MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9ba020588bb1e8787177acbe57fd14f643519cf3b58532111015f7402d12bfdc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

a310Logger

Vendor detections: 14

Intelligence 14 IOCs YARA 16 File information Comments

SHA256 hash:	9ba020588bb1e8787177acbe57fd14f643519cf3b58532111015f7402d12bfdc
SHA3-384 hash:	603dcfc891e487e76afb0b9526a4f2e81b6145cd3d7a3770fa839c68daeb23b3287745dc29af251cf97e73f9291ca2b0
SHA1 hash:	4f3f7f5510599a0c02842fede2cc2b19ea6df73c
MD5 hash:	5383ccf578fed8fe968c47cc1a0b885d
humanhash:	utah-helium-jupiter-video
File name:	fatura65383,pdf.exe
Download:	download sample
Signature	a310Logger Create hunting rule
File size:	379'892 bytes
First seen:	2023-01-03 17:17:29 UTC
Last seen:	2023-01-03 18:30:01 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	61259b55b8912888e90f516ca08dc514 (1'059 x Formbook, 741 x AgentTesla, 427 x GuLoader)
ssdeep	6144:IYa6B0+uhQM/xCGODuDnhXAHyftP6Nzb+o143fA9EniGCdY/e/8:IYw+uhQM/xV0uDn9qyftP6Nziu1uiHYR
Threatray	619 similar samples on MalwareBazaar
TLSH	T15C840785EA804184DC3E6770243E8D25561BBEFAE8B8E54E2F8D763577F31E3143614A
TrID	47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 15.9% (.EXE) Win64 Executable (generic) (10523/12/4) 9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	d0c0ecccd4ccc4d4 (9 x AgentTesla, 8 x SnakeKeylogger, 3 x Formbook)
Reporter	Anonymous
Tags:	a310logger exe

Intelligence

File Origin

# of uploads :

# of downloads :

227

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

quasar

ID:

File name:

fatura65383,pdf.exe

Verdict:

Malicious activity

Analysis date:

2023-01-03 17:18:00 UTC

Tags:

evasion stealer quasar

Link:

https://app.any.run/tasks/6b6d9436-79cf-4af2-a446-a2438cbe64eb

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection(s):

SecuriteInfo.com.Trojan.GenericKD.64700435.4336.25032.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file in the %temp% directory

Creating a window

Creating a process from a recently created file

Creating a file in the %AppData% subdirectories

Сreating synchronization primitives

Launching a process

Using the Windows Management Instrumentation requests

Sending a custom TCP request

DNS request

Sending an HTTP GET request

Reading critical registry keys

Creating a file

Unauthorized injection to a recently created process

Unauthorized injection to a recently created process by context flags manipulation

Stealing user critical data

Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Unauthorized injection to a system process

Verdict:

No Threat

Threat level:

10/10

Confidence:

83%

Tags:

overlay packed shell32.dll

Link:

https://www.filescan.io/uploads/63b4634d0e926711fd76a7cd/reports/e92b6b28-4948-4842-8ad4-b827f6bc0abf/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

BluStealer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/5e3c8c1a-57c4-442d-be2d-12c5a206905d

Result

Threat name:

BluStealer, SpyEx, StormKitty

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1144698

Signature

Contains functionality to detect sleep reduction / modifications

Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

May check the online IP address of the machine

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Yara detected BluStealer

Yara detected Generic Dropper

Yara detected SpyEx stealer

Yara detected StormKitty Stealer

Yara detected Telegram RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/9ba020588bb1e8787177acbe57fd14f643519cf3b58532111015f7402d12bfdc/

Threat name:

Win32.Infostealer.BluStealer

Status:

Malicious

First seen:

2023-01-02 14:10:49 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

18 of 25 (72.00%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=toqcawelwhuhq4lxvs7fp7iu6zbvdhhtwwcteeiqcx3ualisx7oa._file

Verdict:

malicious

a310Logger

25292209f834f29e0739968eb50e8d021068b7558e64e2f3604657e7139605fc

a310Logger

946fa8826403d58c6694d18b89af7bf80c078f792f9aae820ac9ced395450f63

a310Logger

9e9f338d922f809d4ecac31b1b2c1bc38de325e848782308997d76eef549951f

a310Logger

c6deef7825e9fc588ee77c25398896ac695e0c02c44276fc4382218807b01e17

a310Logger

df8573405d1b9e0d3bbd88adf1f5db88f8ced9d603b78b41881bd50de1d26cc5

a310Logger

e3f0cf7effaf970e55ce7b44afa66607f8126403523b609849339d551011480f

a310Logger

fd10d0c124ace345aaace7bab115d0cd3771c61919912e141924991146fc6b37

a310Logger

+ 609 additional samples on MalwareBazaar

Result

Malware family:

stormkitty

Score:

10/10

Tags:

family:blustealer family:stormkitty collection persistence stealer

Link:

https://tria.ge/reports/230103-vvaf1acb56/

Behaviour

Checks processor information in registry

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Enumerates physical storage devices

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Adds Run key to start application

Looks up external IP address via web service

Loads dropped DLL

Executes dropped EXE

BluStealer

StormKitty

StormKitty payload

Malware Config

C2 Extraction:

https://api.telegram.org/bot5732817033:AAFBYIIZmJ7NuvVwD7WRcbV9qwcOqT7RpwM/sendMessage?chat_id=1638137774

Unpacked files

SH256 hash:

16a775ae7240434e0563eeb9220c0fb4d2352251d4483d08d9d9678f2b743f1c

MD5 hash:

cb51286b55d81634de24cdf0fa2bd358

SHA1 hash:

af50caf6cc4ba374d63911031491fc846ce443db

Link:

https://www.unpac.me/results/1722e48c-51bc-482b-a022-8a76465ca841/

SH256 hash:

92063179f04b406b5ab6e5aecf1a73c696fae73cc8d17fa7d51492de5c2e5471

MD5 hash:

94ba7cf9599c05d6d1a7c07be255f4ee

SHA1 hash:

501080c72e6e0931f56348618fcbc51918e7d5af

Link:

https://www.unpac.me/results/1722e48c-51bc-482b-a022-8a76465ca841/

SH256 hash:

c09affd5fddb9ca441374ffb348376e6f25b9fc4ffa7e4da29fbbdca4c32c043

MD5 hash:

f77ab6497bbf34bc635dc4f790c02ead

SHA1 hash:

416e499335a6dda176d50f532a4c7f067d1d178f

Detections:

win_agent_tesla_g2

win_masslogger_w0

Link:

https://www.unpac.me/results/1722e48c-51bc-482b-a022-8a76465ca841/

Parent samples :

a4d4f86889b389430e83bf9d7829e1c9488ac55bd4f9d226e1cc739fe43e54ec
2b661a8e53810cefbc9c2bb09e3aeea5607e6195160f3902bbf2ea7581ec82b5
836cd10659a3fca29d754c77b76c305f6a829e3f44efd9672b82c217628c49eb
66c646381997538bca27a7468229257a02527852ac897ca04d6ea52c3cad82ac
8a1902d9c0dbe388b28ef5a9c8ec4c0f1802fc6ccd43471ea337dcb3d71c81d4
308f40c19bcd4f58f5dc1e83713d91a80a2ac8f78b5e03501db556f94c946149
284ce975050009d5c7bce4ad0c02f03a4cf70bad620e10822a4f4ad65e567127
29dbbf1bffa1c271158334e05721f8a7fb76513d5ba0d8c5a5abe267cccdbe4b
e68526e8ebc0cb1342ed01317aa6966d83bea1b71b1285b55b653a512200304c
d178525a986175d484866facf95baa1573a63a1060e5a06346ee4da4932df656
d5adba5715cd10a3c9dcf11d7ab1e30834050eef7513bda558bfe39a53a364ac
6731f235ff78e22e5a0f1503542926bb707a95251b8cbd22c56fbd7fc5a8cbbf
b5141a3c6323449bc7fc031d6eb2073fcbe97754c46eef0d0d8f937b9c2fb5cb
2d127dea1f6345c2027dbf93c109f7d7758f5bb396c9d47caa593a5039c05778
2bf197104a6418c886f206755e3f599ae9b1f90cf9771be981c30f427ecb228c
3704c9065de2c596066dbca893c63b1d12b9264d62cffd92ffc49aaf919b49a5
98d37790e570afd49b7a00192019f6c9e7c84e96069da4daa1b64a6cc88695a8
4a4d5455c9e941082c8c08a96102afc9d33abc40985bfcc00b6bee8c098066fd
0aa8c16926f65f1882953c640bcd56c9ca2ed25b1d35461d07d79d47cbdc60af
04ed81e966c2ed610dea41efe3251e15ad3a9a899ae27a81c02e9950e4367306
3e1cab8195206e7bf50b34dde56656e54ab25af5fe4136f1f76fc60f7664fd79
2c38354b88fee401ab4d9ca00979e23b39237bd81f19f7c668161da5cdda6be5
3cc67ef9b1c9978bc823e77db86d092e9f1df3062c4d98fc668920b7d7534122
db8326300154e132bca39bb24e89949dbe41c9af90d9f10242dce3f9423ab094
8ae01f38de83a0fa5f9c1dfe88fbcc594b779a8e4457bbe7ec046d541696a11a
430a9487d85e5998d134ca3a890e0c6ff86101264d1fc4ae869953fac0755c3e
da67541015af6ddee5bad1432ecc3efbf85cde69c494fd1635edbae606c4a628
dda40af7e530bf5744b1ae2219bcf10b8457f18c6a8ef39e9423badaf30beec4
25c4ee0823873ad0e9fed128dcfb45ebb821fe7a17c396026b8d8be1c2400557
077c6dc697fe099f49f24e345aa6dff6ede9be899e28906f856111b5ce364b14
1488d2bb17e28439602d2b7e015761b040a36cc2951f01ec2afd6a9cb4e788e7
2165ab6a605c5ba4e532f63ceed296bafd826ba122cbc8f6422b01d737e1a126
3bb532a1c042b56a70ab6bdfc4d7ac5daf8637a34455b84f2b1e910534a8e026
fd10d0c124ace345aaace7bab115d0cd3771c61919912e141924991146fc6b37
16f2160476b2c78ec35b8fd9a4430b865cf3597c0da23795181196ea682f3df0
9ba020588bb1e8787177acbe57fd14f643519cf3b58532111015f7402d12bfdc
0cd6df14b5d34f847a65f9f9ba0137472f684ff494084283f21bbd1e27bce4f2
1ad0802a8ec7e2b02a912133947517e4b4b610426c5e278736e9de706956a97c
81d63eb754d5bf8897acfeb9762031fbe00d197c45aed84f2fe069dcd78109a1
98c1d9168df53dd9c2da28bfafb7af7a417719ab2fed404a3bacc7aeea3d5872
5d81fbfb555468e8dbcaf4eb11db5eb50a0bef70df7e8322a84fac5d6cb88977
1957dd6825a26dea37818afdad0143a9b12c2c2ec68ed0058d89b15d55c762f1

SH256 hash:

9ba020588bb1e8787177acbe57fd14f643519cf3b58532111015f7402d12bfdc

MD5 hash:

5383ccf578fed8fe968c47cc1a0b885d

SHA1 hash:

4f3f7f5510599a0c02842fede2cc2b19ea6df73c

Link:

https://www.unpac.me/results/1722e48c-51bc-482b-a022-8a76465ca841/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/9ba020588bb1/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

iSpy Keylogger

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/9ba020588bb1e8787177acbe57fd14f643519cf3b58532111015f7402d12bfdc

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	AsyncRat_Detection_Dec_2022 Create hunting rule
Author:	Potatech
Description:	AsyncRat

Rule name:	INDICATOR_SUSPICIOUS_Binary_References_Browsers Create hunting rule
Author:	ditekSHen
Description:	Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Rule name:	INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store Create hunting rule
Author:	ditekSHen
Description:	Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers

Rule name:	INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients Create hunting rule
Author:	ditekSHen
Description:	Detects executables referencing many email and collaboration clients. Observed in information stealers

Rule name:	INDICATOR_SUSPICIOUS_EXE_TelegramChatBot Create hunting rule
Author:	ditekSHen
Description:	Detects executables using Telegram Chat Bot

Rule name:	malware_Agenttesla_type2 Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Agenttesla in memory
Reference:	internal research

Rule name:	MALWARE_Win_A310Logger Create hunting rule
Author:	ditekSHen
Description:	Detects A310Logger

Rule name:	MALWARE_Win_StormKitty Create hunting rule
Author:	ditekSHen
Description:	Detects StormKitty infostealer

Rule name:	masslogger_gcch Create hunting rule
Author:	govcert_ch

Rule name:	pdb_YARAify Create hunting rule
Author:	@wowabiy314
Description:	PDB

Rule name:	pe_imphash Create hunting rule

Rule name:	Quasar_RAT_1 Create hunting rule
Author:	Florian Roth
Description:	Detects Quasar RAT
Reference:	https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf

Rule name:	Quasar_RAT_1_RID2B54 Create hunting rule
Author:	Florian Roth
Description:	Detects Quasar RAT
Reference:	https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	SUSP_DOTNET_PE_List_AV Create hunting rule
Author:	SECUINFRA Falcon Team
Description:	Detecs .NET Binary that lists installed AVs

Rule name:	win_masslogger_w0 Create hunting rule
Author:	govcert_ch

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

a310Logger

exe 9ba020588bb1e8787177acbe57fd14f643519cf3b58532111015f7402d12bfdc

(this sample)

Dropped by

a310Logger

Delivery method

Distributed via e-mail attachment

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample