MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 80877119f9ddd3a9f4740e0b04640d3fd1793787cfb9d45cc5f23ed318828b1b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


a310Logger


Vendor detections: 8


Intelligence 8 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 80877119f9ddd3a9f4740e0b04640d3fd1793787cfb9d45cc5f23ed318828b1b
SHA3-384 hash: 922b3262f31bfb0c6feb0c12c0a0e58427fc8d241eebad42bd13291296d7968b17a25f1f75dcf1f006a8e579ac56e999
SHA1 hash: 52b8bf6a36b6f4f74718c51c356112368110807f
MD5 hash: fa78d1d0ef30fafdb9670abc29deb24e
humanhash: delaware-sweet-undress-spaghetti
File name:Btc payments copy_3000 usd_________________.exe
Download: download sample
Signature a310Logger
Create hunting rule
File size:936'960 bytes
First seen:2021-08-17 14:58:29 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'660 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:1FDc9F3nC0Py3gAhgqeJbNo6CBN0bm1acX3x81GzE0ELQ1wBDrUYSi142+y:15bN0RKWgE0mQ1wBfUFy+y
Threatray 2'692 similar samples on MalwareBazaar
TLSH T1CC15E43C19B93A27E079D765EBE18817B1509C9F3521AD98A4DE33A70337A4274C723E
dhash icon 4d0e060f0071550c (3 x a310Logger)
Reporter cocaman
Tags:a310logger exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
150
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Btc payments copy_3000 usd_________________.exe
Verdict:
Malicious activity
Analysis date:
2021-08-17 15:02:18 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/6966687d-19f5-45fd-8190-45afc3272def

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/180118/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.998-1.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
DNS request
Sending a UDP request
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a file in the %temp% directory
Launching a process
Creating a process with a hidden window
Deleting a recently created file
Creating a file
Creating a file in the %AppData% subdirectories
Creating a process from a recently created file
Using the Windows Management Instrumentation requests
Reading critical registry keys
Moving a file to the %AppData% subdirectory
Unauthorized injection to a recently created process
Stealing user critical data
Enabling autorun by creating a file
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/2649cbc7-e674-41ed-936b-91fa097e1446
Result
Threat name:
a310Logger
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/834684
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains very large strings
.NET source code references suspicious native API functions
Antivirus detection for dropped file
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Suspicious Double Extension
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected a310Logger
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 467110 Sample: Btc payments copy_3000 usd_... Startdate: 17/08/2021 Architecture: WINDOWS Score: 100 46 Multi AV Scanner detection for domain / URL 2->46 48 Malicious sample detected (through community Yara rule) 2->48 50 Antivirus detection for dropped file 2->50 52 12 other signatures 2->52 7 Btc payments copy_3000 usd_________________.exe 7 2->7         started        process3 file4 22 C:\Users\user\AppData\...\vaGrwRJrTr.exe, PE32 7->22 dropped 24 C:\Users\user\AppData\Local\...\tmp2A17.tmp, XML 7->24 dropped 26 Btc payments copy_...___________.exe.log, ASCII 7->26 dropped 54 Injects a PE file into a foreign processes 7->54 11 Btc payments copy_3000 usd_________________.exe 3 13 7->11         started        15 schtasks.exe 1 7->15         started        signatures5 process6 dnsIp7 36 mail.sabaint.me 185.239.243.112, 49712, 49713, 49721 CLOUDIE-AS-APCloudieLimitedHK Moldova Republic of 11->36 28 C:\Users\user\AppData\...\PASSWORDSNET4.exe, PE32 11->28 dropped 30 C:\Users\user\AppData\...\CREDITCARDNET4.exe, PE32 11->30 dropped 32 C:\Users\user\AppData\...\COOKIESNET4.exe, PE32 11->32 dropped 34 C:\Users\user\AppData\...\CONTACTSNET4.exe, PE32 11->34 dropped 17 PASSWORDSNET4.exe 6 11->17         started        20 conhost.exe 15->20         started        file8 process9 signatures10 38 Multi AV Scanner detection for dropped file 17->38 40 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 17->40 42 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 17->42 44 4 other signatures 17->44
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/80877119f9ddd3a9f4740e0b04640d3fd1793787cfb9d45cc5f23ed318828b1b/
Threat name:
ByteCode-MSIL.Trojan.Taskun
Create hunting rule
Status:
Malicious
First seen:
2021-08-17 14:59:22 UTC
File Type:
PE (.Net Exe)
Extracted files:
24
AV detection:
13 of 28 (46.43%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=qcdxcgpz3xj2t5dubyfqizanh7ixsn4hz645ixgf6i7nggecrmnq._file
Verdict:
unknown
Similar samples:
3f46e10e5fe376b995e2947d1be21955aa8341f39d80cca737109fcf2cf2bf3b
a310Logger
413cdd0ae3d9ba60b132796a63dad08bea31d309157f5497380ad72cb3b0ae27
a310Logger
89b4067a98c617d7d81350f7b5f5e7d5c2530a766cd42c7d1cb46efac3e9d7ae
a310Logger
8a7a54c2c7952b89a9bd9898ee42e52da9aeb17e41a878f2a5236401f3e14efa
a310Logger
a46b3e0a2f558e89da3c71e7a626201824243315c37970cc34dd60162f9640a5
a310Logger
a57f84d7e89cc76408c67fbcc2c8e3c03bf98a8daa93209f3650ebffa09faabb
a310Logger
d254826085eaada20b9ab3803fdf88d2326ffcb2e90b36d3fbb129fce1cfed5a
a310Logger
e6407a39f1b2fb728a40612d6ca8e71d6dc004d9efb569f2f4d351ab693ac6f4
a310Logger
+ 2'682 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
spyware stealer
Link:
https://tria.ge/reports/210817-gg1tyd9kxj/
Behaviour
Checks processor information in registry
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Loads dropped DLL
Reads local data of messenger clients
Reads user/profile data of web browsers
Executes dropped EXE
Unpacked files
SH256 hash:
bb2b5a5f22b04f33f7fa3e7fadcbce98115bb9c91421525f8d2bdb6c429f22aa
MD5 hash:
58de0dd9c7c3496ad158faff4787e00c
SHA1 hash:
1cd8724a9d26ca4f02475aa1a50931cb0d1255fd
Link:
https://www.unpac.me/results/4c66205a-6d45-4743-bd55-0a8ad39d6f8e/
SH256 hash:
6912e4bedd1288f116e968f0a79d9797f6d6bd24d45a5f10c52e20f9d33b8c61
MD5 hash:
03bde4a82ad64c0f314985232fbca3fa
SHA1 hash:
e8d0b6339e94192eaaca32c812f914e60576dca6
Link:
https://www.unpac.me/results/4c66205a-6d45-4743-bd55-0a8ad39d6f8e/
SH256 hash:
f229639c12e0048215002431c3c0ec9cfee6618aa7f3b28de4ec3ad8ec632b07
MD5 hash:
d76aaabfbb80ebd8953b3054ce17eb97
SHA1 hash:
80fa992d1e99b4af4280c83ab454f3e018913bc1
Link:
https://www.unpac.me/results/4c66205a-6d45-4743-bd55-0a8ad39d6f8e/
SH256 hash:
80877119f9ddd3a9f4740e0b04640d3fd1793787cfb9d45cc5f23ed318828b1b
MD5 hash:
fa78d1d0ef30fafdb9670abc29deb24e
SHA1 hash:
52b8bf6a36b6f4f74718c51c356112368110807f
Link:
https://www.unpac.me/results/4c66205a-6d45-4743-bd55-0a8ad39d6f8e/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/80877119f9dd/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/80877119f9ddd3a9f4740e0b04640d3fd1793787cfb9d45cc5f23ed318828b1b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

a310Logger

zip 31ff4a9756eab5f110bd19f1250d50cca5068054e99e73068929113aaccad0bd

a310Logger

Executable exe 80877119f9ddd3a9f4740e0b04640d3fd1793787cfb9d45cc5f23ed318828b1b

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 31ff4a9756eab5f110bd19f1250d50cca5068054e99e73068929113aaccad0bd
Cape
Cape
https://www.capesandbox.com/analysis/180118/

Comments