MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b66c743bab45b7b02a5697b6f1794b69a792f7e57cd4388b9fbe312ae79bf537. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

a310Logger

Vendor detections: 19

Intelligence 19 IOCs YARA 4 File information Comments

SHA256 hash:	b66c743bab45b7b02a5697b6f1794b69a792f7e57cd4388b9fbe312ae79bf537
SHA3-384 hash:	a18a917924ba7508ae430a1223876adeb7abc9c7362a8c247ffcca42e3e978bd80832da3a1a36f1df50dcbee76763d7e
SHA1 hash:	4ae633329c81ef8637787d444e4dae376b655c88
MD5 hash:	04ae5449ed6ec451807e3138bd1e6f10
humanhash:	london-winter-eighteen-mars
File name:	E-dekont.pdf.exe
Download:	download sample
Signature	a310Logger Create hunting rule
File size:	814'080 bytes
First seen:	2025-10-01 15:13:07 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'602 x Formbook, 12'241 x SnakeKeylogger)
ssdeep	24576:VpfAriJ04PgGBTYqCzfQmo2fEpSFIC2T:VpfTa4PgGBUqCzI2fEpSFT2
Threatray	2'230 similar samples on MalwareBazaar
TLSH	T1D105121213AAFF0BC8921FB80D60E37647B54E98B51AE3564FFDBDDBB5263412418392
TrID	71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.2% (.EXE) Win64 Executable (generic) (10522/11/4) 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.3% (.EXE) Win32 Executable (generic) (4504/4/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika	pebin
Reporter	abuse_ch
Tags:	a310logger exe geo TUR

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

E-dekont.pdf.exe

Verdict:

Malicious activity

Analysis date:

2025-10-01 15:41:53 UTC

Tags:

stealer evasion telegram amsi-bypass ims-api generic darkcloud

Link:

https://app.any.run/tasks/3d939b2c-d44c-4581-93d9-aaf380b392a8

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

A310Logger

Link:

https://www.capesandbox.com/analysis/29783/

Verdict:

Malicious

Score:

94.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=68dd453740b7da0b4eb94b10

Tags:

underscore extens spawn shell

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Creating a process with a hidden window

Unauthorized injection to a recently created process

Restart of the analyzed sample

Creating a file

Сreating synchronization primitives

Sending a custom TCP request

Using the Windows Management Instrumentation requests

DNS request

Connection attempt

Sending an HTTP GET request

Creating a file in the %AppData% subdirectories

Reading critical registry keys

Stealing user critical data

Adding an exclusion to Microsoft Defender

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

lolbin masquerade obfuscated packed packed packer_detected tracker

Link:

https://www.filescan.io/uploads/68dd4692044ae46c241e77a6/reports/54fbc0c7-42ee-4260-87f8-12479d3a258f/overview

Verdict:

Malicious

Labled as:

Genie.8DN.Generic

Link:

https://www.hybrid-analysis.com/sample/b66c743bab45b7b02a5697b6f1794b69a792f7e57cd4388b9fbe312ae79bf537

Verdict:

Malicious

File Type:

exe x32

First seen:

2025-10-01T05:04:00Z UTC

Last seen:

2025-10-03T11:21:00Z UTC

Hits:

~1000

Link:

https://opentip.kaspersky.com/b66c743bab45b7b02a5697b6f1794b69a792f7e57cd4388b9fbe312ae79bf537/results?tab=lookup

Malware family:

DarkCloud

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/155f5d17-69ab-4bf9-a8f9-39ba3d38bf71

Result

Threat name:

DarkCloud

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1787450

Signature

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

Adds a directory exclusion to Windows Defender

Antivirus / Scanner detection for submitted sample

Found malware configuration

Initial sample is a PE file and has a suspicious name

Joe Sandbox ML detected suspicious sample

Loading BitLocker PowerShell Module

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Sigma detected: Suspicious Double Extension File Execution

Suricata IDS alerts for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Uses an obfuscated file name to hide its real file extension (double extension)

Uses the Telegram API (likely for C&C communication)

Yara detected AntiVM3

Yara detected DarkCloud

Yara detected Telegram RAT

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/b66c743bab45b7b02a5697b6f1794b69a792f7e57cd4388b9fbe312ae79bf537

Gathering data

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/b66c743bab45b7b02a5697b6f1794b69a792f7e57cd4388b9fbe312ae79bf537/

Threat name:

ByteCode-MSIL.Trojan.SnakeKeylogger

Status:

Malicious

First seen:

2025-10-01 15:21:37 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

27 of 38 (71.05%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=wzwhio5liw33aksws63pc6klngtzf57fptkdrc47xyysvz436u3q._file

Verdict:

malicious

Label(s):

unc_loader_037

darkcloudstealer

a310Logger

95aa51f232eee5bdbe1e7e07b9fa92279dd95dc1168cb183d71b37ce3c561a1a

a310Logger

b66c743bab45b7b02a5697b6f1794b69a792f7e57cd4388b9fbe312ae79bf537

a310Logger

be1fdc37390624b0ebb5cb210c438560ebe27022a834d4374f09b3e9d17960f1

a310Logger

c5e1683a015a9b48ed1cfc4d133f0477dd1ad0be481cb18be360e035436d84b2

a310Logger

cb0444e0d6694bb3aff429734dac57c823ebbbaf08742338de107000cf092864

a310Logger

error

a310Logger

+ 2'220 additional samples on MalwareBazaar

Result

Malware family:

darkcloud

Score:

10/10

Tags:

family:darkcloud defense_evasion discovery execution spyware stealer

Link:

https://tria.ge/reports/251001-spwe6sxxdw/

Behaviour

Kills process with taskkill

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious use of SetThreadContext

Checks computer location settings

Reads WinSCP keys stored on the system

Reads user/profile data of web browsers

Command and Scripting Interpreter: PowerShell

DarkCloud

Darkcloud family

Malware Config

C2 Extraction:

https://api.telegram.org/bot8459604418:AAEe5BJzgytThRakO5ZkWuEuVE2XzWiw0Ow/sendMessage?chat_id=8064644982

Verdict:

Malicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/b51d6dab-8d01-4e6b-9c54-a372ba314b4e

Unpacked files

SH256 hash:

b66c743bab45b7b02a5697b6f1794b69a792f7e57cd4388b9fbe312ae79bf537

MD5 hash:

04ae5449ed6ec451807e3138bd1e6f10

SHA1 hash:

4ae633329c81ef8637787d444e4dae376b655c88

Link:

https://www.unpac.me/results/55df8d0a-a1ba-4868-a51a-ca954a8e8a74/

SH256 hash:

e052535376127e296d0432d6adf0919e1fa175de6fc41bd4210ec9a7959d4945

MD5 hash:

94036dcbed4a684b827fbce3ffd2059c

SHA1 hash:

003efcd63666696f0d5133cfdd4c5324e4764bac

Link:

https://www.unpac.me/results/55df8d0a-a1ba-4868-a51a-ca954a8e8a74/

SH256 hash:

dbdccd99b92299669a805b02df7092daf2ee435af1d447332312c2f358bb4e81

MD5 hash:

dab0b33660845fff2fb2a6ee3cb3bfcb

SHA1 hash:

798953fd8a2f491a7cc02ceecd257a95629aa675

Detections:

darkcloudstealer

INDICATOR_SUSPICIOUS_Binary_References_Browsers

INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store

INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients

INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore

INDICATOR_SUSPICIOUS_EXE_TelegramChatBot

INDICATOR_SUSPICIOUS_EXE_CC_Regex

MALWARE_Win_A310Logger

MALWARE_Win_DarkCloud

Link:

https://www.unpac.me/results/55df8d0a-a1ba-4868-a51a-ca954a8e8a74/

Parent samples :

0ea7616d172f2d56a7c496c3bd83d6fb3fbc78ffc3e6bc43bef293160083dab2
95aa51f232eee5bdbe1e7e07b9fa92279dd95dc1168cb183d71b37ce3c561a1a
b66c743bab45b7b02a5697b6f1794b69a792f7e57cd4388b9fbe312ae79bf537

SH256 hash:

f71d228c7ab15e6c6ddb32a5056cde730d2a62e64d68350e74a5d9526c6e770d

MD5 hash:

29b1e9fec6743fa7cea218bcf7fb934f

SHA1 hash:

a7f0610812a8adc2cb19089428a5d6a9cb251be5

Detections:

SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24

SUSP_OBF_NET_Reactor_Indicators_Jan24

Link:

https://www.unpac.me/results/55df8d0a-a1ba-4868-a51a-ca954a8e8a74/

Malware family:

DarkCloud

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/b66c743bab45/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/b66c743bab45b7b02a5697b6f1794b69a792f7e57cd4388b9fbe312ae79bf537

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	CP_AllMal_Detector Create hunting rule
Author:	DiegoAnalytics
Description:	CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/29783/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample