MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bedfd0f8f9b68917ce2f18dac37d3c629c17bd39421f3c417fb192a9414519ac. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


a310Logger


Vendor detections: 8


Intelligence 8 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: bedfd0f8f9b68917ce2f18dac37d3c629c17bd39421f3c417fb192a9414519ac
SHA3-384 hash: 595d611a20bcc783e05bff6cb00acd1497b9df6656689265dc8fd90812c6a04e5e98fe91f61258edd9c34eb80f6d1e28
SHA1 hash: 899a9f1767604c124d8f38e3d80ee5a4de8a9d5b
MD5 hash: 5ed1b6adaacf59d32994937c116f2aff
humanhash: neptune-seventeen-dakota-fillet
File name:Bank Details.exe
Download: download sample
Signature a310Logger
Create hunting rule
File size:752'128 bytes
First seen:2021-09-16 13:15:47 UTC
Last seen:2021-09-21 09:58:38 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'472 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:KFtR+HIRS+xqDgjLvwOkZS5ffff2hMJi001xOqwree3womOAUP+CHwjEC4iK:q5xSQBwyt0mquv3woijCQz4iK
Threatray 4'237 similar samples on MalwareBazaar
TLSH T10BF4F52C7FCE5A72ED1ED4BD8E094A18BB660B036240F987D78B15CA879F0655DC7C88
dhash icon d48a9a9ab2f4a1a2 (3 x a310Logger, 2 x SpyEx, 1 x FormBook)
Reporter malwarelabnet
Tags:a310logger exe

Intelligence

File Origin
# of uploads :
3
# of downloads :
184
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Bank Details.exe
Verdict:
Malicious activity
Analysis date:
2021-09-16 08:08:50 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/cbe1ed0c-5168-4172-bec0-ee638f3578f4

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/188432/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.37588739.31650.24447.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Launching a process
Creating a file in the %temp% directory
Delayed writing of the file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/617522b6db358dd15ed92830/reports/ca10b0ba-e2a6-40a1-ac2b-93dad84518eb/overview
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/dd008d37-1068-4ab7-bcb4-0304ef6a08dd
Result
Threat name:
SpyEx StormKitty a310Logger
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/852084
Signature
.NET source code contains potential unpacker
Allocates memory in foreign processes
Binary or sample is protected by dotNetProtector
Detected unpacking (creates a PE file in dynamic memory)
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to delay execution (extensive OutputDebugStringW loop)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected a310Logger
Yara detected SpyEx stealer
Yara detected StormKitty Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 484515 Sample: Bank Details.exe Startdate: 16/09/2021 Architecture: WINDOWS Score: 100 80 Malicious sample detected (through community Yara rule) 2->80 82 Multi AV Scanner detection for submitted file 2->82 84 Detected unpacking (creates a PE file in dynamic memory) 2->84 86 10 other signatures 2->86 9 Bank Details.exe 4 2->9         started        12 browser.exe 2->12         started        process3 signatures4 92 Injects a PE file into a foreign processes 9->92 14 Bank Details.exe 1 9->14         started        18 cmd.exe 3 9->18         started        21 cmd.exe 1 9->21         started        94 Multi AV Scanner detection for dropped file 12->94 96 Detected unpacking (creates a PE file in dynamic memory) 12->96 98 Machine Learning detection for dropped file 12->98 100 2 other signatures 12->100 23 browser.exe 12->23         started        25 cmd.exe 12->25         started        27 cmd.exe 12->27         started        process5 dnsIp6 78 budgetn.xyz 198.54.115.195, 49759, 587 NAMECHEAP-NETUS United States 14->78 102 Writes to foreign memory regions 14->102 104 Allocates memory in foreign processes 14->104 106 Tries to steal Crypto Currency Wallets 14->106 29 AppLaunch.exe 15 5 14->29         started        34 AppLaunch.exe 2 14->34         started        42 2 other processes 14->42 64 C:\Users\user\AppData\Roaming\...\browser.exe, PE32 18->64 dropped 66 C:\Users\user\...\browser.exe:Zone.Identifier, ASCII 18->66 dropped 36 conhost.exe 18->36         started        108 Uses schtasks.exe or at.exe to add and modify task schedules 21->108 44 2 other processes 21->44 110 Injects a PE file into a foreign processes 23->110 38 AppLaunch.exe 23->38         started        46 3 other processes 23->46 48 2 other processes 25->48 40 conhost.exe 27->40         started        file7 signatures8 process9 dnsIp10 70 icanhazip.com 104.18.7.156, 49757, 49758, 80 CLOUDFLARENETUS United States 29->70 72 15.55.7.0.in-addr.arpa 29->72 68 C:\Users\user\AppData\...\DOBTPShr.exe, PE32 29->68 dropped 112 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 29->112 114 May check the online IP address of the machine 29->114 116 Tries to steal Instant Messenger accounts or passwords 29->116 50 DOBTPShr.exe 29->50         started        74 15.55.7.0.in-addr.arpa 34->74 118 Tries to steal Mail credentials (via file access) 34->118 120 Tries to harvest and steal browser information (history, passwords, etc) 34->120 53 WerFault.exe 34->53         started        55 WerFault.exe 38->55         started        57 WerFault.exe 46->57         started        59 WerFault.exe 46->59         started        file11 signatures12 process13 signatures14 88 Multi AV Scanner detection for dropped file 50->88 90 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 50->90 61 WerFault.exe 50->61         started        process15 dnsIp16 76 192.168.2.1 unknown unknown 61->76
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/bedfd0f8f9b68917ce2f18dac37d3c629c17bd39421f3c417fb192a9414519ac/
Threat name:
ByteCode-MSIL.Trojan.Tasker
Create hunting rule
Status:
Malicious
First seen:
2021-09-16 01:42:54 UTC
AV detection:
21 of 28 (75.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=x3p5b6hzw2erptrpddnmg7j4mkobppjziiptyql7wgjksqkfdgwa._file
Verdict:
malicious
Similar samples:
1bd85ed9bcbbe87a69f4c4764438e0df0cba8d5799d05a7bed911b5c57c33e4e
a310Logger
26bec6114e67239a103b0c33fef33c802a77703a71ef3a204222454b994dbcf4
a310Logger
4f8799e5441c553ebbda342b6b06356a70dc432e5ac0434f4158146520b57ab7
a310Logger
92fc50fbd75a13621c3d64e1ded8617c4c9f92072010f0735d050c06ba73d995
a310Logger
9f86527e3ca4530bb3209d8608dae083afab4ef2cf7b0ae23bcd6fdc322a0c33
a310Logger
b28ddf6937378f3b331f7f19b968e4f0f785d3799aafe32758b6be2496dd6f69
a310Logger
cb5bc89cd1ed26277efef096f0db68a21d74e301e866e7bb14fb0c1207cd64eb
a310Logger
cba897dc82a468040a082fd6135edecb8dcdcd0f0fe1375adeaeff3262cc6504
a310Logger
de7e8838d1448ac79810b71d637b62165d32cb1932c211e1ea571bd4770b0cea
a310Logger
f5cb1fde3016b1c8c6927d64cca4a84f81987b50382c19b42c4e1b5f137360f2
a310Logger
+ 4'227 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://tria.ge/reports/210916-qhspladec8/
Behaviour
Creates scheduled task(s)
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Executes dropped EXE
Unpacked files
SH256 hash:
6690e58929ca9519a9ffbc4c14af9faf6cfd4ed35f4fc295c2ed85c5a241dde6
MD5 hash:
bcdfdca4eb0145b25d56e7bbc42e026b
SHA1 hash:
2d53816ce66861474a7063a0fa808e83212616be
Link:
https://www.unpac.me/results/95a82af2-89f2-4356-b995-af1fe5428b7b/
SH256 hash:
bedfd0f8f9b68917ce2f18dac37d3c629c17bd39421f3c417fb192a9414519ac
MD5 hash:
5ed1b6adaacf59d32994937c116f2aff
SHA1 hash:
899a9f1767604c124d8f38e3d80ee5a4de8a9d5b
Link:
https://www.unpac.me/results/95a82af2-89f2-4356-b995-af1fe5428b7b/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/bedfd0f8f9b6/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/bedfd0f8f9b68917ce2f18dac37d3c629c17bd39421f3c417fb192a9414519ac

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_SmartAssembly
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with SmartAssembly
Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/188432/

Comments