MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8c8cba879983d9f4d37fd6fb13d1062ce7a56b83d52d57bf54121523fb74e554. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


a310Logger


Vendor detections: 17


Intelligence 17 IOCs YARA 19 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8c8cba879983d9f4d37fd6fb13d1062ce7a56b83d52d57bf54121523fb74e554
SHA3-384 hash: 070e6dfc827a0723494f6142cb8ea20fa5455f0d435479b38dc8a8a6292b7c07de860b9f7fd3253297f00010d96a5688
SHA1 hash: 75047853d94cbf537b3d41fc7fa0e47209ca1150
MD5 hash: acf3f3e112f8562516fdd99ca05b4e3f
humanhash: artist-jersey-robert-foxtrot
File name:FG098765678900000879.exe
Download: download sample
Signature a310Logger
Create hunting rule
File size:926'720 bytes
First seen:2025-06-26 06:36:45 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'650 x AgentTesla, 19'462 x Formbook, 12'203 x SnakeKeylogger)
ssdeep 12288:t3nbbloapq+HBsEUadC9EYw7aETvcC6NyowPlb/lmhuxYXK8TNmkHQyP4tXjXg:t3nbp5hjVCO97LmUPFlmYxeKspPcj
Threatray 3'798 similar samples on MalwareBazaar
TLSH T18F1512196A939442C17A3F7889D3C2B896783FE958A3C2D37FE63C8F3D759006642365
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
dhash icon 1a71c0aaaaaa0203 (10 x Formbook, 2 x RemcosRAT, 2 x SnakeKeylogger)
Reporter lowmal3
Tags:a310logger exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
451
Origin country :
DE DE
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
FG098765678900000879.exe
Verdict:
Malicious activity
Analysis date:
2025-06-26 06:39:00 UTC
Tags:
netreactor darkcloud upx
Link:
https://app.any.run/tasks/0e9c0be6-c30c-4f04-94e7-affe955be5ff

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
A310Logger
Create hunting rule
Link:
https://www.capesandbox.com/analysis/11193/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.3323.4805.5464.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
92.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=685ceb94b06783b9ebd7e748
Tags:
stration spawn shell
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Сreating synchronization primitives
Creating a process with a hidden window
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a file in the %temp% directory
Launching a process
Creating a file
Using the Windows Management Instrumentation requests
Creating a file in the %AppData% subdirectories
Reading critical registry keys
Stealing user critical data
Adding an exclusion to Microsoft Defender
Enabling autorun by creating a file
Unauthorized injection to a system process
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/8c8cba879983d9f4d37fd6fb13d1062ce7a56b83d52d57bf54121523fb74e554
Malware family:
DarkCloud
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/6a4f8f8b-40e9-4d12-8708-f11ea7d8fbdf
Result
Threat name:
DarkCloud
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1723265
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Found malware configuration
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Scheduled temp file as task from temp location
Tries to harvest and steal browser information (history, passwords, etc)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected DarkCloud
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1723265 Sample: FG098765678900000879.exe Startdate: 26/06/2025 Architecture: WINDOWS Score: 100 59 Found malware configuration 2->59 61 Malicious sample detected (through community Yara rule) 2->61 63 Sigma detected: Scheduled temp file as task from temp location 2->63 65 7 other signatures 2->65 7 FG098765678900000879.exe 7 2->7         started        11 oRuYmycLZ.exe 5 2->11         started        13 svchost.exe 2->13         started        process3 dnsIp4 43 C:\Users\user\AppData\Roaming\oRuYmycLZ.exe, PE32 7->43 dropped 45 C:\Users\...\oRuYmycLZ.exe:Zone.Identifier, ASCII 7->45 dropped 47 C:\Users\user\AppData\Local\...\tmp39C6.tmp, XML 7->47 dropped 49 C:\Users\...\FG098765678900000879.exe.log, ASCII 7->49 dropped 67 Uses schtasks.exe or at.exe to add and modify task schedules 7->67 69 Writes to foreign memory regions 7->69 71 Allocates memory in foreign processes 7->71 73 Adds a directory exclusion to Windows Defender 7->73 16 powershell.exe 23 7->16         started        19 powershell.exe 23 7->19         started        21 RegSvcs.exe 4 7->21         started        23 schtasks.exe 1 7->23         started        75 Multi AV Scanner detection for dropped file 11->75 77 Injects a PE file into a foreign processes 11->77 25 RegSvcs.exe 11->25         started        27 schtasks.exe 11->27         started        29 RegSvcs.exe 11->29         started        31 RegSvcs.exe 11->31         started        51 127.0.0.1 unknown unknown 13->51 file5 signatures6 process7 signatures8 53 Loading BitLocker PowerShell Module 16->53 33 WmiPrvSE.exe 16->33         started        35 conhost.exe 16->35         started        37 conhost.exe 19->37         started        55 Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes) 21->55 39 conhost.exe 23->39         started        57 Tries to harvest and steal browser information (history, passwords, etc) 25->57 41 conhost.exe 27->41         started        process9
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/8c8cba879983d9f4d37fd6fb13d1062ce7a56b83d52d57bf54121523fb74e554
Verdict:
inconclusive
YARA:
5 match(es)
Tags:
.Net Executable PE (Portable Executable) Win 32 Exe x86
Link:
https://app.malva.re/file/acf3f3e112f8562516fdd99ca05b4e3f
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8c8cba879983d9f4d37fd6fb13d1062ce7a56b83d52d57bf54121523fb74e554/
Threat name:
Win32.Trojan.Znyonm
Create hunting rule
Status:
Malicious
First seen:
2025-06-26 06:16:52 UTC
File Type:
PE (.Net Exe)
Extracted files:
13
AV detection:
19 of 24 (79.17%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=rsglvb4zqpm7ju37235rhuigftt2k24d2uwvpp2uciksh63u4vka._file
Verdict:
malicious
Label(s):
darkcloudstealer
Create hunting rule
unc_loader_037
Create hunting rule
Similar samples:
0399cc610cf9002129dfd6666006b3c1469fa796c19e96540aed28cb4e9689c6
a310Logger
649facade465ad92983e7f91f592eed9b04bd84bb4d2d78fcee013dd004f8758
a310Logger
7b9d010e0fe5a9696c5fb1020d8a3c9e1272e7442f4ba841c83d3b0ee001466a
a310Logger
8c8cba879983d9f4d37fd6fb13d1062ce7a56b83d52d57bf54121523fb74e554
a310Logger
8fb81d1cd3412c19f02fd834de979e6651cdc5a281a99230b0f41c9d3c2848ba
a310Logger
c401d93c025614d076cdc77495da4b3e534557b4d3054ddec1321b5ed821c7b1
a310Logger
error
a310Logger
+ 3'788 additional samples on MalwareBazaar
Result
Malware family:
darkcloud
Create hunting rule
Score:
  10/10
Tags:
family:darkcloud discovery execution stealer
Link:
https://tria.ge/reports/250626-hegh6abn7x/
Behaviour
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Checks computer location settings
Command and Scripting Interpreter: PowerShell
DarkCloud
Darkcloud family
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/3b5f0bb9-c941-41d2-bc4d-4ed672dcdea0
Unpacked files
SH256 hash:
8c8cba879983d9f4d37fd6fb13d1062ce7a56b83d52d57bf54121523fb74e554
MD5 hash:
acf3f3e112f8562516fdd99ca05b4e3f
SHA1 hash:
75047853d94cbf537b3d41fc7fa0e47209ca1150
Link:
https://www.unpac.me/results/33f78201-07cd-423c-8d0b-4c3448e5715f/
SH256 hash:
475b0d91304e69f5c5af50b9cc2ebad1fc84669cb017863c2b12b6fd21d93f54
MD5 hash:
a1f1bd4e6fbcfa1052b010a69e8daa1d
SHA1 hash:
303858c61e936aa4fbebc98be765955786695adb
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24
Create hunting rule
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/33f78201-07cd-423c-8d0b-4c3448e5715f/
SH256 hash:
16b286e265bf73d9306fdcf18b6af9aa68bcd5322cb250cb66b1b14a220c88d6
MD5 hash:
9d1364afa57b30b1f4eea413809f2d08
SHA1 hash:
66bc8a0b0e37e21dbb5fe5a2050e2522391067e1
Detections:
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
INDICATOR_EXE_Packed_SmartAssembly
Create hunting rule
Link:
https://www.unpac.me/results/33f78201-07cd-423c-8d0b-4c3448e5715f/
Parent samples :
649facade465ad92983e7f91f592eed9b04bd84bb4d2d78fcee013dd004f8758
c401d93c025614d076cdc77495da4b3e534557b4d3054ddec1321b5ed821c7b1
0399cc610cf9002129dfd6666006b3c1469fa796c19e96540aed28cb4e9689c6
8c8cba879983d9f4d37fd6fb13d1062ce7a56b83d52d57bf54121523fb74e554
15b92edcf23a5909fe0e197a24cf219a28478c5d4c4c129fbcf776b02ac4dfe0
54a1a02cc4666d12264ad46491d6b29ab6606b1d9bd61ba74545a0286a6d64b0
1fbbd76779084cc1c6abdc0589285d263f1cc021c7977e7f9fef6bd4db8ab892
024e0ec6668fa78bb43f5d05ae30588e82c4429fdbf36034cbdd9895aee4e458
e103bcdfd02f8bd71180c91e1556399164982ff533ebbfe1e1b5c0b3e96657a4
e5d4ea9320972fd846b5e00cb7d3b36d1877b6e80733c3846fb9a8eda3606170
b818b605201bf6f9f32df1b0a0eafb5fbb560d17b44ebcef93be9be1c607238f
b58bbe7af3c222792a084491fa7aafe763a8c8c60b7795b1b06c0011e087d23c
8925d70e07b4ecfa4193aaf2d3e72649a6d4795dc533c305208b181a38ad3213
4b41957150ba1873f1b450400ac2bf7d88c96acb6a4bf01c5ffee306598500bd
SH256 hash:
ac61d0836a70eb3130d88edd0e9f17bfa3f5f24cb40660a72242a23cf25f2e8e
MD5 hash:
6de51d5fceef96149716ce6c44faaeeb
SHA1 hash:
7c24be77b2c9d7e1e808f650c4e90994e2120067
Detections:
darkcloudstealer
Create hunting rule
INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_TelegramChatBot
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_CC_Regex
Create hunting rule
MALWARE_Win_A310Logger
Create hunting rule
MALWARE_Win_DarkCloud
Create hunting rule
Link:
https://www.unpac.me/results/33f78201-07cd-423c-8d0b-4c3448e5715f/
Parent samples :
8c8cba879983d9f4d37fd6fb13d1062ce7a56b83d52d57bf54121523fb74e554
b114241cd4a768ac555cd281761b391f7fb88db242452814929512e1fccd64fd
8b3b519dac103a0437c2e78ce3f5aa64a1551739a96dd0976b4bb79bb0529d91
5ee7ac64f54803db99273964e63d13d858c7cbe561b07393400c0cf0770815ab
SH256 hash:
3b75425895af4ae3186b36277553641e37ca1d620ae18d68e40d13351b54de6a
MD5 hash:
94d1531b52774dce52a89e33646d5b1d
SHA1 hash:
29bf887b025b97bd7a9e1e261852ba824234a625
Link:
https://www.unpac.me/results/33f78201-07cd-423c-8d0b-4c3448e5715f/
Malware family:
DarkCloud
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/8c8cba879983/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/8c8cba879983d9f4d37fd6fb13d1062ce7a56b83d52d57bf54121523fb74e554

