MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bfb08f6e69c9a8702f612f5c0e90599ef48c9d7270cc5a88611ff7555be2d0e1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


a310Logger


Vendor detections: 19


Intelligence 19 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: bfb08f6e69c9a8702f612f5c0e90599ef48c9d7270cc5a88611ff7555be2d0e1
SHA3-384 hash: e072f632a1b5b129da2170cf3e39b242a5943da3213b82a3f1fae3a2c6eeb2221a6bae8e00a8ad6c2645499f8f1146ac
SHA1 hash: d809eb31b087e244863bd728c13a4330b11a85b0
MD5 hash: 98598520b1b8492b59d5d92225b5b6bf
humanhash: music-indigo-wolfram-glucose
File name:DS54009000.bat
Download: download sample
Signature a310Logger
Create hunting rule
File size:989'696 bytes
First seen:2025-10-21 11:37:14 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'746 x AgentTesla, 19'624 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:1bf7UlHjfmiL6rPQAo1KTGZXOYrdpiWdWmutQpnB/8AdYXughs1voOaJzZbBP3a/:1bf7QjfmlQXYmJ2WdTn5ZYeggiNA/
Threatray 404 similar samples on MalwareBazaar
TLSH T1FB2502446A6EEF62C8B21BF40972E37113B49D4DA820D3275FE9ACDB70B6F442958743
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
Reporter threatcat_ch
Tags:a310logger exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
90
Origin country :
CH CH
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
DS54009000.bat
Verdict:
Suspicious activity
Analysis date:
2025-10-21 11:41:55 UTC
Tags:
auto-sch-xml
Link:
https://app.any.run/tasks/c19df92e-85cc-43e0-a352-e0f00c05f530

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
DarkCloud
Create hunting rule
Link:
https://www.capesandbox.com/analysis/33624/
Verdict:
Malicious
Score:
94.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68f770843edd081eba405730
Tags:
spawn shell hype
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a process with a hidden window
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a file in the %temp% directory
Launching a process
Creating a file
Сreating synchronization primitives
Using the Windows Management Instrumentation requests
DNS request
Connection attempt
Sending an HTTP GET request
Creating a file in the %AppData% subdirectories
Reading critical registry keys
Stealing user critical data
Adding an exclusion to Microsoft Defender
Enabling autorun by creating a file
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
base64 bitmap lolbin lolbin masquerade msbuild obfuscated overlay packed packed reconnaissance redcap regsvcs rezer0 roboski schtasks stego telegram tracker vbc vbnet
Link:
https://www.filescan.io/uploads/68f770813a79800405ee3dab/reports/13979ac8-63f6-42e5-bc89-2742542ac25d/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/bfb08f6e69c9a8702f612f5c0e90599ef48c9d7270cc5a88611ff7555be2d0e1
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-10-21T04:52:00Z UTC
Last seen:
2025-10-23T09:04:00Z UTC
Hits:
~1000
Detections:
Trojan-PSW.Win32.Stealer.sb HEUR:Backdoor.MSIL.Remcos.gen Trojan-PSW.Win32.Stelega.sb Trojan-PSW.Win32.DarkCloud.sb PDM:Trojan.Win32.Generic Trojan.MSIL.Taskun.sb Trojan.MSIL.Inject.sb HEUR:Trojan.MSIL.Taskun.sb HackTool.ReconScan.TCP.ServerRequest
Link:
https://opentip.kaspersky.com/bfb08f6e69c9a8702f612f5c0e90599ef48c9d7270cc5a88611ff7555be2d0e1/results?tab=lookup
Malware family:
DarkCloud
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/886d3edb-fafc-47d9-a91e-d0b89bc18619
Result
Threat name:
DarkCloud
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1799048
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Scheduled temp file as task from temp location
Tries to harvest and steal browser information (history, passwords, etc)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected DarkCloud
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1799048 Sample: DS54009000.bat.exe Startdate: 21/10/2025 Architecture: WINDOWS Score: 100 46 showip.net 2->46 50 Malicious sample detected (through community Yara rule) 2->50 52 Sigma detected: Scheduled temp file as task from temp location 2->52 54 Multi AV Scanner detection for submitted file 2->54 56 6 other signatures 2->56 8 DS54009000.bat.exe 7 2->8         started        12 ZFalxV.exe 5 2->12         started        signatures3 process4 file5 38 C:\Users\user\AppData\Roaming\ZFalxV.exe, PE32 8->38 dropped 40 C:\Users\user\...\ZFalxV.exe:Zone.Identifier, ASCII 8->40 dropped 42 C:\Users\user\AppData\Local\...\tmp5DEC.tmp, XML 8->42 dropped 44 C:\Users\user\...\DS54009000.bat.exe.log, ASCII 8->44 dropped 58 Uses schtasks.exe or at.exe to add and modify task schedules 8->58 60 Writes to foreign memory regions 8->60 62 Allocates memory in foreign processes 8->62 64 Adds a directory exclusion to Windows Defender 8->64 14 powershell.exe 23 8->14         started        17 powershell.exe 23 8->17         started        19 vbc.exe 15 8->19         started        22 schtasks.exe 1 8->22         started        66 Multi AV Scanner detection for dropped file 12->66 68 Injects a PE file into a foreign processes 12->68 24 vbc.exe 12->24         started        26 schtasks.exe 12->26         started        signatures6 process7 dnsIp8 70 Loading BitLocker PowerShell Module 14->70 28 conhost.exe 14->28         started        30 WmiPrvSE.exe 14->30         started        32 conhost.exe 17->32         started        48 showip.net 162.55.60.2, 49690, 49691, 80 ACPCA United States 19->48 72 Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes) 19->72 34 conhost.exe 22->34         started        74 Tries to harvest and steal browser information (history, passwords, etc) 24->74 36 conhost.exe 26->36         started        signatures9 process10
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/bfb08f6e69c9a8702f612f5c0e90599ef48c9d7270cc5a88611ff7555be2d0e1
Verdict:
inconclusive
YARA:
5 match(es)
Tags:
.Net Executable Managed .NET PDB Path PE (Portable Executable) PE File Layout SOS: 0.47 Win 32 Exe x86
Link:
https://app.malva.re/file/98598520b1b8492b59d5d92225b5b6bf
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/bfb08f6e69c9a8702f612f5c0e90599ef48c9d7270cc5a88611ff7555be2d0e1/
Verdict:
Malicious
Threat:
Family.DARKCLOUD
Link:
https://tip.neiki.dev/file/bfb08f6e69c9a8702f612f5c0e90599ef48c9d7270cc5a88611ff7555be2d0e1
Threat name:
ByteCode-MSIL.Backdoor.FormBook
Create hunting rule
Status:
Malicious
First seen:
2025-10-21 08:17:00 UTC
File Type:
PE (.Net Exe)
Extracted files:
12
AV detection:
28 of 38 (73.68%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=x6yi63tjzguhal3bf5oa5eczt32izhlsodgfvcdbd73vkw7c2dqq._file
Verdict:
malicious
Label(s):
unc_loader_037
Create hunting rule
darkcloudstealer
Create hunting rule
Similar samples:
3cbf0bb73e7973458f172a4d50391803a89ce183a17438f689d9045a683b5cc2
a310Logger
57220f31383dfe2c794ea9afd290e138b9841b7899b8cd0e73cfe8550cf0dec6
a310Logger
57d9fee83b55c914cfff325bdf7bd20a3c80aa342d83690d85146d0ac20d7847
a310Logger
9acd0901461dd314c6c2eb2d5f4e9dd8867d3bdadd50cd696a4ee809e346ca71
a310Logger
bfb08f6e69c9a8702f612f5c0e90599ef48c9d7270cc5a88611ff7555be2d0e1
a310Logger
eb27c96a09f6c81ef8baca23b0024fc1c26dd3c9b2fa0a5b728cb56e1e2425af
a310Logger
error
a310Logger
+ 394 additional samples on MalwareBazaar
Result
Malware family:
darkcloud
Create hunting rule
Score:
  10/10
Tags:
family:darkcloud discovery execution persistence stealer
Link:
https://tria.ge/reports/251021-nrf12saq6z/
Behaviour
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
SmartAssembly .NET packer
Suspicious use of SetThreadContext
Checks computer location settings
Executes dropped EXE
Uses the VBS compiler for execution
Command and Scripting Interpreter: PowerShell
DarkCloud
Darkcloud family
Unpacked files
SH256 hash:
bfb08f6e69c9a8702f612f5c0e90599ef48c9d7270cc5a88611ff7555be2d0e1
MD5 hash:
98598520b1b8492b59d5d92225b5b6bf
SHA1 hash:
d809eb31b087e244863bd728c13a4330b11a85b0
Link:
https://www.unpac.me/results/5a539bb0-e460-426a-bcc1-52908558087d/
SH256 hash:
bcde5f05976ebd5d3fee0b8f569c783a74a2133f70179af8b9d47430d950f151
MD5 hash:
9aca4664abbfde1c2d29f94e01a73283
SHA1 hash:
3e39dd3d571da90584dca04e8cb1229f4d227748
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24
Create hunting rule
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/5a539bb0-e460-426a-bcc1-52908558087d/
SH256 hash:
9f2bdadb8926bf6157c7487e994ec28657f9415fd2fdf97a5ba82ba12e24046a
MD5 hash:
0e1119a6df48b550ad1353d136297ef3
SHA1 hash:
3f89b2297c1e0a29932eb25741a51538e005d565
Link:
https://www.unpac.me/results/5a539bb0-e460-426a-bcc1-52908558087d/
SH256 hash:
1ff40856193cd41006a5bb49ed54981afdcef0bfed9e03e820c8cc1e9ee7629b
MD5 hash:
59f199c9bcc944df0fe161e8c754edb5
SHA1 hash:
5f3f76791e4eacb59c47d5d037ba7ef6d4750adb
Detections:
darkcloudstealer
Create hunting rule
INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_TelegramChatBot
Create hunting rule
MALWARE_Win_A310Logger
Create hunting rule
MALWARE_Win_DarkCloud
Create hunting rule
Link:
https://www.unpac.me/results/5a539bb0-e460-426a-bcc1-52908558087d/
Parent samples :
bfb08f6e69c9a8702f612f5c0e90599ef48c9d7270cc5a88611ff7555be2d0e1
fe80c043492a71a38e1705f7ef620c20b2029baac7702361f96a7b0242d459fc
f4226b7f95701ec62a49fc163cd74f30ae5a3665b8f39ec285b77a318ea8cdc0
5e10f1660e217f3ddbfcb25c906718afe63ba100833ffaca62b0b9fdd6a155e3
SH256 hash:
3b75425895af4ae3186b36277553641e37ca1d620ae18d68e40d13351b54de6a
MD5 hash:
94d1531b52774dce52a89e33646d5b1d
SHA1 hash:
29bf887b025b97bd7a9e1e261852ba824234a625
Link:
https://www.unpac.me/results/5a539bb0-e460-426a-bcc1-52908558087d/
Malware family:
DarkCloud
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/bfb08f6e69c9/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/bfb08f6e69c9a8702f612f5c0e90599ef48c9d7270cc5a88611ff7555be2d0e1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

a310Logger

Executable exe bfb08f6e69c9a8702f612f5c0e90599ef48c9d7270cc5a88611ff7555be2d0e1

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/33624/

Comments