MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9f42a87633b7a40b8ce90e2d156d2c98fa9ebf7946e3af454fddc82aaf259c91. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


a310Logger


Vendor detections: 10


Intelligence 10 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9f42a87633b7a40b8ce90e2d156d2c98fa9ebf7946e3af454fddc82aaf259c91
SHA3-384 hash: e8f37a65a91c58ea13ecb5f3843d97b6c4900b5aa54c1e34ca4776538cab6d1a871de3b2ed03b4cee488aee956bd2f26
SHA1 hash: d9c1cbbd8d3b49c0af18b754e3a217689cf828fb
MD5 hash: 5b99e078a95f02617911e2403177a8dd
humanhash: cola-mike-victor-winter
File name:NEW ORDER.exe
Download: download sample
Signature a310Logger
Create hunting rule
File size:986'624 bytes
First seen:2021-10-13 10:11:48 UTC
Last seen:2021-10-13 11:26:48 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'659 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:yAeoSjd75My5rWpiBvy29xzqk5rm97D5BWKjQJj+UXxeLNdU:yhddBqwxJdm97D5rjQJj+cxydU
TLSH T1D4250915F3929C11E567167364E051E391092CC7E858833DEBB7BAA318EA3805F9CBDE
Reporter lowmal3
Tags:a310logger exe

Intelligence

File Origin
# of uploads :
3
# of downloads :
206
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
NEW ORDER.exe
Verdict:
Malicious activity
Analysis date:
2021-10-13 10:52:23 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/8d7fd1b6-c651-4f89-b509-1d249216d641

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
A310Logger
Create hunting rule
Link:
https://www.capesandbox.com/analysis/197180/
Detection(s):
SecuriteInfo.com.Trojan.Siggen15.22480.9442.9125.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %AppData% directory
Creating a file in the %temp% directory
Launching a process
Creating a process with a hidden window
Deleting a recently created file
Unauthorized injection to a recently created process
Using the Windows Management Instrumentation requests
Launching the default Windows debugger (dwwin.exe)
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/6166b0f8fd35fe780c3cf06a/reports/930df4f7-2a49-499a-9955-73a3a0c2ad74/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/53ffc20f-522c-4209-8381-2b43fbb64cc2
Result
Threat name:
SpyEx a310Logger
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/869496
Signature
.NET source code contains potential unpacker
Allocates memory in foreign processes
Detected unpacking (creates a PE file in dynamic memory)
Found many strings related to Crypto-Wallets (likely being stolen)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected a310Logger
Yara detected SpyEx stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 501924 Sample: NEW ORDER.exe Startdate: 13/10/2021 Architecture: WINDOWS Score: 100 36 Malicious sample detected (through community Yara rule) 2->36 38 Multi AV Scanner detection for submitted file 2->38 40 Detected unpacking (creates a PE file in dynamic memory) 2->40 42 7 other signatures 2->42 8 NEW ORDER.exe 6 2->8         started        process3 file4 28 C:\Users\user\AppData\Local\...\tmp6E5D.tmp, XML 8->28 dropped 30 C:\Users\user\AppData\...30EW ORDER.exe.log, ASCII 8->30 dropped 32 C:\Users\user\AppData\...nxgYjqgBbJac.exe, PE32 8->32 dropped 11 NEW ORDER.exe 3 1 8->11         started        15 schtasks.exe 1 8->15         started        17 NEW ORDER.exe 8->17         started        process5 dnsIp6 34 mkcastings.com 137.59.109.172, 49747, 587 EXABYTES-AS-APExaBytesNetworkSdnBhdMY Malaysia 11->34 50 Writes to foreign memory regions 11->50 52 Allocates memory in foreign processes 11->52 54 Tries to steal Crypto Currency Wallets 11->54 56 Injects a PE file into a foreign processes 11->56 19 AppLaunch.exe 2 11->19         started        22 AppLaunch.exe 11->22         started        24 conhost.exe 15->24         started        signatures7 process8 signatures9 44 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 19->44 46 Tries to steal Mail credentials (via file access) 19->46 48 Tries to harvest and steal browser information (history, passwords, etc) 19->48 26 WerFault.exe 22->26         started        process10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9f42a87633b7a40b8ce90e2d156d2c98fa9ebf7946e3af454fddc82aaf259c91/
Threat name:
ByteCode-MSIL.Trojan.Taskun
Create hunting rule
Status:
Malicious
First seen:
2021-10-13 10:12:12 UTC
AV detection:
13 of 42 (30.95%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=t5bkq5rtw6saxdhjbywrk3jmtd5j5p3zi3r26rkp3xecvlzftsiq._file
Verdict:
malicious
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://tria.ge/reports/211013-l8jgdseaa7/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Unpacked files
SH256 hash:
3044be371587d23273c95914fa89f05193827a8b8f88cb5cb2e82f566f0c1b94
MD5 hash:
1b7c8739151a799da86cd20ef4ef85ab
SHA1 hash:
f4711acce75bedee86d7f189262829b16f61101c
Link:
https://www.unpac.me/results/c874d873-b944-4c9c-9550-c1f15b0ad0e5/
SH256 hash:
43e38f251dbca9aa20f3470167e5427a7e7a7cdcd25f0b6b045ae8577cd3e345
MD5 hash:
f62ab5d3528d5a3b9e270ea1f9347868
SHA1 hash:
6a74e87711c615adbd9145f829a33f55b7e42dd6
Link:
https://www.unpac.me/results/c874d873-b944-4c9c-9550-c1f15b0ad0e5/
SH256 hash:
c7601f5b58c44ca4d41a18a040b901e13b76f6f46519988e1a4e4b9dca9792d4
MD5 hash:
2850bbb12ecda37f77504ec5d245c0be
SHA1 hash:
515639b7a25317807e801c5afb7489bc43776684
Link:
https://www.unpac.me/results/c874d873-b944-4c9c-9550-c1f15b0ad0e5/
SH256 hash:
9f42a87633b7a40b8ce90e2d156d2c98fa9ebf7946e3af454fddc82aaf259c91
MD5 hash:
5b99e078a95f02617911e2403177a8dd
SHA1 hash:
d9c1cbbd8d3b49c0af18b754e3a217689cf828fb
Link:
https://www.unpac.me/results/c874d873-b944-4c9c-9550-c1f15b0ad0e5/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/9f42a87633b7/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/9f42a87633b7a40b8ce90e2d156d2c98fa9ebf7946e3af454fddc82aaf259c91

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

a310Logger

Executable exe 9f42a87633b7a40b8ce90e2d156d2c98fa9ebf7946e3af454fddc82aaf259c91

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/197180/

Comments