MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 69c5c5860dad093aa840862d188c4a17b372bd00a570d5d9831ea6da6e489cf4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


a310Logger


Vendor detections: 7


Intelligence 7 IOCs YARA 3 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 69c5c5860dad093aa840862d188c4a17b372bd00a570d5d9831ea6da6e489cf4
SHA3-384 hash: bea930f75ee0a71f410498c3f704dca54d4b9d9b751ddd254771fc11bf6da243c164ce99c5bbad3a0db9c32230aeba96
SHA1 hash: d8e05d80a918947d56b7a410a545bfe3caedbf3e
MD5 hash: d883d9c4eb5bbaf4d4b3131d1ec71349
humanhash: london-mike-orange-pip
File name:d883d9c4eb5bbaf4d4b3131d1ec71349
Download: download sample
Signature a310Logger
Create hunting rule
File size:27'648 bytes
First seen:2021-09-21 20:38:39 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 192:jr/bqE6ZsqtIffTLwN8ElEJc1JHAzmnzmJrRSa8HA+uwPJRhSbiVECqR:jr/b98NiffTLwN1EOHeMKJd4gnL
Threatray 4'343 similar samples on MalwareBazaar
TLSH T1D6C25300F654CD23F2E10A325E6792852539EE0BDC52AA5FAB5B3F0F7DB124C45CEA51
File icon (PE):PE icon
dhash icon 4730d8d4d4d83047 (3 x a310Logger, 2 x Formbook, 1 x AgentTesla)
Reporter zbetcheckin
Tags:32 a310logger exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
261
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
d883d9c4eb5bbaf4d4b3131d1ec71349
Verdict:
Malicious activity
Analysis date:
2021-09-21 20:40:39 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/f01b1640-1c3f-4d9b-b03b-653938d16c59

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/190001/
Detection(s):
SecuriteInfo.com.Variant.Bulz.738879.1565.2193.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/af9a6652-5a31-4283-a8c0-4ce3c77ace2d
Result
Threat name:
SpyEx a310Logger
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/855216
Signature
.NET source code contains potential unpacker
Allocates memory in foreign processes
Detected unpacking (creates a PE file in dynamic memory)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file access)
Uses powershell Test-Connection to delay payload execution;
Writes to foreign memory regions
Yara detected a310Logger
Yara detected SpyEx stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 487647 Sample: v9t1gGwihm Startdate: 21/09/2021 Architecture: WINDOWS Score: 100 68 www.twitter.com 2->68 70 www.google.com 2->70 72 3 other IPs or domains 2->72 106 Malicious sample detected (through community Yara rule) 2->106 108 Multi AV Scanner detection for dropped file 2->108 110 Multi AV Scanner detection for submitted file 2->110 112 6 other signatures 2->112 8 v9t1gGwihm.exe 16 9 2->8         started        13 put.exe 2->13         started        15 put.exe 2->15         started        signatures3 process4 dnsIp5 90 store2.gofile.io 31.14.69.10, 443, 49749, 49834 LINKER-ASFR Virgin Islands (BRITISH) 8->90 56 C:\Users\user\AppData\Roaming\...\put.exe, PE32 8->56 dropped 58 C:\Users\user\AppData\...\v9t1gGwihm.exe, PE32 8->58 dropped 60 C:\Users\user\...\put.exe:Zone.Identifier, ASCII 8->60 dropped 66 2 other malicious files 8->66 dropped 120 Writes to foreign memory regions 8->120 122 Allocates memory in foreign processes 8->122 124 Uses powershell Test-Connection to delay payload execution; 8->124 17 v9t1gGwihm.exe 8->17         started        20 powershell.exe 18 8->20         started        23 powershell.exe 18 8->23         started        31 2 other processes 8->31 62 C:\Users\user\AppData\Local\Temp\put.exe, PE32 13->62 dropped 64 C:\Users\user\...\put.exe:Zone.Identifier, ASCII 13->64 dropped 25 put.exe 13->25         started        27 powershell.exe 13->27         started        29 powershell.exe 13->29         started        33 2 other processes 13->33 126 Injects a PE file into a foreign processes 15->126 35 4 other processes 15->35 file6 signatures7 process8 dnsIp9 92 Multi AV Scanner detection for dropped file 17->92 94 Detected unpacking (creates a PE file in dynamic memory) 17->94 96 Machine Learning detection for dropped file 17->96 104 3 other signatures 17->104 37 AppLaunch.exe 17->37         started        40 AppLaunch.exe 17->40         started        78 2 other IPs or domains 20->78 42 conhost.exe 20->42         started        80 2 other IPs or domains 23->80 44 conhost.exe 23->44         started        74 restd.xyz 68.65.123.120, 49836, 587 NAMECHEAP-NETUS United States 25->74 98 Performs DNS queries to domains with low reputation 25->98 100 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 25->100 102 Writes to foreign memory regions 25->102 76 www.google.com 27->76 46 conhost.exe 27->46         started        82 2 other IPs or domains 29->82 48 conhost.exe 29->48         started        84 4 other IPs or domains 31->84 50 2 other processes 31->50 86 2 other IPs or domains 33->86 52 2 other processes 33->52 88 5 other IPs or domains 35->88 54 4 other processes 35->54 signatures10 process11 signatures12 114 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 37->114 116 Tries to steal Mail credentials (via file access) 37->116 118 Tries to harvest and steal browser information (history, passwords, etc) 37->118
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/69c5c5860dad093aa840862d188c4a17b372bd00a570d5d9831ea6da6e489cf4/
Threat name:
ByteCode-MSIL.Trojan.KryptikAGen
Create hunting rule
Status:
Malicious
First seen:
2021-09-21 15:20:56 UTC
AV detection:
19 of 28 (67.86%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=nhc4lbqnvuetvkcaqywrrdckc6zxfpiauvynlwmdd2tnu3sitt2a._file
Verdict:
malicious
Similar samples:
01dccd80e7c6948853bacb394d25995d5886f84c05bfbb506b4c5862d8221901
a310Logger
1fbc3ddcd892c868cab037f43fcee5cd1dd67f5ce0ac882d851603bdc934ec43
a310Logger
3c17d6b6676bffb1a963784f757c163023961aa29364aeaa0f78d2790ed5b073
a310Logger
3ece92463dcf24cb48108755946de3060883611669b3f54217e5600f06044883
a310Logger
674a7b749bea309b2f9157e187a92fc0da9ce79b3a9ee4f3c85e6b58dd961789
a310Logger
99a3e2ebd1bc060c20f9d968c9fb58bca75e81a311ac8b9d0fbf7891f725fb53
a310Logger
dafada11163e9ed5459a4759f6f18561db820214a5ce6f0752083af1faf70369
a310Logger
+ 4'333 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  6/10
Tags:
persistence
Link:
https://tria.ge/reports/210921-ze9y5sddan/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Unpacked files
SH256 hash:
69c5c5860dad093aa840862d188c4a17b372bd00a570d5d9831ea6da6e489cf4
MD5 hash:
d883d9c4eb5bbaf4d4b3131d1ec71349
SHA1 hash:
d8e05d80a918947d56b7a410a545bfe3caedbf3e
Link:
https://www.unpac.me/results/81500af7-91b8-44ce-a5a4-fb2429630fd2/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/69c5c5860dad093aa840862d188c4a17b372bd00a570d5d9831ea6da6e489cf4

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

a310Logger

Executable exe 69c5c5860dad093aa840862d188c4a17b372bd00a570d5d9831ea6da6e489cf4

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1638746/
Cape
Cape
https://www.capesandbox.com/analysis/190001/

Comments


Avatar
zbet commented on 2021-09-21 20:38:40 UTC

url : hxxp://52.58.97.51/4r/u/new_requests_5022058.exe