MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b0b430c82cc574323d38d65365540472f3f0e6133dcb36e20ee9fcf5483769fa. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


a310Logger


Vendor detections: 12


Intelligence 12 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b0b430c82cc574323d38d65365540472f3f0e6133dcb36e20ee9fcf5483769fa
SHA3-384 hash: f10d7619c249129319b9fd6e20c07f2baf769f3f8e0b8b4fb0eaf90f5bd3667b38c1151bd540370b2173aabb064be712
SHA1 hash: 67ca4066cd527edc67c4d690d49c1a5eacd8119d
MD5 hash: 6d4c80ae0bcc986dbd7439993ae10e54
humanhash: georgia-sink-steak-alanine
File name:quote request.exe
Download: download sample
Signature a310Logger
Create hunting rule
File size:774'144 bytes
First seen:2022-12-10 04:18:55 UTC
Last seen:2022-12-10 05:30:59 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'650 x AgentTesla, 19'462 x Formbook, 12'203 x SnakeKeylogger)
ssdeep 12288:0Hklt3dwkiuzina39XGzuBPBWFmH4G+oipT3yzf0VO3yfg98tUNGmOev:LZqCinc9XiulBWQH4Roipa0VO32QyadJ
Threatray 3'271 similar samples on MalwareBazaar
TLSH T130F4227D2368864FDEC947FA7894008203F0DE657583E3EF8D4EB4A68D393A9DE46161
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter Anonymous
Tags:a310logger exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
178
Origin country :
n/a
Vendor Threat Intelligence
Detection:
A310Logger
Create hunting rule
Link:
https://www.capesandbox.com/analysis/344859/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.63982147.15034.12556.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Creating a file
Сreating synchronization primitives
Launching a process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/639408b8f6e448d42df7e8ad/reports/6a681826-41a8-47bb-9720-0e11f67448c2/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/595d278a-cfd5-4d83-9c6e-47bcad816d24
Result
Threat name:
BluStealer, ThunderFox Stealer, a310Logg
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1131793
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses the Telegram API (likely for C&C communication)
Writes to foreign memory regions
Yara detected a310Logger
Yara detected AntiVM3
Yara detected BluStealer
Yara detected Telegram RAT
Yara detected ThunderFox Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b0b430c82cc574323d38d65365540472f3f0e6133dcb36e20ee9fcf5483769fa/
Threat name:
ByteCode-MSIL.Trojan.Leonem
Create hunting rule
Status:
Malicious
First seen:
2022-12-01 04:08:26 UTC
File Type:
PE (.Net Exe)
Extracted files:
12
AV detection:
28 of 39 (71.79%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=wc2dbsbmyv2depjy2zjwkvaeolz7bzqthxftnyqo5h6pksbxnh5a._file
Verdict:
malicious
Similar samples:
1a4d18bc01f4c5857b32c7ae2ffe7ec90ff5d4e4bf312f8048bb85706f5fbff5
a310Logger
3402c28f8bb37b47cf2868b16ca9fd851f7004458a93c17802c04cf2064909eb
a310Logger
6c912191a6853ca9717c37053a4ab7014d6980e48d846a8c777e7ee056cf4a56
a310Logger
6d4991fcf138200aacef788de1bdef481b0bef6200652e64348285614c2d7f20
a310Logger
7d2679d585d5fd6b476830fea23e3d0ddc831476e40464cee74743a2c853b81e
a310Logger
8c575aa5e93a77f506411780e84f57617a784605557c36053bc3535306509f03
a310Logger
a99ad6c50cd5ec1409151d618216ea2616d10d8e3959f8f3067b257b172efa4b
a310Logger
aaf048e30d5f843407f59bff320b992295396dc39dfb7bc6ca1c71f80897fecd
a310Logger
+ 3'261 additional samples on MalwareBazaar
Result
Malware family:
blustealer
Create hunting rule
Score:
  10/10
Tags:
family:blustealer collection stealer
Link:
https://tria.ge/reports/221210-exhx6aeh63/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
BluStealer
Malware Config
C2 Extraction:
https://api.telegram.org/bot5450700540:AAEJyEEV8BKgYUKmnCPZxp19kD9GVSRup5M/sendMessage?chat_id=5422342474
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/69bfc550-9478-4408-ab16-42367b0269fa
Unpacked files
SH256 hash:
fc9bb9746aaa4e07944b2c1338d26ac852531a6e6c97e98f6a56202d27ff607c
MD5 hash:
d2ec533f8b40a8224d79c87c2291f943
SHA1 hash:
f305fa4c5c8525e853fbdbcf5c8cedad9ba08fd2
Link:
https://www.unpac.me/results/a4a4a0da-e8e0-4273-93ba-d8d8f251edd2/
SH256 hash:
b36599dcd99513a7bba27188484383ae45abeb582f82a07dda33c1b7c1f37247
MD5 hash:
6aae3634222b3756cac93189342a54ab
SHA1 hash:
04d19c67981a158ff5950d421519ed279fa7dc00
Link:
https://www.unpac.me/results/a4a4a0da-e8e0-4273-93ba-d8d8f251edd2/
SH256 hash:
a28d2e63b09f39bbb8c10b5f3d5822bb4766f41051c9a3994eb34390b9e8622a
MD5 hash:
01b2943dbcbdf1e1acd323cca6a5498a
SHA1 hash:
ead525d7bdb4c8c315e4c5d3b0f2580e0648aa96
Link:
https://www.unpac.me/results/a4a4a0da-e8e0-4273-93ba-d8d8f251edd2/
SH256 hash:
19d9cb88277d44a9c46eb9f93df49c272f117da901d0335f4a7f2a21925c008d
MD5 hash:
bffbc4d73b68ad15fd074ba8789f5394
SHA1 hash:
941036bd8ccc7e1ae599e54dbfd6ba8426ce344c
Link:
https://www.unpac.me/results/a4a4a0da-e8e0-4273-93ba-d8d8f251edd2/
SH256 hash:
75ede8ba0159ad518d354050dc6cb8ff4d2305a8bebc75f4b7a416c8258117ad
MD5 hash:
0fdf1ac784682099b87118c84e809eac
SHA1 hash:
3d5d13c29f54ba484832f488ba270a0fb7b24218
Link:
https://www.unpac.me/results/a4a4a0da-e8e0-4273-93ba-d8d8f251edd2/
SH256 hash:
f00ef435c539120affba00ee786191ec8ce669a23b616de7ccc21ccd3bc6e992
MD5 hash:
557af22ee13a6957c803946047b5bab0
SHA1 hash:
2b524058109e019280c971710cd3e3fa20814d01
Link:
https://www.unpac.me/results/a4a4a0da-e8e0-4273-93ba-d8d8f251edd2/
SH256 hash:
b0b430c82cc574323d38d65365540472f3f0e6133dcb36e20ee9fcf5483769fa
MD5 hash:
6d4c80ae0bcc986dbd7439993ae10e54
SHA1 hash:
67ca4066cd527edc67c4d690d49c1a5eacd8119d
Link:
https://www.unpac.me/results/a4a4a0da-e8e0-4273-93ba-d8d8f251edd2/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b0b430c82cc574323d38d65365540472f3f0e6133dcb36e20ee9fcf5483769fa

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

a310Logger

Executable exe b0b430c82cc574323d38d65365540472f3f0e6133dcb36e20ee9fcf5483769fa

(this sample)

  
Dropped by
a310Logger
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/344859/

Comments