MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6f97024532dc240921683a3769cb317aefc60bf89c8916b01e80a804675f7487. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


a310Logger


Vendor detections: 18


Intelligence 18 IOCs YARA 9 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6f97024532dc240921683a3769cb317aefc60bf89c8916b01e80a804675f7487
SHA3-384 hash: ba63065170821a34fc945c6b081ca0fca207c185f870c39abfabbd3585197ccf6a56ae9b73b0e5caac8873e667678eac
SHA1 hash: d4301dc5857377e519ecdbedc4e8dcad232b40c4
MD5 hash: 88189c48a13bb45636f6c846ffcd8158
humanhash: london-pasta-jersey-wolfram
File name:Modelo.exe
Download: download sample
Signature a310Logger
Create hunting rule
File size:674'304 bytes
First seen:2025-06-02 07:30:12 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 12288:+aAmpe0ENz19FEAF4tcdtPfQQ87zE8wBszZdhbxYXBNR7va+6Aiic:TWFBS+d9R8s8wBCbhbkva+6M
Threatray 156 similar samples on MalwareBazaar
TLSH T1E0E412037BCA8322EC5855B580EB013513F0FBA626B3E6963F0D3BAD5D127839DC5699
TrID 69.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.0% (.EXE) Win64 Executable (generic) (10522/11/4)
6.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.2% (.EXE) Win32 Executable (generic) (4504/4/1)
1.9% (.EXE) Win16/32 Executable Delphi generic (2072/23)
Magika pebin
Reporter lowmal3
Tags:a310logger exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
430
Origin country :
DE DE
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
https://bazaar.abuse.ch/browse/
Verdict:
Suspicious activity
Analysis date:
2025-06-02 08:06:34 UTC
Tags:
arch-exec
Link:
https://app.any.run/tasks/6e4e3d1f-99cd-42e2-81c1-76d9d3e39980

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
A310Logger
Create hunting rule
Link:
https://www.capesandbox.com/analysis/6841/
Detection(s):
SecuriteInfo.com.Win32.MalwareX-gen.29713.14219.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
92.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=683d55d7acf88f5815eb1c3d
Tags:
virus msil hype
Result
Verdict:
Malware
Maliciousness:

