MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bce90a7e2c725cf35eb9bea064dd047588eb3fc41224be362e876e1b399cbe80. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


a310Logger


Vendor detections: 9


Intelligence 9 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: bce90a7e2c725cf35eb9bea064dd047588eb3fc41224be362e876e1b399cbe80
SHA3-384 hash: d855ff2f2f51313b91f50df07830897b246d9a62c6ed0b091000b83494ff7b52d62b14576a5e046a11a31e2dcc12fd44
SHA1 hash: 6700f43d20e33b6fbe76383a5314300abfa14fd1
MD5 hash: 8788f11b9bfb489ab520f7bbb16a0ae5
humanhash: spaghetti-delaware-chicken-five
File name:IMG_002023400762.exe
Download: download sample
Signature a310Logger
Create hunting rule
File size:25'088 bytes
First seen:2021-10-07 15:33:10 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'609 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 96:KDWhoppa1J9thNd2+14jT8CQcjKHIrwZWAQb17MOE0S0pXsUkTDLotU5GLL1WzNt:KLpSJ9thSX3VQcMIMZgbhMdU/QI/6
Threatray 4'884 similar samples on MalwareBazaar
TLSH T1FBB20A11E284C921D4B77A3A5C6582B80529FE6BF863D71F25DC3F1E7DF23450392924
File icon (PE):PE icon
dhash icon 10c2888c8c88c210 (11 x a310Logger, 6 x SnakeKeylogger, 4 x AgentTesla)
Reporter abuse_ch
Tags:a310logger exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
246
Origin country :
n/a
Vendor Threat Intelligence
Detection:
A310Logger
Create hunting rule
Link:
https://www.capesandbox.com/analysis/195898/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a service
Creating a window
Connection attempt to an infection source
Sending a TCP request to an infection source
Launching a process
Creating a file in the %temp% directory
Query of malicious DNS domain
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
60%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/615f136f98a6280f3933bfb6/reports/20953b80-9fd4-4ce2-8a77-6f94a0ba5cc4/overview
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/f19e4573-ea5f-4ebe-b707-97439a9529e3
Result
Threat name:
SpyEx a310Logger
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/866524
Signature
.NET source code contains potential unpacker
Allocates memory in foreign processes
Creates an undocumented autostart registry key
Detected unpacking (creates a PE file in dynamic memory)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file access)
Writes to foreign memory regions
Yara detected a310Logger
Yara detected SpyEx stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 498953 Sample: IMG_002023400762.exe Startdate: 07/10/2021 Architecture: WINDOWS Score: 100 46 Malicious sample detected (through community Yara rule) 2->46 48 Multi AV Scanner detection for submitted file 2->48 50 Yara detected SpyEx stealer 2->50 52 3 other signatures 2->52 7 IMG_002023400762.exe 15 9 2->7         started        12 luKOoyYKDRFbjvLj.exe 3 2->12         started        14 luKOoyYKDRFbjvLj.exe 14 3 2->14         started        process3 dnsIp4 44 store2.gofile.io 31.14.69.10, 443, 49755, 49833 LINKER-ASFR Virgin Islands (BRITISH) 7->44 34 C:\Users\user\...\IMG_002023400762.exe, PE32 7->34 dropped 36 C:\...\IMG_002023400762.exe:Zone.Identifier, ASCII 7->36 dropped 38 C:\Users\user\...\IMG_002023400762.exe.log, ASCII 7->38 dropped 40 C:\Users\user\AppData\Roaming\...\bmo.exe, PE32 7->40 dropped 62 Creates an undocumented autostart registry key 7->62 64 Writes to foreign memory regions 7->64 66 Allocates memory in foreign processes 7->66 68 Injects a PE file into a foreign processes 7->68 16 IMG_002023400762.exe 3 2 7->16         started        21 conhost.exe 7->21         started        23 conhost.exe 12->23         started        25 conhost.exe 14->25         started        file5 signatures6 process7 dnsIp8 42 efinancet.shop 198.54.115.158, 49813, 587 NAMECHEAP-NETUS United States 16->42 32 C:\Users\user\...\luKOoyYKDRFbjvLj.exe, PE32 16->32 dropped 54 Multi AV Scanner detection for dropped file 16->54 56 Detected unpacking (creates a PE file in dynamic memory) 16->56 58 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 16->58 60 4 other signatures 16->60 27 AppLaunch.exe 16->27         started        30 AppLaunch.exe 2 16->30         started        file9 signatures10 process11 signatures12 70 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 27->70 72 Tries to steal Mail credentials (via file access) 27->72 74 Tries to harvest and steal browser information (history, passwords, etc) 27->74
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/bce90a7e2c725cf35eb9bea064dd047588eb3fc41224be362e876e1b399cbe80/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-10-04 11:20:51 UTC
AV detection:
22 of 45 (48.89%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=xtuqu7rmojopgxvzx2qgjxieoweowp6ecisl4nroq5xbwom4x2aa._file
Verdict:
malicious
Similar samples:
2be3ed94c370d790f744031f9836daf27b4caf7799d3dfbf85f7da2ccb0f4463
a310Logger
37e1958166a5cb3b5d218fc5c1ce9cb7878e4d3b50499e6670d8d22563044502
a310Logger
683de9f06f811629c5ff539256f0674ddcf03a60baa60783e8ef2dc1496d8b7c
a310Logger
6c61d18fadb92cf6235f0d9f708f876f8b8bcaaa6eb7d66d5ed515a60a317d94
a310Logger
9295e25f8d2faace30d36a7497aa48df5bc44de15cee22fc6b1e4233e3c50c50
a310Logger
977435f97d34304e812ea3da5ae1fd0586d87a4b159bbcf89b2343611a4b5c6d
a310Logger
bd6387e217bb54683a5300b0bcbb88e346f2f4b7a8cbfae9f95ae6bb8b3a798a
a310Logger
d3be6e0f0d5596c000d14f103f1c773002c934753bc21ebebdb1ee2a8882d323
a310Logger
d4ac60606ebb8df8a2b8d311c9262442978eeb65067e8940283e3a132efb2525
a310Logger
f06b116d8af2db4ae345ed7c9596865c3476d401ff7d52b0a45478847f053ff1
a310Logger
+ 4'874 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://tria.ge/reports/211007-szsf9scghn/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Unpacked files
SH256 hash:
bce90a7e2c725cf35eb9bea064dd047588eb3fc41224be362e876e1b399cbe80
MD5 hash:
8788f11b9bfb489ab520f7bbb16a0ae5
SHA1 hash:
6700f43d20e33b6fbe76383a5314300abfa14fd1
Link:
https://www.unpac.me/results/33bd6a6c-10c4-417e-8599-74fe1d3e29a8/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/bce90a7e2c72/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.35
Link:
https://yomi.yoroi.company/submissions/bce90a7e2c725cf35eb9bea064dd047588eb3fc41224be362e876e1b399cbe80

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/195898/

Comments