MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7250ef24caa419dc6aad256cb819fe5523de5e0a7763ca695c15602f01648b8c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


a310Logger


Vendor detections: 16


Intelligence 16 IOCs YARA 21 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7250ef24caa419dc6aad256cb819fe5523de5e0a7763ca695c15602f01648b8c
SHA3-384 hash: 38e485bad30c91e4779464d24a654704aae9df59022627b902541e117a296050d8a55d662c34d4ed67922f9db428ac24
SHA1 hash: c011cf60628fbdab6a4482218c0ef53bc3f38c5c
MD5 hash: ced1e50ef75e085be8959ef2e5f978ac
humanhash: fanta-mars-california-indigo
File name:產品 (po908763201) 緊急報價.exe
Download: download sample
Signature a310Logger
Create hunting rule
File size:1'672'192 bytes
First seen:2025-11-11 11:58:44 UTC
Last seen:2025-12-08 14:38:31 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash e66020c2087d55c698a700631e068e0a (5 x a310Logger, 1 x XWorm)
ssdeep 24576:TyjqBQcK7Y9W+rT4KhdRPtzhEQLfW9fOZ71swUmKCHb:TdL0m3feOhM
TLSH T19375D052B1904536C1371538AC02AF646529FE232D3BE84636EC3E4B7FFB291781AD97
TrID 45.4% (.EXE) Win64 Executable (generic) (10522/11/4)
19.4% (.EXE) Win32 Executable (generic) (4504/4/1)
8.9% (.EXE) Win16/32 Executable Delphi generic (2072/23)
8.7% (.EXE) OS/2 Executable (generic) (2029/13)
8.6% (.EXE) Generic Win/DOS Executable (2002/3)
Magika pebin
Reporter lowmal3
Tags:a310logger exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
129
Origin country :
DE DE
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
產品 (po908763201) 緊急報價.exe
Verdict:
Malicious activity
Analysis date:
2025-11-11 12:02:00 UTC
Tags:
delphi dbatloader loader
Link:
https://app.any.run/tasks/038efd29-ad74-4608-bb82-b62207993731

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/36764/
Verdict:
Malicious
Score:
97.4%
Link:
https://cyber-fortress.com/docs/result/index.php?id=69132515ac1ae236e17963d2
Tags:
delphi emotet
Verdict:
Malicious
Labled as:
TrojanDownloader/ModiLoader.a
Link:
https://www.hybrid-analysis.com/sample/7250ef24caa419dc6aad256cb819fe5523de5e0a7763ca695c15602f01648b8c
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-11-11T08:01:00Z UTC
Last seen:
2025-11-13T10:14:00Z UTC
Hits:
~1000
Detections:
Trojan-PSW.Win32.Stealer.sb HEUR:Backdoor.Win32.Remcos.gen Trojan-PSW.Win32.Stelega.sb Trojan-PSW.Win32.DarkCloud.sb
Link:
https://opentip.kaspersky.com/7250ef24caa419dc6aad256cb819fe5523de5e0a7763ca695c15602f01648b8c/results?tab=lookup
Malware family:
ModiLoader
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/efd4340d-6f41-46eb-856e-dda932570670
Result
Threat name:
DBatLoader, DarkCloud
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1812010
Signature
Allocates many large memory junks
Allocates memory in foreign processes
Antivirus detection for dropped file
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Drops PE files to the user root directory
Found malware configuration
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sample uses process hollowing technique
Sigma detected: Execution from Suspicious Folder
Sigma detected: Suspicious Program Location with Network Connections
Suricata IDS alerts for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses the Telegram API (likely for C&C communication)
Writes to foreign memory regions
Yara detected DarkCloud
Yara detected DBatLoader
Yara detected Generic Dropper
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1812010 Sample: #U7522#U54c1 (po908763201) ... Startdate: 11/11/2025 Architecture: WINDOWS Score: 100 52 api.telegram.org 2->52 64 Suricata IDS alerts for network traffic 2->64 66 Found malware configuration 2->66 68 Malicious sample detected (through community Yara rule) 2->68 72 12 other signatures 2->72 10 #U7522#U54c1 (po908763201) #U7dca#U6025#U5831#U50f9.exe 1 2->10         started        signatures3 70 Uses the Telegram API (likely for C&C communication) 52->70 process4 file5 46 C:\Users\Public\imqjlqcaV.exe, PE32 10->46 dropped 74 Writes to foreign memory regions 10->74 76 Allocates memory in foreign processes 10->76 78 Sample uses process hollowing technique 10->78 80 Allocates many large memory junks 10->80 14 imqjlqcaV.exe 2 17 10->14         started        signatures6 process7 dnsIp8 54 api.telegram.org 149.154.167.220, 443, 49721 TELEGRAMRU United Kingdom 14->54 48 C:\Users\user\AppData\...\chrome.exe (copy), PE32 14->48 dropped 50 C:\Users\user\AppData\...\Project1.exe, PE32 14->50 dropped 56 Detected unpacking (changes PE section rights) 14->56 58 Detected unpacking (overwrites its own PE header) 14->58 60 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 14->60 62 2 other signatures 14->62 19 chrome.exe 2 14->19         started        22 taskkill.exe 1 14->22         started        24 GoogleChrome.exe 1 14->24         started        26 22 other processes 14->26 file9 signatures10 process11 file12 44 C:\Program Filesbehaviorgraphoogle\...behaviorgraphoogleChrome.exe, PE32 19->44 dropped 28 GoogleChrome.exe 1 19->28         started        30 conhost.exe 22->30         started        32 conhost.exe 24->32         started        34 conhost.exe 26->34         started        36 conhost.exe 26->36         started        38 conhost.exe 26->38         started        40 19 other processes 26->40 process13 process14 42 conhost.exe 28->42         started       
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/7250ef24caa419dc6aad256cb819fe5523de5e0a7763ca695c15602f01648b8c
Verdict:
inconclusive
YARA:
4 match(es)
Tags:
Executable PE (Portable Executable) PE File Layout Win 32 Exe x86
Link:
https://app.malva.re/file/ced1e50ef75e085be8959ef2e5f978ac
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/7250ef24caa419dc6aad256cb819fe5523de5e0a7763ca695c15602f01648b8c/
Verdict:
Malicious
Threat:
Family.DARKCLOUD
Link:
https://tip.neiki.dev/file/7250ef24caa419dc6aad256cb819fe5523de5e0a7763ca695c15602f01648b8c
Threat name:
Win32.Trojan.DBatLoader
Create hunting rule
Status:
Malicious
First seen:
2025-11-11 11:59:16 UTC
File Type:
PE (Exe)
Extracted files:
47
AV detection:
20 of 23 (86.96%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ojio6jgkuqm5y2vnevwlqgp6kur54xqko5r4u2k4cvqc6aleroga._file
Verdict:
malicious
Label(s):
dbatloader
Create hunting rule
Similar samples:
error
a310Logger
Result
Malware family:
modiloader
Create hunting rule
Score:
  10/10
Tags:
family:modiloader discovery trojan
Link:
https://tria.ge/reports/251111-n5sxrsvlbl/
Behaviour
Suspicious use of WriteProcessMemory
Program crash
System Location Discovery: System Language Discovery
ModiLoader Second Stage
ModiLoader, DBatLoader
Modiloader family
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/22aa5a2d-11d6-433c-8aea-792d07938a33
Unpacked files
SH256 hash:
7250ef24caa419dc6aad256cb819fe5523de5e0a7763ca695c15602f01648b8c
MD5 hash:
ced1e50ef75e085be8959ef2e5f978ac
SHA1 hash:
c011cf60628fbdab6a4482218c0ef53bc3f38c5c
Link:
https://www.unpac.me/results/8c9691dd-9b76-4ca1-8e2f-d50bc9053018/
Malware family:
DarkCloud
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/7250ef24caa4/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/7250ef24caa419dc6aad256cb819fe5523de5e0a7763ca695c15602f01648b8c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BobSoftMiniDelphiBoBBobSoft
Create hunting rule
Author:malware-lu
Rule name:Borland
Create hunting rule
Author:malware-lu
Rule name:DetectEncryptedVariants
Create hunting rule
Author:Zinyth
Description:Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded
Rule name:FreddyBearDropper
Create hunting rule
Author:Dwarozh Hoshiar
Description:Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.
Rule name:INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
Author:ditekSHen
Description:Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name:INDICATOR_SUSPICIOUS_EXE_CC_Regex
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing credit card regular expressions
Rule name:INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Create hunting rule
Author:ditekSHen
Description:Detects executables containing SQL queries to confidential data stores. Observed in infostealers
Rule name:INDICATOR_SUSPICIOUS_EXE_TelegramChatBot
Create hunting rule
Author:ditekSHen
Description:Detects executables using Telegram Chat Bot
Rule name:MALWARE_Win_A310Logger
Create hunting rule
Author:ditekSHen
Description:Detects A310Logger
Rule name:MALWARE_Win_DarkCloud
Create hunting rule
Author:ditekSHen
Description:Detects DarkCloud infostealer
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:ProtectSharewareV11eCompservCMS
Create hunting rule
Author:malware-lu
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SEH__vba
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns
Rule name:TelegramAPIMalware_PowerShell_EXE
Create hunting rule
Author:@polygonben
Description:Hunting for pwsh malware using Telegram for C2
Rule name:telegram_bot_api
Create hunting rule
Author:rectifyq
Description:Detects file containing Telegram Bot API
Rule name:UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser
Create hunting rule
Author:malware-lu
Rule name:Windows_Trojan_DarkCloud_9905abce
Create hunting rule
Author:Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

a310Logger

Executable exe 7250ef24caa419dc6aad256cb819fe5523de5e0a7763ca695c15602f01648b8c

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/36764/

Comments