MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bee865485ace9453a82419268cc843189c736a9581177cba94081b18e5fef963. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

a310Logger

Vendor detections: 8

Intelligence 8 IOCs YARA 2 File information Comments

SHA256 hash:	bee865485ace9453a82419268cc843189c736a9581177cba94081b18e5fef963
SHA3-384 hash:	9b6575d0e213c09102de1336bde9461d84bcb31c81cad82a74fea67bdfc16a4454f30498905720fe5d21b6016c6f44e3
SHA1 hash:	b7c9d81d4bdfc904975f384d930212eeee2f95f9
MD5 hash:	50ceabefd6e93249270656327164ae30
humanhash:	cola-paris-equal-california
File name:	PAYMENT_.EXE
Download:	download sample
Signature	a310Logger Create hunting rule
File size:	1'056'256 bytes
First seen:	2022-02-21 15:37:32 UTC
Last seen:	2022-02-21 18:19:11 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	24576:4bHchFJNrDVxOonshSU3APmrd76HM2cqBJwiF4zVz31PVd1zUc4Zuz:4bHchtKkshSuKIaM+Jjaz53RVd1ANW
TLSH	T18725F0DC29BA01F9F3278EBE5DDCF5B0CF79A2226105E4B9B8C51F460B40B4499D2636
Reporter	malwarelabnet
Tags:	a310logger exe

Intelligence

File Origin

# of uploads :

# of downloads :

220

Origin country :

n/a

Vendor Threat Intelligence

Detection:

A310Logger

Link:

https://www.capesandbox.com/analysis/242988/

Detection(s):

SecuriteInfo.com.Trojan.Packed2.44053.9466.11722.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a custom TCP request

Unauthorized injection to a recently created process

Creating a file

Сreating synchronization primitives

Launching a process

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

obfuscated packed replace.exe

Link:

https://www.filescan.io/uploads/6213b1e5a2660f3bb91c2aff/reports/a2874f3a-a751-4a61-8cf3-528db54ec3a9/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/9c477e6f-4749-4808-b69e-d43ea8cc829c

Result

Threat name:

SpyEx a310Logger

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/943343

Signature

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

.NET source code contains very large strings

Allocates memory in foreign processes

Contains functionality to inject code into remote processes

Found malware configuration

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses the Telegram API (likely for C&C communication)

Writes to foreign memory regions

Yara detected a310Logger

Yara detected AntiVM3

Yara detected SpyEx stealer

Yara detected Telegram RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/bee865485ace9453a82419268cc843189c736a9581177cba94081b18e5fef963/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2022-02-21 15:38:16 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

19 of 28 (67.86%)

Threat level:

5/5

Verdict:

malicious

Result

Malware family:

n/a

Score:

4/10

Tags:

n/a

Link:

https://tria.ge/reports/220221-s23p1safa7/

Behaviour

Checks processor information in registry

Modifies data under HKEY_USERS

Suspicious use of AdjustPrivilegeToken

Drops file in Windows directory

Unpacked files

SH256 hash:

fc9bb9746aaa4e07944b2c1338d26ac852531a6e6c97e98f6a56202d27ff607c

MD5 hash:

d2ec533f8b40a8224d79c87c2291f943

SHA1 hash:

f305fa4c5c8525e853fbdbcf5c8cedad9ba08fd2

Link:

https://www.unpac.me/results/3fe38259-7a10-478b-af68-8b71e625e533/

SH256 hash:

4dc5d6beb2bc1d6b43224724500c7fa79d468fb8226d3b91177987b260f01224

MD5 hash:

0cca1452ad7241253cec30e07611c942

SHA1 hash:

f64eb584a6a22441f87abace825ea08e6b2c217a

Link:

https://www.unpac.me/results/3fe38259-7a10-478b-af68-8b71e625e533/

SH256 hash:

e33254e2ad4d279914a29450f98d1750a9f513fc8ddb853e0dd8346b805faa43

MD5 hash:

b597cce7bfc65e56fa69ebb7f413a33f

SHA1 hash:

7ee40df5ac783432e7c9f7be4f7ed1f286345d58

Link:

https://www.unpac.me/results/3fe38259-7a10-478b-af68-8b71e625e533/

SH256 hash:

af06cba913f14190d9bd3f6e88194e29f1556b4b28121648161db0955c6904e7

MD5 hash:

54eb58439807f169162f7fdd74c4030c

SHA1 hash:

744df7b75f10d78551c5c6bfa245268a0dd236ab

Link:

https://www.unpac.me/results/3fe38259-7a10-478b-af68-8b71e625e533/

SH256 hash:

53a0f3db9e37938bdf3b436f6069cb84911ac5f0cf2385c903aed0ff051397c2

MD5 hash:

fd83c63ac7117d759f837e8efb7d1cda

SHA1 hash:

689695352366dbca184f9388e2ec4c4bca1ce9b9

Link:

https://www.unpac.me/results/3fe38259-7a10-478b-af68-8b71e625e533/

SH256 hash:

9dc7c5f5d889aebb2e0f63d5b5a7887c37a2cf002bd1aa66229bffbc5fcb4717

MD5 hash:

3a24c7f9a1246d99f52edc9251227a1e

SHA1 hash:

47a0072ffc1daa0b7537a0fbc99d67ca880560c3

Link:

https://www.unpac.me/results/3fe38259-7a10-478b-af68-8b71e625e533/

SH256 hash:

bee865485ace9453a82419268cc843189c736a9581177cba94081b18e5fef963

MD5 hash:

50ceabefd6e93249270656327164ae30

SHA1 hash:

b7c9d81d4bdfc904975f384d930212eeee2f95f9

Link:

https://www.unpac.me/results/3fe38259-7a10-478b-af68-8b71e625e533/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/bee865485ace/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/bee865485ace9453a82419268cc843189c736a9581177cba94081b18e5fef963

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/242988/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample