MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9091f8b24635fc68664a80f7904c1f56344c045513996852a522d5da2a909f73. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


a310Logger


Vendor detections: 9


Intelligence 9 IOCs YARA 3 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9091f8b24635fc68664a80f7904c1f56344c045513996852a522d5da2a909f73
SHA3-384 hash: 160ec4354d7c729939f93c8233d39798b5473cdf1ba2ecccd9793c934f707dfc656a74ef7eabfa11f800e31e8fc9bbb6
SHA1 hash: bfaef6595b41a0a787ac9186ce47b0c59306d7f4
MD5 hash: 4e3f9aaa521bd82e3b2902d528e51685
humanhash: paris-solar-network-thirteen
File name:4e3f9aaa521bd82e3b2902d528e51685
Download: download sample
Signature a310Logger
Create hunting rule
File size:1'366'528 bytes
First seen:2021-09-07 15:01:40 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 24576:TLpXk+b6umJBDAJeqtgVsd/fgYAiDwnKDv8A1BUoybc:TLfqBDAfgWdHrAcwKb8afyb
Threatray 4'829 similar samples on MalwareBazaar
TLSH T13055AD322BED4D05E6DE0B74D070763093B5BC1B66AACBCAD848BA6E5C33781A451377
dhash icon b032cc442c8cd290 (6 x a310Logger, 2 x Formbook, 1 x RemcosRAT)
Reporter zbetcheckin
Tags:32 a310logger exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
153
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
4e3f9aaa521bd82e3b2902d528e51685
Verdict:
Malicious activity
Analysis date:
2021-09-07 15:02:01 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/3fc85b4b-b20b-4631-a27c-c0961bd656dc

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/186076/
Detection(s):
SecuriteInfo.com.Trojan.Inject4.16344.5451.29568.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Launching a process
Creating a process with a hidden window
Using the Windows Management Instrumentation requests
Sending a UDP request
DNS request
Unauthorized injection to a system process
Malware family:
Quasar RAT
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/a96c11e9-9114-4cdb-ab5f-15e2e9e84bb6
Result
Threat name:
StormKitty a310Logger
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/846718
Signature
.NET source code contains potential unpacker
Creates an undocumented autostart registry key
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file access)
Uses powershell Test-Connection to delay payload execution;
Writes to foreign memory regions
Yara detected a310Logger
Yara detected StormKitty Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 479149 Sample: 0HsDg7f3eG Startdate: 07/09/2021 Architecture: WINDOWS Score: 100 63 youtube.com 2->63 65 outlook.com 2->65 67 2 other IPs or domains 2->67 85 Malicious sample detected (through community Yara rule) 2->85 87 Multi AV Scanner detection for dropped file 2->87 89 Multi AV Scanner detection for submitted file 2->89 91 3 other signatures 2->91 9 0HsDg7f3eG.exe 9 2->9         started        signatures3 process4 file5 55 C:\Users\user\AppData\Roaming\...\pade.exe, PE32 9->55 dropped 57 C:\Users\user\AppData\...\0HsDg7f3eG.exe, PE32 9->57 dropped 59 C:\Users\...\0HsDg7f3eG.exe:Zone.Identifier, ASCII 9->59 dropped 61 C:\Users\user\AppData\...\0HsDg7f3eG.exe.log, ASCII 9->61 dropped 103 Creates an undocumented autostart registry key 9->103 105 Writes to foreign memory regions 9->105 107 Uses powershell Test-Connection to delay payload execution; 9->107 109 Injects a PE file into a foreign processes 9->109 13 0HsDg7f3eG.exe 9->13         started        17 0HsDg7f3eG.exe 9->17         started        19 powershell.exe 17 9->19         started        21 5 other processes 9->21 signatures6 process7 dnsIp8 73 budgetn.xyz 198.54.115.195, 49721, 49727, 49728 NAMECHEAP-NETUS United States 13->73 115 Tries to steal Crypto Currency Wallets 13->115 23 AppLaunch.exe 13->23         started        28 AppLaunch.exe 13->28         started        30 AppLaunch.exe 13->30         started        32 AppLaunch.exe 13->32         started        117 Multi AV Scanner detection for dropped file 17->117 119 Performs DNS queries to domains with low reputation 17->119 121 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 17->121 75 192.168.2.1 unknown unknown 19->75 77 outlook.com 19->77 34 conhost.exe 19->34         started        79 youtube.com 21->79 81 google.com 21->81 83 2 other IPs or domains 21->83 36 conhost.exe 21->36         started        38 conhost.exe 21->38         started        40 conhost.exe 21->40         started        42 2 other processes 21->42 signatures9 process10 dnsIp11 69 icanhazip.com 104.18.6.156, 49718, 80 CLOUDFLARENETUS United States 23->69 71 164.204.10.0.in-addr.arpa 23->71 53 C:\Users\user\AppData\...\oGDLfNMM.exe, PE32 23->53 dropped 93 Tries to steal Instant Messenger accounts or passwords 23->93 95 Tries to steal Mail credentials (via file access) 23->95 97 Tries to harvest and steal browser information (history, passwords, etc) 23->97 44 oGDLfNMM.exe 23->44         started        99 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 28->99 101 May check the online IP address of the machine 28->101 47 WerFault.exe 28->47         started        49 WerFault.exe 28->49         started        51 WerFault.exe 30->51         started        file12 signatures13 process14 signatures15 111 Multi AV Scanner detection for dropped file 44->111 113 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 44->113
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9091f8b24635fc68664a80f7904c1f56344c045513996852a522d5da2a909f73/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-09-06 16:01:11 UTC
AV detection:
21 of 27 (77.78%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=sci7rmsggx6gqzskqd3zata7ky2eybcvcomwquvfelk5ukuqt5zq._file
Verdict:
malicious
Similar samples:
35d443578b1eb0708d334d3e1250f68550a5db4d630f1813fed8e2fc58a2c6d0
a310Logger
4a0b8f4dbb3acd1bbab1527d90921061bef21f3422250dcc41b8046b77edbd9b
a310Logger
6f0cba180dbf4115883c20ad4f8279c765d449033146d2588069f7f20a2db61e
a310Logger
b281be38a190ca97b700202096f56b29ff68740c0d40273f286e03d52685321e
a310Logger
b301185f13c9f20441ebbbcf360bdd06174cff01b5da49cee874347206a5cdcb
a310Logger
d6390558e6f860877f95e6cf83ebc2fa028da6f469d75f73b27afe92900fbc7f
a310Logger
f4b224dc05210c0020c5e2f736c3132de81057918783ed65e56add163f92d552
a310Logger
+ 4'819 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://tria.ge/reports/210907-sefxqsgaeq/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Unpacked files
SH256 hash:
7315433f7a481331faa99e9326bace834936d03554c13ab20b5e19645b38ed6b
MD5 hash:
8981b89c18981126bb4aa7dfc00154aa
SHA1 hash:
f7e74cd65a88d90b7ef299026bba3b539850eeb2
Link:
https://www.unpac.me/results/c8c1a9e7-51eb-4893-836b-189dbd608cdd/
SH256 hash:
bd7d7ef3f4113c0456c201778c2b5c447b6f2e300ead735d69b347f2209449d8
MD5 hash:
bc4214e3078fa73d22c69da85e65bd1e
SHA1 hash:
3732c32e2f9fdd8636101dde63882d718cc3ebc9
Link:
https://www.unpac.me/results/c8c1a9e7-51eb-4893-836b-189dbd608cdd/
SH256 hash:
96f5f7da34d6ed55d904f0515ccbf7a90b62cee4a76ad82255773b89b217d25b
MD5 hash:
f4383828da0655eceb4a384f514f23ce
SHA1 hash:
4551acf85780e33f9d01a7aa93680b751500dbd5
Link:
https://www.unpac.me/results/c8c1a9e7-51eb-4893-836b-189dbd608cdd/
SH256 hash:
119bb5695636a7924d7d26669c023d40d083254f76eed2ead3c4f95630f07830
MD5 hash:
22c310c9fa9a44358c722f0b189c8e86
SHA1 hash:
245360a9807b103509ff95944ee664d4fc47ba88
Link:
https://www.unpac.me/results/c8c1a9e7-51eb-4893-836b-189dbd608cdd/
SH256 hash:
9091f8b24635fc68664a80f7904c1f56344c045513996852a522d5da2a909f73
MD5 hash:
4e3f9aaa521bd82e3b2902d528e51685
SHA1 hash:
bfaef6595b41a0a787ac9186ce47b0c59306d7f4
Link:
https://www.unpac.me/results/c8c1a9e7-51eb-4893-836b-189dbd608cdd/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/9091f8b24635fc68664a80f7904c1f56344c045513996852a522d5da2a909f73

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

a310Logger

Executable exe 9091f8b24635fc68664a80f7904c1f56344c045513996852a522d5da2a909f73

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1599923/
Cape
Cape
https://www.capesandbox.com/analysis/186076/

Comments


Avatar
zbet commented on 2021-09-07 15:01:42 UTC

url : hxxp://wingsteck.com/ts/Y/BLT-750108002.exe