MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 90cfa88b710e25a9a1219c67738a891f052a33085a5aca2797524612b016249e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

a310Logger

Vendor detections: 11

Intelligence 11 IOCs YARA 9 File information Comments

SHA256 hash:	90cfa88b710e25a9a1219c67738a891f052a33085a5aca2797524612b016249e
SHA3-384 hash:	053871081da1665149161fe6294c0d7294b7b37055ff8f3d6cce3f8b1ef2f18924e94fdcdcdd9f3830c2d469d8131674
SHA1 hash:	3164c21a75ba0de36200d5ef1cb7ee81c2203a45
MD5 hash:	f52b4684b9c1d2a390e98098125dd1b4
humanhash:	mobile-berlin-wolfram-mississippi
File name:	SecuriteInfo.com.Win32.PWSX-gen.18116
Download:	download sample
Signature	a310Logger Create hunting rule
File size:	1'097'216 bytes
First seen:	2022-09-22 17:03:00 UTC
Last seen:	2022-09-23 11:17:39 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'658 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep	12288:1zE35FZjxFmdVht9TGclUy7jfV6l53Hk1oJ9fVid6a/g5mLUqrjds118p4QCf:qFWLzTl9Na46fEb/g5ovdNm
TLSH	T10035E027D7A94F47D11667B884A0C1B063AAEF01A43EC24B6EEE7C9FB0767914251F07
TrID	64.2% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 11.5% (.SCR) Windows screen saver (13101/52/3) 9.2% (.EXE) Win64 Executable (generic) (10523/12/4) 5.7% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 3.9% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter	SecuriteInfoCom
Tags:	a310logger exe

Intelligence

File Origin

# of uploads :

# of downloads :

375

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

SecuriteInfo.com.Win32.PWSX-gen.18116

Verdict:

Malicious activity

Analysis date:

2022-09-22 17:04:51 UTC

Tags:

stealer

Link:

https://app.any.run/tasks/678c6f7d-2cc0-417c-bbf3-9e8c86a9a028

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/312410/

Detection(s):

SecuriteInfo.com.Win32.PWSX-gen.18116.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a window

Unauthorized injection to a recently created process

Creating a file

Сreating synchronization primitives

Launching a process

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/632c95a4733cf06046516de6/reports/9048f89d-95d8-4493-9aed-fb5502dd0b78/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/20f437c6-ae72-41dc-b1ed-76dca71db7f3

Result

Threat name:

BluStealer, ThunderFox Stealer, a310Logg

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1075467

Signature

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

Allocates memory in foreign processes

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses the Telegram API (likely for C&C communication)

Writes to foreign memory regions

Yara detected a310Logger

Yara detected AntiVM3

Yara detected BluStealer

Yara detected Telegram RAT

Yara detected ThunderFox Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/90cfa88b710e25a9a1219c67738a891f052a33085a5aca2797524612b016249e/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2022-09-22 17:04:09 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

17 of 26 (65.38%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=sdh2rc3rbys2tijbtrtxhcujd4csumyiljnmuj4xkjdbfmawespa._file

Verdict:

malicious

Result

Malware family:

blustealer

Score:

10/10

Tags:

family:blustealer collection stealer

Link:

https://tria.ge/reports/220922-vkqegafgbq/

Behaviour

Script User-Agent

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Enumerates physical storage devices

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

BluStealer

Malware Config

C2 Extraction:

https://api.telegram.org/bot5450700540:AAEJyEEV8BKgYUKmnCPZxp19kD9GVSRup5M/sendMessage?chat_id=5422342474

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/bdaea010-0caa-4ea3-810a-4490dc21523e

Unpacked files

SH256 hash:

fc9bb9746aaa4e07944b2c1338d26ac852531a6e6c97e98f6a56202d27ff607c

MD5 hash:

d2ec533f8b40a8224d79c87c2291f943

SHA1 hash:

f305fa4c5c8525e853fbdbcf5c8cedad9ba08fd2

Link:

https://www.unpac.me/results/d3719f7c-96b9-42fe-bc9a-304ecbea5890/

SH256 hash:

4a1252e77f6e07c77101d5b7a4a7769d00431f097b7031972cb1eb27689b64ff

MD5 hash:

9d23d56132b1bab242c3c72cbae26b3e

SHA1 hash:

ed0423a0e35ebc4f9d13403bfaf5c9bf3d206ccc

Link:

https://www.unpac.me/results/d3719f7c-96b9-42fe-bc9a-304ecbea5890/

SH256 hash:

b54d260788767c6e0ec3407cf4be4f54ce087d5017e2aa7f77186eb7877531b1

MD5 hash:

2e5c245bfd3bdb556b37334526f24d64

SHA1 hash:

ae30c4384cec77d0cf921591664aad097dbfb8bb

Link:

https://www.unpac.me/results/d3719f7c-96b9-42fe-bc9a-304ecbea5890/

SH256 hash:

79a9ee301ee60e363c14f5f5cd8cd348a4dd3d80090c2f0e637b5a844230dcb8

MD5 hash:

8c6c0a4a3a2c60dd88e9c29f7946d767

SHA1 hash:

a3c429fd25c3357f6848c3b6387870f4bf18a6fd

Link:

https://www.unpac.me/results/d3719f7c-96b9-42fe-bc9a-304ecbea5890/

SH256 hash:

2470b39032f6182252039c88199016566b0de30c6aa02163a143427afedd12af

MD5 hash:

c3a1924684ca30ed22234ce1d9111dfc

SHA1 hash:

7347706241422758c06440fd6044ae4e042b456b

Link:

https://www.unpac.me/results/d3719f7c-96b9-42fe-bc9a-304ecbea5890/

SH256 hash:

e20ec8f3c957bcb6a194ef688bae8af2015cfffb20e7baf8b2114d7b70ade4ee

MD5 hash:

35cb29046968faca7f3f3b4463449b6c

SHA1 hash:

088c8c30ec1bece0a4b5bbfe3982b073f8b95598

Link:

https://www.unpac.me/results/d3719f7c-96b9-42fe-bc9a-304ecbea5890/

SH256 hash:

5d7647d636efd66566d0a57930482006215fd669b412ba277a975855f737d9a5

MD5 hash:

bd30ec3169301b56f09e81ee7e209b9f

SHA1 hash:

83571be0ff615b1f8defb4566298a44e9daac8f6

Link:

https://www.unpac.me/results/d3719f7c-96b9-42fe-bc9a-304ecbea5890/

SH256 hash:

90cfa88b710e25a9a1219c67738a891f052a33085a5aca2797524612b016249e

MD5 hash:

f52b4684b9c1d2a390e98098125dd1b4

SHA1 hash:

3164c21a75ba0de36200d5ef1cb7ee81c2203a45

Link:

https://www.unpac.me/results/d3719f7c-96b9-42fe-bc9a-304ecbea5890/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/90cfa88b710e/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/90cfa88b710e25a9a1219c67738a891f052a33085a5aca2797524612b016249e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	BitcoinAddress Create hunting rule
Author:	Didier Stevens (@DidierStevens)
Description:	Contains a valid Bitcoin address

Rule name:	INDICATOR_SUSPICIOUS_EXE_TelegramChatBot Create hunting rule
Author:	ditekSHen
Description:	Detects executables using Telegram Chat Bot

Rule name:	MALWARE_Win_A310Logger Create hunting rule
Author:	ditekSHen
Description:	Detects A310Logger

Rule name:	pe_imphash Create hunting rule

Rule name:	pe_imphash Create hunting rule

Rule name:	RansomwareTest3 Create hunting rule
Author:	Daoyuan Wu
Description:	Test Ransomware YARA rules

Rule name:	RansomwareTest6 Create hunting rule
Author:	Daoyuan Wu
Description:	Test Ransomware YARA rules

Rule name:	RansomwareTest7 Create hunting rule
Author:	Daoyuan Wu
Description:	Test Ransomware YARA rules

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/312410/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample