MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8fb7d7c33173d49da7907bf7bec5eea3d7d7f79ea3fef39bedf3de4b22f76987. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


a310Logger


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8fb7d7c33173d49da7907bf7bec5eea3d7d7f79ea3fef39bedf3de4b22f76987
SHA3-384 hash: f08ac357424b77ee31e727c152c4ceaacb87a8aaf1c9a4a19a607b8def23287e01a418440013a0ba2e99a3e0868edabd
SHA1 hash: 235a213a7bb4fc944199ec54a04138c0c4d0150d
MD5 hash: bd047836bb8805934054d02d6d4263f6
humanhash: coffee-mississippi-helium-pizza
File name:SKQRMFE00058945.exe
Download: download sample
Signature a310Logger
Create hunting rule
File size:524'515 bytes
First seen:2021-08-24 06:22:47 UTC
Last seen:2021-08-24 13:50:53 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 76cb49957629b5fe0d40d13588a8762e (4 x Loki, 3 x Formbook, 2 x NanoCore)
ssdeep 12288:TKhCCCCCCCCCCCCC1g5al+tpTQTujAyfiIsdCCCCCCCCCCCCCCCCCCC/c2XvB5+5:TKnfSIT+L4M6U/QjortrtmHTdSqBV+
Threatray 5'002 similar samples on MalwareBazaar
TLSH T1B4B4123A3D8C5937F7AE74766EA551A6F5433E24B73C817260AA78138C7A90F78300B5
Reporter AndreGironda
Tags:a310logger CryptoWallets.zip exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
264
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SKQRMFE00058945.exe
Verdict:
Suspicious activity
Analysis date:
2021-08-24 06:24:21 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/3c20b27e-ac9b-423c-970c-f2b636ccc741

