MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7b864e7b7512afd0c9de93c82dbee0ed201c2bd573beeaf1b27ff6acf9426249. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

a310Logger

Vendor detections: 10

Intelligence 10 IOCs YARA 21 File information Comments

SHA256 hash:	7b864e7b7512afd0c9de93c82dbee0ed201c2bd573beeaf1b27ff6acf9426249
SHA3-384 hash:	21aa3fd33dbe688fb2cd7a23feec9d9b32f6f14ac1c60b897611d86a761b7fece553b55cbc4d8412473746d1a7ac6bf8
SHA1 hash:	e4e880f24320b02fd189bcd123a7c12a0f0169d0
MD5 hash:	deec8a9f04003a81e51d1fda11519b48
humanhash:	spaghetti-spring-berlin-april
File name:	Pre PPC order 1201.rar
Download:	download sample
Signature	a310Logger Create hunting rule
File size:	746'393 bytes
First seen:	2025-12-05 16:26:40 UTC
Last seen:	Never
File type:	rar
MIME type:	application/x-rar
ssdeep	12288:rE2etMKoQnaYgEo4PgA8Ohe+JjCZqME6Z3ax8z5RCna0R3cjn4sNgh7qb:rE2KKQnarEoZ4e+5CZF0x8z5Ina0Rxub
TLSH	T172F4333E0744AA753C8FB0011DA8AB0D89B7A334A3F526E780DD1A1FF79E85D75A3115
TrID	61.5% (.RAR) RAR compressed archive (v5.0) (8000/1) 38.4% (.RAR) RAR compressed archive (gen) (5000/1)
Magika	rar
Reporter	cocaman
Tags:	a310logger rar

cocaman

Malicious email (T1566.001)
From: "Chen Zheng <zchen@dfyf.com>" (likely spoofed)
Received: "from dfyf.com (unknown [176.67.81.234]) "
Date: "03 Dec 2025 19:40:08 -0800"
Subject: "order + H67A Pre PPC order 1201"
Attachment: "Pre PPC order 1201.rar"

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

File Archive Information

This file archive contains 1 file(s), sorted by their relevance:

File name:	Pre PPC order 1201.exe
File size:	1'275'392 bytes
SHA256 hash:	36b00383e570627344465a94937f2846bbe07f99426becf8f916ced4304ab920
MD5 hash:	33444da979782a44c347d12d384b82fa
MIME type:	application/x-dosexec
Signature	a310Logger

Vendor Threat Intelligence

Details

Link:

https://research.acce.ciphertechsolutions.com/results/8fd6897e-e76a-4d9d-be97-836ee4969b00/

Detection(s):

SecuriteInfo.com.Win32.Trojan.Agent.35E5V6.UNOFFICIAL

Verdict:

Malicious

Score:

92.5%

Link:

https://cyber-fortress.com/docs/result/index.php?id=693307ef31688d480ab31361

Tags:

autoit emotet

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

adaptive-context anti-debug autoit compiled-script fingerprint installer-heuristic keylogger masquerade microsoft_visual_cc packed

Link:

https://www.filescan.io/uploads/693307ecbba50eaf04234606/reports/7e6ae38c-954b-4913-9d95-646ec7125899/overview

Verdict:

Malicious

Labled as:

Trojan.Generic

Link:

https://www.hybrid-analysis.com/sample/7b864e7b7512afd0c9de93c82dbee0ed201c2bd573beeaf1b27ff6acf9426249

Verdict:

Malicious

File Type:

rar

First seen:

2025-12-04T06:27:00Z UTC

Last seen:

2025-12-07T13:55:00Z UTC

Hits:

~10

Link:

https://opentip.kaspersky.com/7b864e7b7512afd0c9de93c82dbee0ed201c2bd573beeaf1b27ff6acf9426249/results?tab=lookup

Verdict:

Malware

YARA:

1 match(es)

Tags:

AutoIt Decompiled Executable PDB Path PE (Portable Executable) PE File Layout Rar Archive Suspect

Link:

https://app.malva.re/file/deec8a9f04003a81e51d1fda11519b48

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/7b864e7b7512afd0c9de93c82dbee0ed201c2bd573beeaf1b27ff6acf9426249/

Threat name:

Script-AutoIt.Trojan.Heuristic

Status:

Malicious

First seen:

2025-12-04 12:19:01 UTC

AV detection:

17 of 24 (70.83%)

Threat level:

2/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=pode463vckx5bso6spec3pxa5uqbyk6voo7ov4nsp73kz6kcmjeq._file

Result

Malware family:

darkcloud

Score:

10/10

Tags:

family:darkcloud discovery stealer

Link:

https://tria.ge/reports/251205-t8cylsdl8v/

Behaviour

Suspicious behavior: MapViewOfSection

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Program crash

System Location Discovery: System Language Discovery

AutoIT Executable

Suspicious use of SetThreadContext

Drops startup file

Executes dropped EXE

DarkCloud

Darkcloud family

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.00

Link:

https://yomi.yoroi.company/submissions/7b864e7b7512afd0c9de93c82dbee0ed201c2bd573beeaf1b27ff6acf9426249

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	AutoIT_Compiled Create hunting rule
Author:	@bartblaze
Description:	Identifies compiled AutoIT script (as EXE). This rule by itself does NOT necessarily mean the detected file is malicious.

Rule name:	CP_Script_Inject_Detector Create hunting rule
Author:	DiegoAnalytics
Description:	Detects attempts to inject code into another process across PE, ELF, Mach-O binaries

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DetectEncryptedVariants Create hunting rule
Author:	Zinyth
Description:	Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded

Rule name:	FreddyBearDropper Create hunting rule
Author:	Dwarozh Hoshiar
Description:	Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	INDICATOR_SUSPICIOUS_Binary_References_Browsers Create hunting rule
Author:	ditekSHen
Description:	Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Rule name:	INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore Create hunting rule
Author:	ditekSHen
Description:	Detects executables containing SQL queries to confidential data stores. Observed in infostealers

Rule name:	INDICATOR_SUSPICIOUS_EXE_TelegramChatBot Create hunting rule
Author:	ditekSHen
Description:	Detects executables using Telegram Chat Bot

Rule name:	MALWARE_Win_A310Logger Create hunting rule
Author:	ditekSHen
Description:	Detects A310Logger

Rule name:	MALWARE_Win_DarkCloud Create hunting rule
Author:	ditekSHen
Description:	Detects DarkCloud infostealer

Rule name:	pe_detect_tls_callbacks Create hunting rule

Rule name:	ProtectSharewareV11eCompservCMS Create hunting rule
Author:	malware-lu

Rule name:	RIPEMD160_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for RIPEMD-160 constants

Rule name:	SEH__vba Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	SHA1_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for SHA1 constants

Rule name:	TelegramAPIMalware_PowerShell_EXE Create hunting rule
Author:	@polygonben
Description:	Hunting for pwsh malware using Telegram for C2

Rule name:	telegram_bot_api Create hunting rule
Author:	rectifyq
Description:	Detects file containing Telegram Bot API

Rule name:	TH_Generic_MassHunt_Win_Malware_2025_CYFARE Create hunting rule
Author:	CYFARE
Description:	Generic Windows malware mass-hunt rule - 2025
Reference:	https://cyfare.net/