Behaviour
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Сreating synchronization primitives
Creating a window
DNS request
Connection attempt
Sending an HTTP GET request
Creating a file in the %AppData% subdirectories
Reading critical registry keys
Stealing user critical data
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
base64 net_reactor obfuscated obfuscated packed packed packer_detected vbnet
Link:
https://www.filescan.io/uploads/683d535bfd02ed5e05931f50/reports/30d214c4-b137-4aca-bdae-559dde82aca1/overview
Verdict:
Malicious
Labled as:
RiskWare[Obfuscator]/MSIL.Reactor
Link:
https://www.hybrid-analysis.com/sample/6f97024532dc240921683a3769cb317aefc60bf89c8916b01e80a804675f7487
Malware family:
DarkCloud
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/272ea0c7-275e-4cef-bbc8-4592cbdbc4af
Result
Threat name:
DarkCloud
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1703790
Signature
.NET source code contains method to dynamically call methods (often used by packers)
Antivirus / Scanner detection for submitted sample
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses threadpools to delay analysis
Yara detected DarkCloud
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/6f97024532dc240921683a3769cb317aefc60bf89c8916b01e80a804675f7487
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6f97024532dc240921683a3769cb317aefc60bf89c8916b01e80a804675f7487/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2025-06-02 01:04:45 UTC
File Type:
PE (.Net Exe)
Extracted files:
1
AV detection:
21 of 24 (87.50%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=n6lqerjs3qsasilihi3wtszrplx4mc7ytsernma6qcuaiz27osdq._file
Verdict:
malicious
Label(s):
fantomcrypt
Create hunting rule
darkcloudstealer
Create hunting rule
Similar samples:
093a859374e0c960e8cc38fa48d4dd042122ce5f1ed51574e9482696c7feb011
a310Logger
7b9d010e0fe5a9696c5fb1020d8a3c9e1272e7442f4ba841c83d3b0ee001466a
a310Logger
d565861451e345eee7218601370d14df9b696df6a8eeb857df9c55314a4e896b
a310Logger
dc6ccef702d63f94fcfe296035d6fd3125a814f94d9fd1d36dbc1f464efb0595
a310Logger
error
a310Logger
f4484aedb6bcc06405642dd598c025c97f57c26267cf1d59ddc607d5c2c41626
a310Logger
+ 146 additional samples on MalwareBazaar
Result
Malware family:
darkcloud
Create hunting rule
Score:
  10/10
Tags:
family:darkcloud discovery spyware stealer
Link:
https://tria.ge/reports/250602-jcky8sxthv/
Behaviour
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Reads WinSCP keys stored on the system
Reads user/profile data of web browsers
DarkCloud
Darkcloud family
Verdict:
Malicious
Tags:
darkcloud
YARA:
n/a
Link:
https://app.threat.zone/submission/c061d8f8-3914-489d-a4ff-b227cb4316d7
Unpacked files
SH256 hash:
6f97024532dc240921683a3769cb317aefc60bf89c8916b01e80a804675f7487
MD5 hash:
88189c48a13bb45636f6c846ffcd8158
SHA1 hash:
d4301dc5857377e519ecdbedc4e8dcad232b40c4
Link:
https://www.unpac.me/results/2ee8ea82-3d1b-447c-a28b-cb6510f1751c/
SH256 hash:
f9459e2956ae1400c2ea76e8ed958d62763c93423546f9ea242c1a3907d48a0c
MD5 hash:
85a6b12575bcd6c93ef01b1057ea93d3
SHA1 hash:
a9731c1f27232d875462a0224779510868c23f9e
Detections:
INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_TelegramChatBot
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_CC_Regex
Create hunting rule
MALWARE_Win_A310Logger
Create hunting rule
MALWARE_Win_DarkCloud
Create hunting rule
Link:
https://www.unpac.me/results/2ee8ea82-3d1b-447c-a28b-cb6510f1751c/
SH256 hash:
e30c8132a1b03d94ad6bc72d29076da537c16ae54f3113a1c7ddfcba2494f915
MD5 hash:
5b23d4a69fb7ac7c22444cee817119a3
SHA1 hash:
e813e313c2c560fcb1ab9e867168b2a369836253
Detections:
INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_TelegramChatBot
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_CC_Regex
Create hunting rule
MALWARE_Win_A310Logger
Create hunting rule
MALWARE_Win_DarkCloud
Create hunting rule
Link:
https://www.unpac.me/results/2ee8ea82-3d1b-447c-a28b-cb6510f1751c/
SH256 hash:
dcfcd16fbf0511d3f2b3792e5493fa22d7291e4bb2efbfa5ade5002a04fc2cab
MD5 hash:
073a17b6cfb1112c6c838b2fba06a657
SHA1 hash:
a54bb22489eaa8c52eb3e512aee522320530b0be
Link:
https://www.unpac.me/results/2ee8ea82-3d1b-447c-a28b-cb6510f1751c/
SH256 hash:
3fe966e21625f83eccdcc49762305a16e6c488397b4e08a98e1be48d93c3a571
MD5 hash:
884c22791622cbd6edc8ad0dfcea87f2
SHA1 hash:
8b2b539c86f49597a05a289fda4ac27b2fd1c177
Detections:
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/2ee8ea82-3d1b-447c-a28b-cb6510f1751c/
Parent samples :
fb50faa852bc2917ace3552b02c754c91872d0892e247f51a1e48336e598d6ef
6f97024532dc240921683a3769cb317aefc60bf89c8916b01e80a804675f7487
8e36d4f98a882487bedbedf73cbb010f793c7bb529d133a58673a14850198f9f
SH256 hash:
5dece9dcb152f7120d841f1022a5871df97bcc5db2348a0836cf07c90c8b2f49
MD5 hash:
c9febbb8b16476f5a19285f26f809bc3
SHA1 hash:
bb56daf0ce2f8943ea21773c162cd4cbc08ef54b
Link:
https://www.unpac.me/results/2ee8ea82-3d1b-447c-a28b-cb6510f1751c/
SH256 hash:
a4b650d8c82e90aec370772dea8c3b975beb09a5cfd85d14ae4639f15d899805
MD5 hash:
9d5cb57e4c209c15a5cf80e40628dd3e
SHA1 hash:
d2d077602434cf3a094eb4e458f1e0c9c95f3799
Detections:
INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_TelegramChatBot
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_CC_Regex
Create hunting rule
MALWARE_Win_A310Logger
Create hunting rule
MALWARE_Win_DarkCloud
Create hunting rule
Link:
https://www.unpac.me/results/2ee8ea82-3d1b-447c-a28b-cb6510f1751c/
Parent samples :
6f97024532dc240921683a3769cb317aefc60bf89c8916b01e80a804675f7487
6a137ea88f8650db50621709cd357618a2b28cfe65d3d9e6e4663223e2e3ffa0
SH256 hash:
7c6d68d7b4d70aa8c81e84d04cc734072adb80429195c2c8256215f1096063b6
MD5 hash:
3775f13ed7d6735c2d10824c38328027
SHA1 hash:
85294d9ec3362e0bddab0bd97b7868fbbee98925
Detections:
INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_TelegramChatBot
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_CC_Regex
Create hunting rule
MALWARE_Win_A310Logger
Create hunting rule
MALWARE_Win_DarkCloud
Create hunting rule
Link:
https://www.unpac.me/results/2ee8ea82-3d1b-447c-a28b-cb6510f1751c/
SH256 hash:
3b75425895af4ae3186b36277553641e37ca1d620ae18d68e40d13351b54de6a
MD5 hash:
94d1531b52774dce52a89e33646d5b1d
SHA1 hash:
29bf887b025b97bd7a9e1e261852ba824234a625
Link:
https://www.unpac.me/results/2ee8ea82-3d1b-447c-a28b-cb6510f1751c/
SH256 hash:
9f84fd66f6b751cf28a5d8ea0949ed7d825f7d5d00edd597305d1684c48cd99c
MD5 hash:
525498fd09536c0effb3f6bdb694b5d2
SHA1 hash:
0b412134e22ff5eca717a3e9449483410d61671b
Link:
https://www.unpac.me/results/2ee8ea82-3d1b-447c-a28b-cb6510f1751c/
Malware family:
DarkCloud
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/6f97024532dc/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/6f97024532dc240921683a3769cb317aefc60bf89c8916b01e80a804675f7487

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BAZT_B5_NOCEXInvalidStream
Create hunting rule
Rule name:DotNet_Reactor
Create hunting rule
Author:@bartblaze
Description:Identifies .NET Reactor, which offers .NET code protection such as obfuscation, encryption and so on.
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:PureCrypter
Create hunting rule
Author:@bartblaze
Description:Identifies PureCrypter, .NET loader and obfuscator.
Reference:https://malpedia.caad.fkie.fraunhofer.de/details/win.purecrypter
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

a310Logger

Executable exe 6f97024532dc240921683a3769cb317aefc60bf89c8916b01e80a804675f7487

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/6841/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (GUARD_CF)high

Comments