MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7df6b618671a3611467c87986631bfeebf6508d857f51046053f5a502e4e0684. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


a310Logger


Vendor detections: 18


Intelligence 18 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7df6b618671a3611467c87986631bfeebf6508d857f51046053f5a502e4e0684
SHA3-384 hash: 52250770545f33393344cd13eabe80bc3720fa280431658f29107e4b75e58a42b3ac917afc4e54252c319fb9ae0f0f02
SHA1 hash: ec0af2bed71b0a465618bd47cf84d293e9ca6a86
MD5 hash: c39e31e3f5062f709eb4acec07ab76a7
humanhash: magazine-cat-zebra-spring
File name:QUOTATON#0034385.exe
Download: download sample
Signature a310Logger
Create hunting rule
File size:1'012'736 bytes
First seen:2025-10-24 06:52:29 UTC
Last seen:2025-11-06 11:15:11 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 24576:KU2KB3a2NBfBq52QJsW5k6Yfa4k71qHNMTMBUeKXG+3HUc0:V2KVa23Bq57JZkCxkNMge53t0
Threatray 1'794 similar samples on MalwareBazaar
TLSH T10C2512947B2EDE16D8A05BF14EA0D37017B46E1EB161E21B9FE67DEB7136B120804723
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
Reporter lowmal3
Tags:a310logger exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
97
Origin country :
DE DE
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
_7df6b618671a3611467c87986631bfeebf6508d857f51046053f5a502e4e0684.exe
Verdict:
No threats detected
Analysis date:
2025-10-24 06:53:54 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/21918202-37be-4487-96e4-73ccdad659c9

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
DarkCloud
Create hunting rule
Link:
https://www.capesandbox.com/analysis/34004/
Verdict:
Malicious
Score:
96.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68fb22453bdc93eb0563c370
Tags:
virus msil hype
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Launching a process
Creating a file
Сreating synchronization primitives
Using the Windows Management Instrumentation requests
DNS request
Connection attempt
Sending an HTTP GET request
Creating a file in the %AppData% subdirectories
Reading critical registry keys
Stealing user critical data
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated packed packed packer_detected
Link:
https://www.filescan.io/uploads/68fb22443a79800405f44bcf/reports/ef812419-77c1-41e7-a5aa-efbb121625a5/overview
Verdict:
Malicious
Labled as:
Genie.8DN.Generic
Link:
https://www.hybrid-analysis.com/sample/7df6b618671a3611467c87986631bfeebf6508d857f51046053f5a502e4e0684
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-10-23T06:27:00Z UTC
Last seen:
2025-10-25T06:59:00Z UTC
Hits:
~1000
Detections:
Trojan-PSW.Win32.Stealer.sb Trojan-Spy.Stealer.FTP.C&C PDM:Trojan.Win32.Generic HEUR:Backdoor.MSIL.XWorm.gen Trojan-PSW.Win32.Stelega.sb Trojan-PSW.Win32.DarkCloud.sb Trojan.MSIL.Taskun.sb Trojan.MSIL.Inject.sb Trojan.MSIL.Crypt.sb NetTool.PlainTextCredentials.FTP.C&C HackTool.ReconScan.TCP.ServerRequest
Link:
https://opentip.kaspersky.com/7df6b618671a3611467c87986631bfeebf6508d857f51046053f5a502e4e0684/results?tab=lookup
Malware family:
DarkCloud
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/179714a1-c731-47f2-901c-bb9bc9e9c5d7
Result
Threat name:
DarkCloud
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1801083
Signature
.NET source code contains potential unpacker
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Tries to harvest and steal browser information (history, passwords, etc)
Yara detected AntiVM3
Yara detected DarkCloud
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/7df6b618671a3611467c87986631bfeebf6508d857f51046053f5a502e4e0684
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/7df6b618671a3611467c87986631bfeebf6508d857f51046053f5a502e4e0684/
Verdict:
Malicious
Threat:
Trojan.MSIL.XWorm
Link:
https://tip.neiki.dev/file/7df6b618671a3611467c87986631bfeebf6508d857f51046053f5a502e4e0684
Threat name:
Win32.Trojan.Kepavll
Create hunting rule
Status:
Malicious
First seen:
2025-10-23 09:16:26 UTC
File Type:
PE (.Net Exe)
Extracted files:
20
AV detection:
25 of 38 (65.79%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=px3lmgdhdi3bcrt4q6mgmmn7527wkcgyk72rarqfh5nfalsoa2ca._file
Verdict:
malicious
Label(s):
unc_loader_037
Create hunting rule
Similar samples:
115a714af8c65c7c1c7e9d845051a4289d22259e5d06bfa4a08af20c921b359a
a310Logger
43d7aada2fc0643b2edd373d5cd86f86f441040fbbd578820d271829b6ff0796
a310Logger
aa7f31356193b7ed4e58e0ccc15635e3df06eaba6a81c0ff23bd68f17db18b87
a310Logger
d80e5353fa1942cb04ab1f9616e401835a42d292e4b4630a79340f1776eebe8b
a310Logger
d921ee044d098e85b056e92b67698a8aa4df20a074ae73c67e9fcd1f549af1f6
a310Logger
+ 1'784 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
discovery
Link:
https://tria.ge/reports/251024-hnhsksxpbj/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
SmartAssembly .NET packer
Suspicious use of SetThreadContext
Uses the VBS compiler for execution
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/23d56885-ca62-4873-8d15-ee17e2863526
Unpacked files
SH256 hash:
7df6b618671a3611467c87986631bfeebf6508d857f51046053f5a502e4e0684
MD5 hash:
c39e31e3f5062f709eb4acec07ab76a7
SHA1 hash:
ec0af2bed71b0a465618bd47cf84d293e9ca6a86
Link:
https://www.unpac.me/results/5e33ad2e-b2b7-4df9-909a-cddaa8b86158/
SH256 hash:
e5729805917100f4bef523f2df9e4bd38632f1c7be791672b7040ac0a7d2d698
MD5 hash:
bc8a90a3d22caf25da597e43929ef11e
SHA1 hash:
03875c1cbb7d2bb64d90bacd6db68d6919d92359
Detections:
darkcloudstealer
Create hunting rule
INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_TelegramChatBot
Create hunting rule
MALWARE_Win_A310Logger
Create hunting rule
MALWARE_Win_DarkCloud
Create hunting rule
Link:
https://www.unpac.me/results/5e33ad2e-b2b7-4df9-909a-cddaa8b86158/
Parent samples :
7df6b618671a3611467c87986631bfeebf6508d857f51046053f5a502e4e0684
34159f583493176fa487b30736078ffbf9394ecc7b3af5386e146d0144c26117
51f74d384687c3dd221d33c81a380a3a06637cbe394e94158e1e66fc842e6e36
2d9c058afa584eb05584fb5a1012dc013a7ebd2d9331d3269ab111e44e0a2cc2
a008bbcb7eed325eb375f6e8f3e74c72048e4d159f3b996490f73ad99b76b33e
SH256 hash:
b23099d67f19d9c6ce964742e00905961882ca70a0b0a129f584aea28ff013f8
MD5 hash:
b7e99e4fea60c13bd67057766ac4e2d0
SHA1 hash:
538a9bf4737ea137a53a61196a42266ae424ec79
Detections:
INDICATOR_EXE_Packed_SmartAssembly
Create hunting rule
Link:
https://www.unpac.me/results/5e33ad2e-b2b7-4df9-909a-cddaa8b86158/
Parent samples :
7df6b618671a3611467c87986631bfeebf6508d857f51046053f5a502e4e0684
44a2b2a04288b8a218d80ea21b9b96de167b844fa7481adfbd48cfdf179aa0df
8ccd299fea6467b706e5b9108fb8e18c2dfab8fad9b324464f4ff74f067be6ad
SH256 hash:
eac546199726d5f49aedf2fa08adac99b78bb1d9ebd97687350c4643a68d588a
MD5 hash:
982686995c6eaec3fa91b879b341d5db
SHA1 hash:
fa3bd9a84c07823f858819a0ee3b2be15cc80d6e
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24
Create hunting rule
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/5e33ad2e-b2b7-4df9-909a-cddaa8b86158/
SH256 hash:
3b75425895af4ae3186b36277553641e37ca1d620ae18d68e40d13351b54de6a
MD5 hash:
94d1531b52774dce52a89e33646d5b1d
SHA1 hash:
29bf887b025b97bd7a9e1e261852ba824234a625
Link:
https://www.unpac.me/results/5e33ad2e-b2b7-4df9-909a-cddaa8b86158/
Malware family:
DarkCloud
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/7df6b618671a/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/7df6b618671a3611467c87986631bfeebf6508d857f51046053f5a502e4e0684

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

a310Logger

Executable exe 7df6b618671a3611467c87986631bfeebf6508d857f51046053f5a502e4e0684

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/34004/

Comments