MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 91be6258668b873244ec00091e663437dbb0967ee31406538376560de2b9a0e2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


a310Logger


Vendor detections: 12


Intelligence 12 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 91be6258668b873244ec00091e663437dbb0967ee31406538376560de2b9a0e2
SHA3-384 hash: dbd232c1bd2813f4cb3035108be5d698ae038aff4e94e4025376104b16dd64ad054fbb93c6fdd67fe9204315a1583b42
SHA1 hash: 1d1acaa521f0b04301d350831c97d0d4cc34e2f7
MD5 hash: 0cf7d7bfef7f90ec7738d843de48f8b0
humanhash: fourteen-ten-carolina-quiet
File name:SecuriteInfo.com.Variant.Barys.42241.11208.10553
Download: download sample
Signature a310Logger
Create hunting rule
File size:894'464 bytes
First seen:2022-08-04 08:56:03 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 24576:A9N3yknYBI7DND/UPt2XA7qm5+Ti01nv:qpHYBIXlUVgOITi01n
Threatray 5'702 similar samples on MalwareBazaar
TLSH T1171501D75ACD25F2E1F6AC77655760710932563B6AA20337717FBB232A2F6C30E21A01
TrID 72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.4% (.EXE) Win64 Executable (generic) (10523/12/4)
6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.4% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon 182b4d5d84f0f0b2 (9 x Formbook, 8 x AgentTesla, 6 x RemcosRAT)
Reporter SecuriteInfoCom
Tags:a310logger exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
300
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SecuriteInfo.com.Variant.Barys.42241.11208.10553
Verdict:
Malicious activity
Analysis date:
2022-08-04 08:58:22 UTC
Tags:
stealer
Link:
https://app.any.run/tasks/6995849d-e62f-426e-a744-39cbca1144f5

