MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c4dbc81e8e003295ddf39d7cb73d7fc61ed7287793146b48191352e73a5c8c92. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


a310Logger


Vendor detections: 5


Intelligence 5 IOCs YARA 4 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c4dbc81e8e003295ddf39d7cb73d7fc61ed7287793146b48191352e73a5c8c92
SHA3-384 hash: b080b4f7b45cf8afb7c133d45df77a468379d16e7c2179c28e6344127bf2a93b39df9730e4239d8e53e73e37e7a73d4f
SHA1 hash: 6262999e0ad5533ab5b2a8831db85d75ef6d3488
MD5 hash: 5627f70136a7169cabb92e648311b855
humanhash: timing-yankee-delta-sink
File name:5627f70136a7169cabb92e648311b855
Download: download sample
Signature a310Logger
Create hunting rule
File size:185'856 bytes
First seen:2021-09-23 14:05:45 UTC
Last seen:2021-09-23 16:59:18 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 768:XP04JKayJq0sdYVrDLlDS2hYYRTDZHRRTxoQ5d6n3l78NZPmMSQOHTx:/vwrDLpXDpRoQ5d6n3l78NZPm5Xx
Threatray 4'776 similar samples on MalwareBazaar
TLSH T1BD049879FDFF2A85C210DE3A266DB15A56E19D18CE8B433BE0D472A47E30CC81A4651F
File icon (PE):PE icon
dhash icon 10808c9c8c869810 (3 x a310Logger, 2 x Formbook, 2 x AveMariaRAT)
Reporter zbetcheckin
Tags:32 a310logger exe

Intelligence

File Origin
# of uploads :
3
# of downloads :
127
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
5627f70136a7169cabb92e648311b855
Verdict:
Malicious activity
Analysis date:
2021-09-23 14:17:56 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/f8eab7c0-fa3f-4c6b-ad15-1a91894414f3

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/190787/
Detection(s):
SecuriteInfo.com.W32.MSIL_Agent.BCR.genEldorado.14630.3368.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/f3d521ad-c677-4677-bbb5-52ea243ecb8d
Result
Threat name:
SpyEx a310Logger
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/856582
Signature
.NET source code contains potential unpacker
Allocates memory in foreign processes
Detected unpacking (creates a PE file in dynamic memory)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file access)
Writes to foreign memory regions
Yara detected a310Logger
Yara detected SpyEx stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 489012 Sample: WDZKAV4R3z Startdate: 23/09/2021 Architecture: WINDOWS Score: 100 51 Malicious sample detected (through community Yara rule) 2->51 53 Multi AV Scanner detection for submitted file 2->53 55 Yara detected SpyEx stealer 2->55 57 3 other signatures 2->57 8 WDZKAV4R3z.exe 16 8 2->8         started        13 ner.exe 14 2 2->13         started        15 ner.exe 2 2->15         started        process3 dnsIp4 35 cdn.discordapp.com 162.159.129.233, 443, 49739 CLOUDFLARENETUS United States 8->35 27 C:\Users\user\AppData\Roaming\clea\ner.exe, PE32 8->27 dropped 29 C:\Users\user\AppData\...\WDZKAV4R3z.exe, PE32 8->29 dropped 31 C:\Users\user\...\ner.exe:Zone.Identifier, ASCII 8->31 dropped 33 2 other malicious files 8->33 dropped 65 Writes to foreign memory regions 8->65 67 Allocates memory in foreign processes 8->67 69 Injects a PE file into a foreign processes 8->69 17 WDZKAV4R3z.exe 3 1 8->17         started        37 162.159.130.233, 443, 49796 CLOUDFLARENETUS United States 13->37 71 Multi AV Scanner detection for dropped file 13->71 73 Machine Learning detection for dropped file 13->73 39 162.159.135.233, 443, 49801 CLOUDFLARENETUS United States 15->39 41 192.168.2.1 unknown unknown 15->41 file5 signatures6 process7 signatures8 43 Multi AV Scanner detection for dropped file 17->43 45 Detected unpacking (creates a PE file in dynamic memory) 17->45 47 Machine Learning detection for dropped file 17->47 49 5 other signatures 17->49 20 AppLaunch.exe 2 17->20         started        23 AppLaunch.exe 17->23         started        process9 signatures10 59 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 20->59 61 Tries to steal Mail credentials (via file access) 20->61 63 Tries to harvest and steal browser information (history, passwords, etc) 20->63 25 WerFault.exe 23->25         started        process11
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c4dbc81e8e003295ddf39d7cb73d7fc61ed7287793146b48191352e73a5c8c92/
Threat name:
ByteCode-MSIL.Downloader.Seraph
Create hunting rule
Status:
Malicious
First seen:
2021-09-23 14:06:10 UTC
AV detection:
14 of 28 (50.00%)
Threat level:
  3/5
Verdict:
malicious
Similar samples:
4a0b8f4dbb3acd1bbab1527d90921061bef21f3422250dcc41b8046b77edbd9b
a310Logger
6f0cba180dbf4115883c20ad4f8279c765d449033146d2588069f7f20a2db61e
a310Logger
84b28e876636b333e63e90bf2aa72ca80ff891c8bdebcb85200fba34d865bb91
a310Logger
a530f2e672f2804e0e69d6296ec30ece0d702eef72f38fef01f0005f789c38ab
a310Logger
aa8e727a0957fac665a28efd220b9593c43d15e3a87dff0e4be6c830c0034b48
a310Logger
b281be38a190ca97b700202096f56b29ff68740c0d40273f286e03d52685321e
a310Logger
b301185f13c9f20441ebbbcf360bdd06174cff01b5da49cee874347206a5cdcb
a310Logger
+ 4'766 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  6/10
Tags:
persistence
Link:
https://tria.ge/reports/210923-refraseeap/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Unpacked files
SH256 hash:
c4dbc81e8e003295ddf39d7cb73d7fc61ed7287793146b48191352e73a5c8c92
MD5 hash:
5627f70136a7169cabb92e648311b855
SHA1 hash:
6262999e0ad5533ab5b2a8831db85d75ef6d3488
Link:
https://www.unpac.me/results/a9168753-3db4-460b-8f7f-74e461e657bb/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/c4dbc81e8e00/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.35
Link:
https://yomi.yoroi.company/submissions/c4dbc81e8e003295ddf39d7cb73d7fc61ed7287793146b48191352e73a5c8c92

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_EXE_DiscordURL
Create hunting rule
Author:ditekSHen
Description:Detects executables Discord URL observed in first stage droppers
Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

a310Logger

Executable exe c4dbc81e8e003295ddf39d7cb73d7fc61ed7287793146b48191352e73a5c8c92

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1640876/
Cape
Cape
https://www.capesandbox.com/analysis/190787/

Comments


Avatar
zbet commented on 2021-09-23 14:05:46 UTC

url : hxxp://52.58.97.51/T67/F2/Product_Specifications_Details_200550_RFQ.exe