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DetectEncryptedVariants
Create hunting rule
Author:Zinyth
Description:Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded
Rule name:INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
Author:ditekSHen
Description:Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name:INDICATOR_SUSPICIOUS_EXE_CC_Regex
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing credit card regular expressions
Rule name:INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Create hunting rule
Author:ditekSHen
Description:Detects executables containing SQL queries to confidential data stores. Observed in infostealers
Rule name:INDICATOR_SUSPICIOUS_EXE_TelegramChatBot
Create hunting rule
Author:ditekSHen
Description:Detects executables using Telegram Chat Bot
Rule name:MALWARE_Win_A310Logger
Create hunting rule
Author:ditekSHen
Description:Detects A310Logger
Rule name:MALWARE_Win_DarkCloud
Create hunting rule
Author:ditekSHen
Description:Detects DarkCloud infostealer
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:ProtectSharewareV11eCompservCMS
Create hunting rule
Author:malware-lu
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SEH__vba
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)
Rule name:telegram_bot_api
Create hunting rule
Author:rectifyq
Description:Detects file containing Telegram Bot API
Rule name:UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser
Create hunting rule
Author:malware-lu
Rule name:Windows_Trojan_DarkCloud_9905abce
Create hunting rule
Author:Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

a310Logger

Executable exe 8c8cba879983d9f4d37fd6fb13d1062ce7a56b83d52d57bf54121523fb74e554

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/11193/

Comments