MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b11cb95a4f8665db55cc8a9f54cc0107d37c224adca1f3dfe9bcc50074a23cb2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


a310Logger


Vendor detections: 9


Intelligence 9 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b11cb95a4f8665db55cc8a9f54cc0107d37c224adca1f3dfe9bcc50074a23cb2
SHA3-384 hash: c1fc08dd9ce81b4c6d56023c05af581f632e1015c912eb8f33fa1a9e03119fde3d1882fd0a3dcf1e77182c56cd54a9df
SHA1 hash: c01c60f47bfabda0c99f6d434e6bf772e54fa9a8
MD5 hash: 9aceea76f4ccb33286e37aa91e15cb44
humanhash: echo-batman-music-six
File name:hesaphareketi-01.pdf.exe
Download: download sample
Signature a310Logger
Create hunting rule
File size:980'480 bytes
First seen:2021-08-23 11:10:51 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'753 x AgentTesla, 19'659 x Formbook, 12'249 x SnakeKeylogger)
ssdeep 24576:ebb58UKrHWcxaW7lSR7BJkmjw2tjy1JiVJHPi:25+rWKaW5Stkmj381g
Threatray 5'149 similar samples on MalwareBazaar
TLSH T11C25D0B071A78A56F11F4A702538BD5403B271F3B9D69A391B56214ACFEDE983F4820F
Reporter lowmal3
Tags:a310logger exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
129
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
hesaphareketi-01.pdf.exe
Verdict:
Malicious activity
Analysis date:
2021-08-23 11:11:28 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/fb9adc50-e346-4a0b-a621-6d0d6079bf91

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/181466/
Detection(s):
SecuriteInfo.com.PUA.EmbeddedEXE-1.UNOFFICIAL
Create hunting rule

Win.Packed.Pwsx-9888025-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Creating a file
Using the Windows Management Instrumentation requests
Creating a file in the %AppData% subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
Reading critical registry keys
Deleting a recently created file
Launching a process
Unauthorized injection to a recently created process
Stealing user critical data
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/e52ddeea-14b4-42e0-a394-3d588bd99df5
Result
Threat name:
a310Logger
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/837460
Signature
Found many strings related to Crypto-Wallets (likely being stolen)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Sigma detected: Suspicious Double Extension
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file access)
Uses an obfuscated file name to hide its real file extension (double extension)
Yara detected a310Logger
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b11cb95a4f8665db55cc8a9f54cc0107d37c224adca1f3dfe9bcc50074a23cb2/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-08-16 18:05:34 UTC
AV detection:
23 of 28 (82.14%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=weolswspqzs5wvomrkpvjtaba7jxyisk3sq7hx7jxtcqa5fchsza._file
Verdict:
unknown
Similar samples:
18adaff885efa34c76b1159562a33d2cb869faffebcb7af0dd56c099d98a3710
a310Logger
4f6d66cea6a8dcd4a29089e58d5adc3858445d4bba816fb2aa6ebc9cecfea68b
a310Logger
5269e07c6514d9e79439746e25f0e44d6ddcec1bc5699cc75eab982a04ba8767
a310Logger
64550a0d3d1c28b1ec50006327a707b7287997aa7ca146153440935a033ccb97
a310Logger
6f0a6315305a918cfaa7ec77275bd65a0acddbbac8b631ffe4dfb846a057a607
a310Logger
8b7c8b471a0f5e45026d07fabae3eb68f7251d066830cd68e7cf5a7fd342e13b
a310Logger
8f28eb3a5a98a63955599167bc56f778544421f9e96fbb5502caa37e954db0fc
a310Logger
a53a4c82477eada893191662cf4ab4b3f44d1da7cae9ea8a7de3f859a424292b
a310Logger
b0ceb69b666e841d84421dac62ca763d5fcc4621511527a3bbf83a72fdf5520e
a310Logger
f9dc8d66ab3eb2ecf3a55276d8389ca7b688d78cdad725fd762714e311efd02f
a310Logger
+ 5'139 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://tria.ge/reports/210823-ncwsrn15w6/
Behaviour
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Unpacked files
SH256 hash:
7e4ca6d2ac2792570a9c7a7bc8e8ed0473c2222992d2d219cc7966c2379a8c1a
MD5 hash:
4eeb54206d4ac76fed815d42f72bec1a
SHA1 hash:
b4cc3df62effb1368bc83c41e77c9f0b7480adea
Link:
https://www.unpac.me/results/33fa81a8-5e54-4bc0-b1cb-23b33e1ac5a9/
SH256 hash:
6912e4bedd1288f116e968f0a79d9797f6d6bd24d45a5f10c52e20f9d33b8c61
MD5 hash:
03bde4a82ad64c0f314985232fbca3fa
SHA1 hash:
e8d0b6339e94192eaaca32c812f914e60576dca6
Link:
https://www.unpac.me/results/33fa81a8-5e54-4bc0-b1cb-23b33e1ac5a9/
SH256 hash:
dfa145f53ebc52db6544297d288eaad80897fafa981238d573e2f9c0dabbefd6
MD5 hash:
a14c9b4541de97989176fa4f0b6d985b
SHA1 hash:
b77c357904f53b76aefb792726b6043c1b2be266
Link:
https://www.unpac.me/results/33fa81a8-5e54-4bc0-b1cb-23b33e1ac5a9/
SH256 hash:
b11cb95a4f8665db55cc8a9f54cc0107d37c224adca1f3dfe9bcc50074a23cb2
MD5 hash:
9aceea76f4ccb33286e37aa91e15cb44
SHA1 hash:
c01c60f47bfabda0c99f6d434e6bf772e54fa9a8
Link:
https://www.unpac.me/results/33fa81a8-5e54-4bc0-b1cb-23b33e1ac5a9/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/b11cb95a4f86/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b11cb95a4f8665db55cc8a9f54cc0107d37c224adca1f3dfe9bcc50074a23cb2

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

a310Logger

Executable exe b11cb95a4f8665db55cc8a9f54cc0107d37c224adca1f3dfe9bcc50074a23cb2

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/181466/

Comments