MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9295e25f8d2faace30d36a7497aa48df5bc44de15cee22fc6b1e4233e3c50c50. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


a310Logger


Vendor detections: 5


Intelligence 5 IOCs YARA 4 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9295e25f8d2faace30d36a7497aa48df5bc44de15cee22fc6b1e4233e3c50c50
SHA3-384 hash: 3314e5ec9aa6f5ac0b3e2738e23d34d4a838421b636802d8c1fbb8b7b1e7cecc017c2c43b1a666794b7e8ac1dd9f6db0
SHA1 hash: 9c815e486f48d6a09e29d9d8575a6d1dd5dd9248
MD5 hash: 985dbcc380026129bcd1807ba73c1072
humanhash: london-grey-hotel-low
File name:985dbcc380026129bcd1807ba73c1072
Download: download sample
Signature a310Logger
Create hunting rule
File size:1'413'632 bytes
First seen:2021-09-29 04:55:07 UTC
Last seen:2021-09-29 06:32:29 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 24576:4Dy3BNfIol/MUJHAtd9STrlIOn4vaxosZT25oIkjH4GJyGNFa4gfnv:42NfIojZAT9C/4vaxPT5ICZJ77a4En
Threatray 1'131 similar samples on MalwareBazaar
TLSH T14C658B1C7A0A1AB6FC9DD830C9196A05BB660F0727E0BAD257DB15CB974F1FA2D04F84
File icon (PE):PE icon
dhash icon 182b4d5d84f0f0b2 (9 x Formbook, 8 x AgentTesla, 6 x RemcosRAT)
Reporter zbetcheckin
Tags:32 a310logger exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
126
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
985dbcc380026129bcd1807ba73c1072
Verdict:
Suspicious activity
Analysis date:
2021-09-29 04:56:19 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/ed08ec2c-e9c9-4505-9cb1-06173978f97b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/192773/
Detection(s):
SecuriteInfo.com.Trojan.Mardom.MN.10.19522.5133.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Launching a process
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/166ebe96-72d8-4f29-8b4c-87a64495b0b2
Result
Threat name:
SpyEx a310Logger
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/860541
Signature
Allocates memory in foreign processes
Binary or sample is protected by dotNetProtector
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Tries to delay execution (extensive OutputDebugStringW loop)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected a310Logger
Yara detected SpyEx stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 492972 Sample: lrLet2OWot Startdate: 29/09/2021 Architecture: WINDOWS Score: 100 51 Malicious sample detected (through community Yara rule) 2->51 53 Multi AV Scanner detection for submitted file 2->53 55 Yara detected SpyEx stealer 2->55 57 3 other signatures 2->57 8 lrLet2OWot.exe 4 2->8         started        11 explore.exe 2 2->11         started        13 kysXiDzPmMZyVTqz.exe 1 2->13         started        15 kysXiDzPmMZyVTqz.exe 1 2->15         started        process3 signatures4 69 Writes to foreign memory regions 8->69 71 Tries to delay execution (extensive OutputDebugStringW loop) 8->71 73 Injects a PE file into a foreign processes 8->73 17 vbc.exe 3 2 8->17         started        22 cmd.exe 3 8->22         started        24 cmd.exe 1 8->24         started        75 Multi AV Scanner detection for dropped file 11->75 77 Machine Learning detection for dropped file 11->77 26 conhost.exe 13->26         started        28 conhost.exe 15->28         started        process5 dnsIp6 49 efinancet.shop 198.54.115.158, 49823, 587 NAMECHEAP-NETUS United States 17->49 43 C:\Users\user\...\kysXiDzPmMZyVTqz.exe, PE32 17->43 dropped 59 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 17->59 61 Writes to foreign memory regions 17->61 63 Allocates memory in foreign processes 17->63 67 2 other signatures 17->67 30 AppLaunch.exe 2 17->30         started        33 AppLaunch.exe 17->33         started        45 C:\Users\user\AppData\Roaming\...\explore.exe, PE32 22->45 dropped 47 C:\Users\user\...\explore.exe:Zone.Identifier, ASCII 22->47 dropped 35 conhost.exe 22->35         started        65 Uses schtasks.exe or at.exe to add and modify task schedules 24->65 37 conhost.exe 24->37         started        39 schtasks.exe 1 24->39         started        file7 signatures8 process9 signatures10 79 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 30->79 81 Tries to steal Mail credentials (via file access) 30->81 83 Tries to harvest and steal browser information (history, passwords, etc) 30->83 41 WerFault.exe 33->41         started        process11
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9295e25f8d2faace30d36a7497aa48df5bc44de15cee22fc6b1e4233e3c50c50/
Threat name:
Win32.Trojan.Mardom
Create hunting rule
Status:
Malicious
First seen:
2021-09-29 04:18:15 UTC
AV detection:
19 of 45 (42.22%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
218e44916d241d9951bc48824cf40cbd6f7798b7e54d6feb5ec5dfbaff222b30
a310Logger
3693a93f4ddbfa1eb9207e06cf87041b59b9b1ddfd866e6fbbbb52aaeae7ed83
a310Logger
37e1958166a5cb3b5d218fc5c1ce9cb7878e4d3b50499e6670d8d22563044502
a310Logger
3aa7ff3796ff778b0792bd69b9f8aa0cb09f133e415134f85c8dd174c8e8382f
a310Logger
7b3395c594789515c3f42e558478069d709ae415f988419364c82bc502bc3278
a310Logger
898b6e006ded4d6f550104717d9664b27bb88d97fe0b1973684ed3f94ac6e42e
a310Logger
8e122a7da836e05e954001c5f6e2209aa5e0835ea7af0e08e324e538a075f364
a310Logger
a98672cd9e7ea3c969d9cd5d2dd1f941e8a421fc3b8a8e8cebfa2f418550a2d2
a310Logger
d171f74f5d0cb8a469db9262869b3798ae0ed18098b4017207ff7f6e69fcd07a
a310Logger
e6678504db885f9146a19df19cf75d3db24776c247c3eabca6f6160f57f5d68e
a310Logger
+ 1'121 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://tria.ge/reports/210929-fkpevadgbk/
Behaviour
Creates scheduled task(s)
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Uses the VBS compiler for execution
Executes dropped EXE
Unpacked files
SH256 hash:
977423cd8bd2f11f7c2cf3ec67f25bf4e4389d4852a88bdb848d7538e21e6ddf
MD5 hash:
6c88521d65a8714dd0a9e6292c419a08
SHA1 hash:
6ace1b0ac76494e6e9833028eb3732bc56953a22
Link:
https://www.unpac.me/results/d12eed65-0ae6-4ee8-9fc5-789ac44f3f41/
SH256 hash:
9295e25f8d2faace30d36a7497aa48df5bc44de15cee22fc6b1e4233e3c50c50
MD5 hash:
985dbcc380026129bcd1807ba73c1072
SHA1 hash:
9c815e486f48d6a09e29d9d8575a6d1dd5dd9248
Link:
https://www.unpac.me/results/d12eed65-0ae6-4ee8-9fc5-789ac44f3f41/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/9295e25f8d2f/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.45
Link:
https://yomi.yoroi.company/submissions/9295e25f8d2faace30d36a7497aa48df5bc44de15cee22fc6b1e4233e3c50c50

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_SmartAssembly
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with SmartAssembly
Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

a310Logger

Executable exe 9295e25f8d2faace30d36a7497aa48df5bc44de15cee22fc6b1e4233e3c50c50

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1647490/
Cape
Cape
https://www.capesandbox.com/analysis/192773/

Comments


Avatar
zbet commented on 2021-09-29 04:55:09 UTC

url : hxxp://18.195.133.226/q7/t/ppt-0301208730611.exe