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.BackDoor.SpyBotNET.25.15325.17495.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Using the Windows Management Instrumentation requests
Sending a custom TCP request
Sending a UDP request
Launching a process
DNS request
Connection attempt
Sending an HTTP GET request
Reading critical registry keys
Creating a file in the %AppData% subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
Creating a file
Deleting a recently created file
Searching for the window
Creating a file in the %temp% directory
Moving a file to the %AppData% subdirectory
Replacing files
Unauthorized injection to a recently created process
Stealing user critical data
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a system process
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/2fd57264-9689-424b-b175-83006ca7051a
Result
Threat name:
StormKitty a310Logger
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/837994
Signature
.NET source code contains potential unpacker
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Detected unpacking (changes PE section rights)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses process hollowing technique
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file access)
Writes to foreign memory regions
Yara detected a310Logger
Yara detected Generic Dropper
Yara detected StormKitty Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 470422 Sample: SKQRMFE00058945.exe Startdate: 24/08/2021 Architecture: WINDOWS Score: 100 67 Malicious sample detected (through community Yara rule) 2->67 69 Antivirus / Scanner detection for submitted sample 2->69 71 Yara detected a310Logger 2->71 73 4 other signatures 2->73 8 SKQRMFE00058945.exe 1 2->8         started        11 SKQRMFE00058945.exe 2->11         started        13 SKQRMFE00058945.exe 2->13         started        process3 signatures4 75 Detected unpacking (changes PE section rights) 8->75 77 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 8->77 79 Maps a DLL or memory area into another process 8->79 15 SKQRMFE00058945.exe 2 15 8->15         started        19 conhost.exe 8->19         started        21 conhost.exe 11->21         started        23 SKQRMFE00058945.exe 11->23         started        25 conhost.exe 13->25         started        27 SKQRMFE00058945.exe 13->27         started        process5 dnsIp6 55 axfloo.com 69.73.183.11, 465, 49704, 49713 NTHLUS United States 15->55 57 mail.axfloo.com 15->57 59 Writes to foreign memory regions 15->59 61 Allocates memory in foreign processes 15->61 63 Sample uses process hollowing technique 15->63 65 2 other signatures 15->65 29 AppLaunch.exe 5 15->29         started        34 AppLaunch.exe 15 4 15->34         started        36 AppLaunch.exe 1 15->36         started        38 AppLaunch.exe 15->38         started        signatures7 process8 dnsIp9 49 icanhazip.com 104.18.7.156, 49702, 49703, 80 CLOUDFLARENETUS United States 29->49 51 72.245.12.0.in-addr.arpa 29->51 45 C:\Users\user\AppData\...\ocPqgcVh.exe, PE32 29->45 dropped 85 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 29->85 87 May check the online IP address of the machine 29->87 89 Tries to steal Instant Messenger accounts or passwords 29->89 40 ocPqgcVh.exe 29->40         started        53 72.245.12.0.in-addr.arpa 34->53 47 C:\Users\user\AppData\...\mHQJeiUg.exe, PE32 34->47 dropped 91 Tries to steal Mail credentials (via file access) 34->91 93 Tries to harvest and steal browser information (history, passwords, etc) 34->93 43 mHQJeiUg.exe 34->43         started        file10 signatures11 process12 signatures13 81 Multi AV Scanner detection for dropped file 40->81 83 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 40->83
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8fb7d7c33173d49da7907bf7bec5eea3d7d7f79ea3fef39bedf3de4b22f76987/
Threat name:
Win32.Spyware.Convagent
Create hunting rule
Status:
Malicious
First seen:
2021-08-24 06:23:05 UTC
AV detection:
16 of 46 (34.78%)
Threat level:
  2/5
Verdict:
malicious
Similar samples:
3abd941389c4d76a2e36c0c4468aab3b891925225f63bd5e280dd1c986311099
a310Logger
3c17d6b6676bffb1a963784f757c163023961aa29364aeaa0f78d2790ed5b073
a310Logger
60ac6dfe6cbf92960e313300091e733c0b4a2bca9f8de41f3543bc2d06ba4328
a310Logger
6b747506cd4c9f9807084784cc5c67b5b134258c059d8089c6406e3585db5275
a310Logger
7257e33f527df5f7820d5dfd9022d923b5fb6cdef21d402c54fc9d3f3106f3a3
a310Logger
738a485429af982afe764c392327ad1940bc0e2c53e46ccebc7e7528abaa9c9d
a310Logger
8940eb56fcbcf0b9e9f1ca34b9e2671bf9f0494eed2b00254cc916378337c0bd
a310Logger
d4ac60606ebb8df8a2b8d311c9262442978eeb65067e8940283e3a132efb2525
a310Logger
d6390558e6f860877f95e6cf83ebc2fa028da6f469d75f73b27afe92900fbc7f
a310Logger
+ 4'992 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://tria.ge/reports/210824-p3agr7x1qj/
Behaviour
Suspicious behavior: MapViewOfSection
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Unpacked files
SH256 hash:
a49ab099aa9eb6c6bc9629ca582cc8bb62de0da9bdad4c1b08448fb50d1d3126
MD5 hash:
b47ee4fcf1806eba54c7cd0c16d1a904
SHA1 hash:
9939d7353a34f65c0ec66dc48917aaeb9f9a64a5
Link:
https://www.unpac.me/results/a2a0f4c7-5843-40cf-8358-a080df19417d/
SH256 hash:
0d87368d4b42b9a17cac14e5cc28d8e29c35549b625d71f1f90a46c4957e9e1b
MD5 hash:
13642c4bd311f810a93655fe07133420
SHA1 hash:
b52ea16b628f9cf1f68399088a6a3ce757f5807d
Link:
https://www.unpac.me/results/a2a0f4c7-5843-40cf-8358-a080df19417d/
SH256 hash:
8fb7d7c33173d49da7907bf7bec5eea3d7d7f79ea3fef39bedf3de4b22f76987
MD5 hash:
bd047836bb8805934054d02d6d4263f6
SHA1 hash:
235a213a7bb4fc944199ec54a04138c0c4d0150d
Link:
https://www.unpac.me/results/a2a0f4c7-5843-40cf-8358-a080df19417d/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/8fb7d7c33173/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.53
Link:
https://yomi.yoroi.company/submissions/8fb7d7c33173d49da7907bf7bec5eea3d7d7f79ea3fef39bedf3de4b22f76987

File information

The table below shows additional information about this malware sample such as delivery method and external references.

a310Logger

Executable exe 8fb7d7c33173d49da7907bf7bec5eea3d7d7f79ea3fef39bedf3de4b22f76987

(this sample)

021d7b39db0176851ef9a4dd9493fbb913c89cc03106c7b97314354da5e2f495

  
Link
https://www.fortinet.com/blog/threat-research/fresh-malware-hunts-for-crypto-wallet-and-credentials
  
Link
https://tria.ge/210824-g1y842pdyx
Cape
Cape
https://capesandbox.com/analysis/181712/
  
Dropping
SHA256 021d7b39db0176851ef9a4dd9493fbb913c89cc03106c7b97314354da5e2f495
  
Dropping
SHA256 0d87368d4b42b9a17cac14e5cc28d8e29c35549b625d71f1f90a46c4957e9e1b
  
Dropping
SHA256 3f92c4d0fa014384ac318cb40a43850d9fe83205a8e909fdb0b492dadeee91ca
  
Dropping
SHA256 9be06b19f706980c4b758cd7d957dbb9d7da758aaba41bce6e7e95efbfb2a4c0
  
Dropping
SHA256 a49ab099aa9eb6c6bc9629ca582cc8bb62de0da9bdad4c1b08448fb50d1d3126
  
Dropping
SHA256 f991cb474ea42528278053f965223326389c3555cdd08de453c80c3d77e9b6f9
  
Delivery method
Distributed via e-mail link

Comments