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
A310Logger
Create hunting rule
Link:
https://www.capesandbox.com/analysis/296406/
Detection(s):
SecuriteInfo.com.Variant.Barys.42241.11208.10553.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Launching a process
Creating a file
Сreating synchronization primitives
Creating a window
Reading critical registry keys
Creating a file in the %AppData% subdirectories
DNS request
Sending a custom TCP request
Forced shutdown of a system process
Stealing user critical data
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/62eb89e06336465f2a0e3925/reports/15854105-1739-4146-a7e6-e17ee74cbf23/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/a768a778-dd55-4452-aaf6-e8c8b3f06ae1
Result
Threat name:
BluStealer, ThunderFox Stealer, a310Logg
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1046139
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Allocates memory in foreign processes
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses the Telegram API (likely for C&C communication)
Writes to foreign memory regions
Yara detected a310Logger
Yara detected BluStealer
Yara detected Generic Downloader
Yara detected ThunderFox Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/91be6258668b873244ec00091e663437dbb0967ee31406538376560de2b9a0e2/
Threat name:
ByteCode-MSIL.Downloader.Seraph
Create hunting rule
Status:
Malicious
First seen:
2022-08-04 08:57:10 UTC
File Type:
PE (.Net Exe)
Extracted files:
9
AV detection:
24 of 26 (92.31%)
Threat level:
  3/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=sg7gewdgrodterhmaaer4zrug7n3bft64mkamu4dozla3yvzudra._file
Verdict:
malicious
Similar samples:
068a5a6741c0bf5326cdce7e406c5273340ad1c9f4371fadeb88bf794f1d91e6
a310Logger
06fae3abb10a6b3cbd8bd6864110093b43d9a50e14e874fac48109cc895ab65b
a310Logger
5475992d3304669f1b85ae554b2b8d894410e92ec46642e1af9c1b6841ca6724
a310Logger
60fb9597e5843c72d761525f73ca728409579d81901860981ebd84f7d153cfa3
a310Logger
72a787a3953e4b74aa9c88834e25af4c5f85a02896372e467a06bb092ebf6382
a310Logger
a47f1b1a2995865a081e270569e3cb0857d3af3759c2e06b72e3f418e9611a87
a310Logger
b60b11f2b52b6dc83a2980d3e08d4b0f9795f9516105ce9c76379dfb60668c32
a310Logger
c8f753f0d1a4d979c58a3abcb33ab41724c33ca7dc49390bab4bcd50803aacdf
a310Logger
f7a414bec8c4c42c424400312c878ff1fa538ceaf526c73eaf7c3fcff83f6dab
a310Logger
f9da2b0b4faa792adade4a1bb0557486073ff2ac52c6c4271439d99419ac5f28
a310Logger
+ 5'692 additional samples on MalwareBazaar
Result
Malware family:
blustealer
Create hunting rule
Score:
  10/10
Tags:
family:blustealer collection stealer
Link:
https://tria.ge/reports/220804-kv3gnsebfk/
Behaviour
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
BluStealer
Malware Config
C2 Extraction:
https://api.telegram.org/bot5449766717:AAHzRorvKI5URgvleGHlq6ZvqElY68-XL18/sendMessage?chat_id=1293496579
Unpacked files
SH256 hash:
fc9bb9746aaa4e07944b2c1338d26ac852531a6e6c97e98f6a56202d27ff607c
MD5 hash:
d2ec533f8b40a8224d79c87c2291f943
SHA1 hash:
f305fa4c5c8525e853fbdbcf5c8cedad9ba08fd2
Link:
https://www.unpac.me/results/69f606b5-fdda-44c9-9e84-e69c04c34d41/
SH256 hash:
dedfb35e497cd8b00d4bc411922ae50f9ef2cf50dfb922b4714eede2ec9ff2cb
MD5 hash:
b9088cca0b04b2331e2a24a025a2f668
SHA1 hash:
e7bf42606fae2dc19818a285b679517244facede
Link:
https://www.unpac.me/results/69f606b5-fdda-44c9-9e84-e69c04c34d41/
SH256 hash:
3f1c18fd3fae5230a2c004f2240acd04deca92ae1c4e09ced1b0ee15fe2ae456
MD5 hash:
5becc7c352772cfb361fdf2e1d7665a7
SHA1 hash:
9bb8e58283dddee783b5382a31c01dd7369a8dff
Link:
https://www.unpac.me/results/69f606b5-fdda-44c9-9e84-e69c04c34d41/
SH256 hash:
a6acfe617040a5005be0d1675756dc9f09596d3bb2bb3ebc8a2c6881b8c4cfd7
MD5 hash:
db843358b89f4074346cab346720ab06
SHA1 hash:
94d77a5f2d66f20baf557ad30c3ab284665980d9
Link:
https://www.unpac.me/results/69f606b5-fdda-44c9-9e84-e69c04c34d41/
SH256 hash:
6a4296d8bd7b51d07109fe580797e0f13a952f779491e6f6d076c912111d0e3a
MD5 hash:
929d16d2c6e298f3ace32fc12e4ad83c
SHA1 hash:
867adac724cd83fd4750f0b183684e26b6245ee0
Link:
https://www.unpac.me/results/69f606b5-fdda-44c9-9e84-e69c04c34d41/
SH256 hash:
658142bdeec19fb3ff0556a38a592458b7f005f69d11a39c34d67fd9efe6222c
MD5 hash:
441e8511c4bd646d55c6001a99057c8d
SHA1 hash:
25d14c05535d580bf13a2dcc48bf63eda296ea14
Link:
https://www.unpac.me/results/69f606b5-fdda-44c9-9e84-e69c04c34d41/
SH256 hash:
ccdd35d300f578d210da5d90e57961a206f2a89d8c47be240bbf7ecf14f64559
MD5 hash:
1972b997c83051cf64daf024ba83c1a0
SHA1 hash:
335d9a7a896d16f0ae0e62fc302d48094949c29b
Link:
https://www.unpac.me/results/69f606b5-fdda-44c9-9e84-e69c04c34d41/
SH256 hash:
91be6258668b873244ec00091e663437dbb0967ee31406538376560de2b9a0e2
MD5 hash:
0cf7d7bfef7f90ec7738d843de48f8b0
SHA1 hash:
1d1acaa521f0b04301d350831c97d0d4cc34e2f7
Link:
https://www.unpac.me/results/69f606b5-fdda-44c9-9e84-e69c04c34d41/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/91be6258668b/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/91be6258668b873244ec00091e663437dbb0967ee31406538376560de2b9a0e2

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:INDICATOR_SUSPICIOUS_EXE_TelegramChatBot
Create hunting rule
Author:ditekSHen
Description:Detects executables using Telegram Chat Bot
Rule name:MALWARE_Win_A310Logger
Create hunting rule
Author:ditekSHen
Description:Detects A310Logger
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/296406/

Comments