MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 950e4f12425e3800eedbebb9421181a4e60fdfd697e5d2e513306b205dc0557e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

a310Logger

Vendor detections: 19

Intelligence 19 IOCs YARA 13 File information Comments

SHA256 hash:	950e4f12425e3800eedbebb9421181a4e60fdfd697e5d2e513306b205dc0557e
SHA3-384 hash:	159e8a94a223f57b6eaf925dfbba1cf09dc12388359850d23e2d363fe4e947c2d2c7decd6368ccde9fd23da420e53fb5
SHA1 hash:	8d8bd670413a24989ad6422a40d389dccbd0833b
MD5 hash:	c6870823edafbb7b45b6287ed813b144
humanhash:	twelve-bakerloo-orange-thirteen
File name:	shipping documents_ETD 101025.exe
Download:	download sample
Signature	a310Logger Create hunting rule
File size:	344'064 bytes
First seen:	2025-10-07 15:17:05 UTC
Last seen:	2025-10-09 14:52:04 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	e886ba3b29defe534e26f1414aac478e (1 x a310Logger)
ssdeep	6144:JrzqujtG1BV/IDeOmRutX8dAkqJRIGLZkcpiKyKlzcgfrsC44CHNI2eszHnzF4yo:JrfM1B+hWqfTkbKyYrsCOHGRAzcjQ
Threatray	148 similar samples on MalwareBazaar
TLSH	T18874D627EA60612EF067C5F1E5D565676C257C362288AC17B3C29F9930325E7A8F032F
TrID	74.4% (.EXE) Win32 Executable Microsoft Visual Basic 6 (82067/2/8) 9.5% (.EXE) Win64 Executable (generic) (10522/11/4) 4.5% (.EXE) Win16 NE executable (generic) (5038/12/1) 4.0% (.EXE) Win32 Executable (generic) (4504/4/1) 1.8% (.ICL) Windows Icons Library (generic) (2059/9)
Magika	pebin
Reporter	James_inthe_box
Tags:	a310logger cynthiarodri995 exe

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

shipping documents_ETD 101025.exe

Verdict:

Malicious activity

Analysis date:

2025-10-07 15:19:21 UTC

Tags:

telegram ims-api generic darkcloud

Link:

https://app.any.run/tasks/62afd727-7264-46b5-a748-e9ad031859e8

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

A310Logger

Link:

https://www.capesandbox.com/analysis/30984/

Detection(s):

PUA.Win.Packer.ProtectSharewar-2

PUA.Win.Packer.ProtectSharewar-3

Verdict:

Malicious

Score:

98.2%

Link:

https://cyber-fortress.com/docs/result/index.php?id=68e52f21277c2bd8bc5d779a

Tags:

infosteal dropper sharew virus

Result

Verdict:

Malware

Maliciousness:

Behaviour

Сreating synchronization primitives

Creating a window

Creating a file in the %AppData% subdirectories

Reading critical registry keys

Stealing user critical data

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

anti-vm evasive fingerprint hacktool masquerade stealer telegram visual_basic

Link:

https://www.filescan.io/uploads/68e52f1ff377ab2310538d15/reports/278bcc59-1c43-44ad-9aed-835e99b68691/overview

Verdict:

Malicious

Labled as:

Dacic.CDD4E759.A.Generic

Link:

https://www.hybrid-analysis.com/sample/950e4f12425e3800eedbebb9421181a4e60fdfd697e5d2e513306b205dc0557e

Verdict:

Malicious

File Type:

exe x32

First seen:

2025-10-07T11:31:00Z UTC

Last seen:

2025-10-09T13:14:00Z UTC

Hits:

~10000

Link:

https://opentip.kaspersky.com/950e4f12425e3800eedbebb9421181a4e60fdfd697e5d2e513306b205dc0557e/results?tab=lookup

Malware family:

DarkCloud

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/232c756d-c4e1-4f4b-880f-d4b2b3e97b9b

Score:

96%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/950e4f12425e3800eedbebb9421181a4e60fdfd697e5d2e513306b205dc0557e

Verdict:

inconclusive

YARA:

6 match(es)

Tags:

Executable PE (Portable Executable) PE File Layout Visual Basic Visual Basic 6 Win 32 Exe x86

Link:

https://app.malva.re/file/c6870823edafbb7b45b6287ed813b144

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/950e4f12425e3800eedbebb9421181a4e60fdfd697e5d2e513306b205dc0557e/

Verdict:

Malicious

Threat:

Family.DARKCLOUD

Link:

https://tip.neiki.dev/file/950e4f12425e3800eedbebb9421181a4e60fdfd697e5d2e513306b205dc0557e

Threat name:

Win32.Trojan.DarkCloud

Status:

Malicious

First seen:

2025-10-07 15:13:37 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

30 of 36 (83.33%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=suhe6escly4ab3w35o4ueembutta7x6ws7s5fzitgbvsaxoakv7a._file

Verdict:

malicious

Label(s):

darkcloudstealer

a310Logger

950e4f12425e3800eedbebb9421181a4e60fdfd697e5d2e513306b205dc0557e

a310Logger

9f6746b8ac8ad681459af2dc9f3c3d81b835883ead197d162788b49615d861ed

a310Logger

a99d2210c8b7a4b9c3a57c0100741b183de45eab668bb6df1d20e28f4335f68d

a310Logger

ae0f097042a238c4047013e08ca82bff3ba379a3112848e00b6cd83dcea527a5

a310Logger

e1486fab1fe181f0a28964d147a3948cfa61d02a96b7d98749d7e354cba2be59

a310Logger

e2e23dc56f78f565b8066f8b98009f97955718ef3423dcb8dd7fa1fa5ea92e34

a310Logger

e72c5db2a50c37f1c448d3512e61b1eab148d821eee5ac3fd4b7c26901e58335

a310Logger

error

a310Logger

+ 138 additional samples on MalwareBazaar

Result

Malware family:

darkcloud

Score:

10/10

Tags:

family:darkcloud discovery spyware stealer

Link:

https://tria.ge/reports/251007-spegnaen31/

Behaviour

Suspicious use of SetWindowsHookEx

System Location Discovery: System Language Discovery

System Network Configuration Discovery: Internet Connection Discovery

Reads WinSCP keys stored on the system

Reads user/profile data of web browsers

Verdict:

Malicious

Tags:

stealer darkcloud_stealer trojan

YARA:

Windows_Trojan_DarkCloud_9905abce MALWARE_Win_DarkCloud MAL_EXE_DarkCloud_Stealer_Nov_12 MALWARE_Win_A310Logger

Link:

https://app.threat.zone/submission/f213f317-bc8c-466c-8bfb-6057b15edb3f

Unpacked files

SH256 hash:

950e4f12425e3800eedbebb9421181a4e60fdfd697e5d2e513306b205dc0557e

MD5 hash:

c6870823edafbb7b45b6287ed813b144

SHA1 hash:

8d8bd670413a24989ad6422a40d389dccbd0833b

Detections:

darkcloudstealer

Link:

https://www.unpac.me/results/1572df58-5c42-44c1-8e80-1672e0b9a2ca/

Malware family:

DarkCloud

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/950e4f12425e/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/950e4f12425e3800eedbebb9421181a4e60fdfd697e5d2e513306b205dc0557e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	DetectEncryptedVariants Create hunting rule
Author:	Zinyth
Description:	Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded

Rule name:	FreddyBearDropper Create hunting rule
Author:	Dwarozh Hoshiar
Description:	Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.

Rule name:	INDICATOR_SUSPICIOUS_Binary_References_Browsers Create hunting rule
Author:	ditekSHen
Description:	Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Rule name:	INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore Create hunting rule
Author:	ditekSHen
Description:	Detects executables containing SQL queries to confidential data stores. Observed in infostealers

Rule name:	INDICATOR_SUSPICIOUS_EXE_TelegramChatBot Create hunting rule
Author:	ditekSHen
Description:	Detects executables using Telegram Chat Bot

Rule name:	MALWARE_Win_A310Logger Create hunting rule
Author:	ditekSHen
Description:	Detects A310Logger

Rule name:	MALWARE_Win_DarkCloud Create hunting rule
Author:	ditekSHen
Description:	Detects DarkCloud infostealer

Rule name:	ProtectSharewareV11eCompservCMS Create hunting rule
Author:	malware-lu

Rule name:	RIPEMD160_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for RIPEMD-160 constants

Rule name:	SEH__vba Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	SHA1_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for SHA1 constants

Rule name:	telegram_bot_api Create hunting rule
Author:	rectifyq
Description:	Detects file containing Telegram Bot API

Rule name:	Windows_Trojan_DarkCloud_9905abce Create hunting rule
Author:	Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/30984/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample