MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 738a485429af982afe764c392327ad1940bc0e2c53e46ccebc7e7528abaa9c9d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


a310Logger


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 738a485429af982afe764c392327ad1940bc0e2c53e46ccebc7e7528abaa9c9d
SHA3-384 hash: 97aaa510bc379d9a48e8ce1f8da1a2fb00229b26d424fc7f752da6c9b82ca3683aa49c585f649ba448dd001649abf144
SHA1 hash: bcd0969fa8441be09d256585a7bd7073d2725f59
MD5 hash: 9ee21b7bda8668d0a5e41273d0ce1291
humanhash: speaker-fourteen-snake-november
File name:TT09879087700U.exe
Download: download sample
Signature a310Logger
Create hunting rule
File size:753'525 bytes
First seen:2021-08-17 13:57:37 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash e9aef503b3e4a8eb831af674be5da9e3 (8 x Loki, 3 x Formbook, 1 x a310Logger)
ssdeep 12288:r7T2OCm5I7wjmyGR7GjOzv1S87j4HtkqYrp9yo0BNhc96DH/ofO/oKc:r7T2OCjkjmykyjOhH4HOqspDQ9X/M
Threatray 1'169 similar samples on MalwareBazaar
TLSH T1E4F4E0017581C0B1C39275F2541DE2AB59247E709E11898BE7B43FA1EB32AB3ED64B1F
dhash icon 174f4559191b1b13 (81 x AgentTesla, 68 x Formbook, 34 x SnakeKeylogger)
Reporter abuse_ch
Tags:a310logger exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
110
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
TT09879087700U.exe
Verdict:
Suspicious activity
Analysis date:
2021-08-17 14:00:25 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/475db37a-2fcd-46ce-a689-91e9b8e3e1f4

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
JKeylogger
Create hunting rule
Link:
https://www.capesandbox.com/analysis/179995/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/1058545a-9dfc-447a-bf93-6e6e66a23e76
Result
Threat name:
StormKitty a310Logger
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/834528
Signature
.NET source code contains potential unpacker
Allocates memory in foreign processes
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file access)
Writes to foreign memory regions
Yara detected a310Logger
Yara detected StormKitty Stealer
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 467041 Sample: TT09879087700U.exe Startdate: 17/08/2021 Architecture: WINDOWS Score: 100 47 clientconfig.passport.net 2->47 49 Malicious sample detected (through community Yara rule) 2->49 51 Multi AV Scanner detection for submitted file 2->51 53 Yara detected a310Logger 2->53 55 4 other signatures 2->55 9 TT09879087700U.exe 1 2->9         started        signatures3 process4 signatures5 67 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 9->67 69 Maps a DLL or memory area into another process 9->69 12 TT09879087700U.exe 1 9->12         started        15 conhost.exe 9->15         started        process6 signatures7 71 Writes to foreign memory regions 12->71 73 Allocates memory in foreign processes 12->73 75 Injects a PE file into a foreign processes 12->75 17 AppLaunch.exe 15 5 12->17         started        22 AppLaunch.exe 4 12->22         started        24 AppLaunch.exe 12->24         started        26 AppLaunch.exe 1 12->26         started        process8 dnsIp9 39 236.76.10.0.in-addr.arpa 17->39 41 icanhazip.com 104.18.7.156, 49722, 49723, 80 CLOUDFLARENETUS United States 17->41 35 C:\Users\user\AppData\...\gdyMFizp.exe, PE32 17->35 dropped 57 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 17->57 59 May check the online IP address of the machine 17->59 61 Tries to steal Instant Messenger accounts or passwords 17->61 28 gdyMFizp.exe 1 17->28         started        43 236.76.10.0.in-addr.arpa 22->43 45 192.168.2.1 unknown unknown 22->45 37 C:\Users\user\AppData\...\zWCSwIEh.exe, PE32 22->37 dropped 63 Tries to steal Mail credentials (via file access) 22->63 65 Tries to harvest and steal browser information (history, passwords, etc) 22->65 31 zWCSwIEh.exe 1 22->31         started        33 WerFault.exe 24->33         started        file10 signatures11 process12 signatures13 77 Multi AV Scanner detection for dropped file 28->77 79 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 28->79
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/738a485429af982afe764c392327ad1940bc0e2c53e46ccebc7e7528abaa9c9d/
Threat name:
Win32.Trojan.FormBook
Create hunting rule
Status:
Malicious
First seen:
2021-08-17 12:46:36 UTC
AV detection:
18 of 28 (64.29%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=oofeqvbjv6mcv7twjq4sgj5ndfalydrmkpsgztv4pz2srk5ktsoq._file
Verdict:
suspicious
Similar samples:
06671aa1c0e3f5552f64c537c302ccb4d94dc24a6e3a5f99d7ba31bc4b94b6c7
a310Logger
413cdd0ae3d9ba60b132796a63dad08bea31d309157f5497380ad72cb3b0ae27
a310Logger
509af0a6b4ca7a15a4eb64458a1863e37727493c5933781e501de65fb6d858e5
a310Logger
60ac6dfe6cbf92960e313300091e733c0b4a2bca9f8de41f3543bc2d06ba4328
a310Logger
7257e33f527df5f7820d5dfd9022d923b5fb6cdef21d402c54fc9d3f3106f3a3
a310Logger
b372ba907ad4c120ac6ddd86e8de1821d19dffef023bd32c18359bcf82326842
a310Logger
c56bc83a9e77b9ee422f659aaebab96027d0e5c57dce023a0f5939a96964d620
a310Logger
d4de821098d687d2705eeab129a0199f36be76878c0093f9de0299a79ae957ac
a310Logger
f0392c0072530a0fbb36542ab364e98512d222fb9074b11f553bf107a5e4dec6
a310Logger
+ 1'159 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://tria.ge/reports/210817-tc87eal2an/
Behaviour
Suspicious behavior: MapViewOfSection
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Unpacked files
SH256 hash:
222d5ee653e1f49ac910e881455204b68ae162b93f0dada9e8fb540de23b35e2
MD5 hash:
be50b49dfd4f7940b92796a8459ba69d
SHA1 hash:
ea7c0ba1f31f3e9dc06cc9d32c1778f2abf16156
Link:
https://www.unpac.me/results/0d31120a-8238-42b9-bbb6-813e902480a2/
SH256 hash:
738a485429af982afe764c392327ad1940bc0e2c53e46ccebc7e7528abaa9c9d
MD5 hash:
9ee21b7bda8668d0a5e41273d0ce1291
SHA1 hash:
bcd0969fa8441be09d256585a7bd7073d2725f59
Link:
https://www.unpac.me/results/0d31120a-8238-42b9-bbb6-813e902480a2/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/738a485429af/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/738a485429af982afe764c392327ad1940bc0e2c53e46ccebc7e7528abaa9c9d

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

a310Logger

Executable exe 738a485429af982afe764c392327ad1940bc0e2c53e46ccebc7e7528abaa9c9d

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/179995/

Comments