MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b6df7c082c500ca77f9530f0b6954d6d8d997ff3565bd2be5f18d3363d50d7e0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

a310Logger

Vendor detections: 9


SHA256 hash: b6df7c082c500ca77f9530f0b6954d6d8d997ff3565bd2be5f18d3363d50d7e0
SHA3-384 hash: adc07392405e0ac19db669ab8dc6aed00ea3793620194f51de9b7090ca33a95795b0f3a2bc1419be1042eeda4ee14223
SHA1 hash: dfb0108fdc4ccb0fb10090a51ef1685f6efc0b53
MD5 hash: 6a07df8810ab9c4141ad36279d406b96
humanhash: skylark-cold-wolfram-wisconsin
File name: 6a07df8810ab9c4141ad36279d406b96
Signature: a310Logger
File size: 676'864 bytes
First seen: 2021-08-10 16:04:37 UTC
Last seen: 2021-08-10 16:53:29 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'662 x AgentTesla, 19'476 x Formbook, 12'208 x SnakeKeylogger)
ssdeep: 12288:bUQDjg+65t+UW19qnOVPLQz3qeeitZJ9xrhNgL+H6IBOjwPeMK:bnyWPxVPLlzI1rhqyJUWeM
Threatray: 47 similar samples on MalwareBazaar
TLSH: T1F1E4230A7C5852CAE4F042B31C95D43F17B2AC73E623C0AAA4F59FD53B937A685C8615
dhash icon: 0020149968040000 (3 x Formbook, 2 x a310Logger)
Reporter: zbetcheckin
Tags: 32 a310logger exe

Intelligence


File Origin
# of uploads: 2
# of downloads: 138
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: 6a07df8810ab9c4141ad36279d406b96
Verdict: Suspicious activity
Analysis date: 2021-08-10 16:08:15 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Verdict: Malware
Maliciousness:
Behaviour
Creating a window
Sending a UDP request
Launching a process
Creating a process with a hidden window
Unauthorized injection to a system process
Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: StormKitty a310Logger
Detection: malicious
Classification: phis.troj.spyw.evad
Score: 100 / 100
Signature
.NET source code contains potential unpacker
Allocates memory in foreign processes
Detected unpacking (creates a PE file in dynamic memory)
Injects a PE file into a foreign process
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file access)
Writes to foreign memory regions
Yara detected a310Logger
Yara detected StormKitty Stealer
Behaviour
Behavior Graph (ID 462785; sample b6DgLtWMR3; start date 10/08/2021; architecture WINDOWS; score 100), reconstructed from the flattened graph rendering:

Process tree:
b6DgLtWMR3.exe
  dropped: C:\Users\user\AppData\Roaming\...\paint.exe (PE32)
  dropped: C:\Users\user\AppData\...\b6DgLtWMR3.exe (PE32)
  dropped: C:\Users\user\...\paint.exe:Zone.Identifier (ASCII)
  dropped: 2 other malicious files
  b6DgLtWMR3.exe
    network: bojtai.xyz 199.188.200.110, ports 49716, 49729, 587 (NAMECHEAP-NETUS, United States)
    signatures: Multi AV Scanner detection for dropped file; Detected unpacking (creates a PE file in dynamic memory); Performs DNS queries to domains with low reputation; 6 other signatures
    AppLaunch.exe
      network: icanhazip.com 104.18.7.156, ports 49715, 49727, 49728 (CLOUDFLARENETUS, United States); 35.56.3.0.in-addr.arpa
      dropped: C:\Users\user\AppData\...\CseQcEIY.exe (PE32)
      signatures: Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); May check the online IP address of the machine; Tries to steal Instant Messenger accounts or passwords; 2 other signatures
      CseQcEIY.exe
        signatures: Multi AV Scanner detection for dropped file; Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
    AppLaunch.exe
      WerFault.exe
    AppLaunch.exe
      WerFault.exe
    AppLaunch.exe
paint.exe
  dropped: C:\Users\user\AppData\Local\Temp\paint.exe (PE32)
  dropped: C:\Users\user\...\paint.exe:Zone.Identifier (ASCII)
paint.exe

Sample-level network: 192.168.2.1 (unknown); icanhazip.com; 2 other IPs or domains
Sample-level signatures: Malicious sample detected (through community Yara rule); Multi AV Scanner detection for dropped file; Multi AV Scanner detection for submitted file; 6 other signatures
Threat name: ByteCode-MSIL.Downloader.Seraph
Status: Malicious
First seen: 2021-08-10 07:50:27 UTC
AV detection: 16 of 28 (57.14%)
Threat level: 3/5

Result
Malware family: n/a
Score: 6/10
Tags: persistence
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Unpacked files

SHA256 hash: 2d92d177af4bba43cbce95f06d9780f48b83b2287fdab631e29cc93105519cf0
MD5 hash: 6e277cecde963592208690f4dbdd37b3
SHA1 hash: 4ae6df6f37788f84577fd296803e0ed75336e926

SHA256 hash: 6827736e9878245393774ed7ba27dd0b888d2403d3b28be20cfeac42f7b3b1eb
MD5 hash: f840114b410f7653d91e1fb8e85ac56d
SHA1 hash: f724c85697e4f48bd1c272f692861d2107db69b3

SHA256 hash: 4ad7d38f178d2d435756beeba9a95612bfcac4cc0db81eaae3fdd0110e979278
MD5 hash: 99e3be6d4c48c30737fd0f1b227c7c4b
SHA1 hash: 41ba6b991c399809512aa8bcc7a6f3477e8d4644

SHA256 hash: b6df7c082c500ca77f9530f0b6954d6d8d997ff3565bd2be5f18d3363d50d7e0
MD5 hash: 6a07df8810ab9c4141ad36279d406b96
SHA1 hash: dfb0108fdc4ccb0fb10090a51ef1685f6efc0b53
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Author: ditekSHen
Description: Detect executables with stomped PE compilation timestamp that is greater than local current time

Rule name: pe_imphash

Rule name: pe_imphash

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download (Distributed via web download)
Signature: a310Logger
File: Executable exe b6df7c082c500ca77f9530f0b6954d6d8d997ff3565bd2be5f18d3363d50d7e0 (this sample)

Comments

zbet commented on 2021-08-10 16:04:38 UTC

url: hxxp://auto-house.info/cgt/mmii0.exe