MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b2d70004757350c572d2222eb6930eaa288ec0e7735715f802af9e32d8c60492. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

a310Logger

Vendor detections: 15

Intelligence 15 IOCs YARA 24 File information Comments

SHA256 hash:	b2d70004757350c572d2222eb6930eaa288ec0e7735715f802af9e32d8c60492
SHA3-384 hash:	5a3fc4bbe3277bd9a3153168ba07ace6ab14abeb8ff8e04600d64be432643b103882927035cdf1afabadf6bb8bd3d06d
SHA1 hash:	bfcdce3ecc5da6a04c9fd4ae54fa67020c256b53
MD5 hash:	a0e16f76f7d441ec8e2ef284b2d841e9
humanhash:	west-crazy-fix-michigan
File name:	4719363800.exe
Download:	download sample
Signature	a310Logger Create hunting rule
File size:	1'841'152 bytes
First seen:	2025-10-29 12:02:09 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'747 x AgentTesla, 19'638 x Formbook, 12'244 x SnakeKeylogger)
ssdeep	24576:vMz/puYMKkKYz/gibvsYZNOey6Y8yrPkdyGr7qG9J8dw5/hcYrp:+UVJciDsYjBDocdTqG9id0JRrp
TLSH	T14185AC099AE41F53E2BA4736C4F39A847375A890FB5BE70B914434A60C963D25B433FB
TrID	67.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 9.7% (.EXE) Win64 Executable (generic) (10522/11/4) 6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 4.1% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika	pebin
Reporter	lowmal3
Tags:	a310logger exe

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

4719363800.exe

Verdict:

Malicious activity

Analysis date:

2025-10-29 12:06:27 UTC

Tags:

auto-startup purecrypter darkcloud upx

Link:

https://app.any.run/tasks/a2cb95c8-1c75-4811-97d5-3336b8d69949

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

DarkCloud

Link:

https://www.capesandbox.com/analysis/34605/

Verdict:

Clean

Score:

99.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=6902027b9942f1282eca0b1f

Tags:

n/a

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/b2d70004757350c572d2222eb6930eaa288ec0e7735715f802af9e32d8c60492

Verdict:

Malicious

File Type:

exe x32

First seen:

2025-10-29T03:34:00Z UTC

Last seen:

2025-10-31T09:53:00Z UTC

Hits:

~1000

Link:

https://opentip.kaspersky.com/b2d70004757350c572d2222eb6930eaa288ec0e7735715f802af9e32d8c60492/results?tab=lookup

Malware family:

DarkCloud

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/b1a06a13-819c-4f93-ac79-82b404391fc3

Result

Threat name:

DarkCloud

Detection:

malicious

Classification:

troj.spyw.expl.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1803847

Signature

Drops VBS files to the startup folder

Found malware configuration

Injects a PE file into a foreign processes

Joe Sandbox ML detected suspicious sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Drops script at startup location

Sigma detected: WScript or CScript Dropper

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Writes to foreign memory regions

Yara detected AntiVM3

Yara detected Costura Assembly Loader

Yara detected DarkCloud

Yara detected Generic Dropper

Yara detected Telegram RAT

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/b2d70004757350c572d2222eb6930eaa288ec0e7735715f802af9e32d8c60492

Verdict:

inconclusive

YARA:

11 match(es)

Tags:

.Net Executable Managed .NET PE (Portable Executable) PE File Layout SOS: 0.42 Win 32 Exe x86

Link:

https://app.malva.re/file/a0e16f76f7d441ec8e2ef284b2d841e9

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/b2d70004757350c572d2222eb6930eaa288ec0e7735715f802af9e32d8c60492/

Threat name:

ByteCode-MSIL.Trojan.PureLogStealer

Status:

Malicious

First seen:

2025-10-29 12:03:05 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

30 of 37 (81.08%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=wllqabdvonimk4wseixlneyoviui5qhhonlrl6acv6pdfwggasja._file

Verdict:

malicious

Label(s):

unc_loader_078

Similar samples:

error

a310Logger

Result

Malware family:

darkcloud

Score:

10/10

Tags:

family:darkcloud discovery stealer

Link:

https://tria.ge/reports/251029-n7zs4aykev/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

System Location Discovery: System Language Discovery

Suspicious use of SetThreadContext

Drops startup file

DarkCloud

Darkcloud family

Verdict:

Malicious

Tags:

Win.Packed.Msilheracles-10017859-0

YARA:

n/a

Link:

https://app.threat.zone/submission/9e64768f-efba-443f-acbc-5d42f1d33943

Unpacked files

SH256 hash:

b2d70004757350c572d2222eb6930eaa288ec0e7735715f802af9e32d8c60492

MD5 hash:

a0e16f76f7d441ec8e2ef284b2d841e9

SHA1 hash:

bfcdce3ecc5da6a04c9fd4ae54fa67020c256b53

Link:

https://www.unpac.me/results/ad051b8d-4004-42b1-ac23-be3e557d9081/

SH256 hash:

19efdf03cb94895935225795f68bb9abfded1869687367013b8b4eee3cc99372

MD5 hash:

4e29f75c0c51b9dec76955f0382d9541

SHA1 hash:

4899aa8e3f57339cbaec8faab777897a76fe1c3a

Link:

https://www.unpac.me/results/ad051b8d-4004-42b1-ac23-be3e557d9081/

SH256 hash:

ca275e8afd7317223857a46d9696a047c3cf290ebc2c886bb06e6ec2a3a06c75

MD5 hash:

b24375f8eb3715f0b9ba54543f964f74

SHA1 hash:

620b304168ba8d40365da1c67434b2984a8e9e2e

Link:

https://www.unpac.me/results/ad051b8d-4004-42b1-ac23-be3e557d9081/

SH256 hash:

f2ce496e222926b28e2c840e66baf2f3f316c994d8dd0e202fd07977b27ce650

MD5 hash:

59716e316b505ec43f9ae70b88d7732f

SHA1 hash:

a83bf549e968f536d22a4edfbebd9b3116b6b487

Detections:

SUSP_OBF_NET_Reactor_Indicators_Jan24

Link:

https://www.unpac.me/results/ad051b8d-4004-42b1-ac23-be3e557d9081/

SH256 hash:

b316675fe26cfb1f2b68f90d10ff17aa528d50f42af38e5ee1d4894df169f808

MD5 hash:

d5e3efea9424677ebe130f969c7cf32d

SHA1 hash:

aeef7a524f24e54ba62cad12d06a9c34adc919a0

Link:

https://www.unpac.me/results/ad051b8d-4004-42b1-ac23-be3e557d9081/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.35

Link:

https://yomi.yoroi.company/submissions/b2d70004757350c572d2222eb6930eaa288ec0e7735715f802af9e32d8c60492

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	CP_Script_Inject_Detector Create hunting rule
Author:	DiegoAnalytics
Description:	Detects attempts to inject code into another process across PE, ELF, Mach-O binaries

Rule name:	DetectEncryptedVariants Create hunting rule
Author:	Zinyth
Description:	Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded

Rule name:	FreddyBearDropper Create hunting rule
Author:	Dwarozh Hoshiar
Description:	Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.

Rule name:	INDICATOR_EXE_Packed_SmartAssembly Create hunting rule
Author:	ditekSHen
Description:	Detects executables packed with SmartAssembly

Rule name:	INDICATOR_SUSPICIOUS_Binary_References_Browsers Create hunting rule
Author:	ditekSHen
Description:	Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Rule name:	INDICATOR_SUSPICIOUS_EXE_CC_Regex Create hunting rule
Author:	ditekSHen
Description:	Detects executables referencing credit card regular expressions

Rule name:	INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store Create hunting rule
Author:	ditekSHen
Description:	Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers

Rule name:	INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore Create hunting rule
Author:	ditekSHen
Description:	Detects executables containing SQL queries to confidential data stores. Observed in infostealers

Rule name:	INDICATOR_SUSPICIOUS_EXE_TelegramChatBot Create hunting rule
Author:	ditekSHen
Description:	Detects executables using Telegram Chat Bot

Rule name:	MALWARE_Win_A310Logger Create hunting rule
Author:	ditekSHen
Description:	Detects A310Logger

Rule name:	MALWARE_Win_DarkCloud Create hunting rule
Author:	ditekSHen
Description:	Detects DarkCloud infostealer

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	ProtectSharewareV11eCompservCMS Create hunting rule
Author:	malware-lu

Rule name:	RIPEMD160_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for RIPEMD-160 constants

Rule name:	SEH__vba Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	SHA1_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for SHA1 constants

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	Sus_CMD_Powershell_Usage Create hunting rule
Author:	XiAnzheng
Description:	May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

Rule name:	TelegramAPIMalware_PowerShell_EXE Create hunting rule
Author:	@polygonben
Description:	Hunting for pwsh malware using Telegram for C2

Rule name:	telegram_bot_api Create hunting rule
Author:	rectifyq
Description:	Detects file containing Telegram Bot API

Rule name:	UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser Create hunting rule
Author:	malware-lu

Rule name:	Windows_Trojan_DarkCloud_9905abce Create hunting rule
Author:	Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

a310Logger

exe b2d70004757350c572d2222eb6930eaa288ec0e7735715f802af9e32d8c60492

(this sample)

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/34605/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample