MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cb5bc89cd1ed26277efef096f0db68a21d74e301e866e7bb14fb0c1207cd64eb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


a310Logger


Vendor detections: 6


Intelligence 6 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: cb5bc89cd1ed26277efef096f0db68a21d74e301e866e7bb14fb0c1207cd64eb
SHA3-384 hash: c1ab95b1f6bfeb7aaef565f4db85db81d434f22ed2783e1f08d9aa46585532e9dbe9c86f5d162f0fbca6008c4406bbb1
SHA1 hash: 59b23e3d3e4bf960fba68f400a6b813e2487b363
MD5 hash: b646ed8897b9acfa44fe77005f445049
humanhash: wolfram-april-happy-purple
File name:New_Request_1784512000187.exe
Download: download sample
Signature a310Logger
Create hunting rule
File size:929'792 bytes
First seen:2021-08-30 20:36:19 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'604 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:waLJUieifF9KBS/grsuM4gABESnZdInHDLh8ivkj2W1MW0gju:9Vd/KBUgrsuMGjdInJ8cW1
Threatray 406 similar samples on MalwareBazaar
TLSH T1F415D52C7E314672ED6D94304D220AAD7B121A07D2836D8367DA2DCEFBCBC529D469F4
dhash icon e0d8cec6c6c6cce0 (2 x SnakeKeylogger, 2 x FormBook, 2 x NanoCore)
Reporter James_inthe_box
Tags:a310logger exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
126
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
New_Request_1784512000187.exe
Verdict:
Suspicious activity
Analysis date:
2021-08-30 20:37:37 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/94a72ee0-ec57-4e12-a8d4-e0d4f3545ae9

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/183900/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
DNS request
Connection attempt
Using the Windows Management Instrumentation requests
Sending a UDP request
Launching a process
Unauthorized injection to a system process
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/4d5824cc-809b-45e8-9c5e-d89785ba85f5
Result
Threat name:
StormKitty a310Logger
Create hunting rule
Detection:
malicious
Classification:
spre.phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/841961
Signature
.NET source code contains potential unpacker
Allocates memory in foreign processes
Binary or sample is protected by dotNetProtector
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: RegAsm connects to smtp port
Sigma detected: Suspicious Process Start Without DLL
Tries to delay execution (extensive OutputDebugStringW loop)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected a310Logger
Yara detected StormKitty Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 474389 Sample: New_Request_1784512000187.exe Startdate: 30/08/2021 Architecture: WINDOWS Score: 100 73 Malicious sample detected (through community Yara rule) 2->73 75 Multi AV Scanner detection for submitted file 2->75 77 Sigma detected: RegAsm connects to smtp port 2->77 79 7 other signatures 2->79 8 New_Request_1784512000187.exe 15 4 2->8         started        12 uspvg.exe 14 3 2->12         started        process3 dnsIp4 61 google.com 142.250.185.142, 49724, 49729, 80 GOOGLEUS United States 8->61 63 www.google.com 142.250.186.132, 49725, 49730, 80 GOOGLEUS United States 8->63 65 192.168.2.1 unknown unknown 8->65 85 Writes to foreign memory regions 8->85 87 Tries to delay execution (extensive OutputDebugStringW loop) 8->87 89 Injects a PE file into a foreign processes 8->89 14 RegAsm.exe 1 8->14         started        18 cmd.exe 3 8->18         started        21 cmd.exe 1 8->21         started        91 Multi AV Scanner detection for dropped file 12->91 93 Machine Learning detection for dropped file 12->93 23 cmd.exe 12->23         started        25 cmd.exe 12->25         started        27 RegAsm.exe 12->27         started        signatures5 process6 dnsIp7 71 bojtai.club 198.187.29.145, 49738, 49748, 49749 NAMECHEAP-NETUS United States 14->71 95 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 14->95 97 Writes to foreign memory regions 14->97 99 Allocates memory in foreign processes 14->99 103 2 other signatures 14->103 29 AppLaunch.exe 14 5 14->29         started        34 AppLaunch.exe 14->34         started        36 AppLaunch.exe 1 14->36         started        38 AppLaunch.exe 14->38         started        55 C:\Users\user\AppData\Roaming\...\uspvg.exe, PE32 18->55 dropped 57 C:\Users\user\...\uspvg.exe:Zone.Identifier, ASCII 18->57 dropped 40 conhost.exe 18->40         started        101 Uses schtasks.exe or at.exe to add and modify task schedules 21->101 42 conhost.exe 21->42         started        44 schtasks.exe 1 21->44         started        48 2 other processes 23->48 46 conhost.exe 25->46         started        file8 signatures9 process10 dnsIp11 67 icanhazip.com 104.18.6.156, 49728, 80 CLOUDFLARENETUS United States 29->67 69 54.229.13.0.in-addr.arpa 29->69 59 C:\Users\user\AppData\...\yaLyOQPi.exe, PE32 29->59 dropped 105 Tries to steal Instant Messenger accounts or passwords 29->105 107 Tries to steal Mail credentials (via file access) 29->107 109 Tries to harvest and steal browser information (history, passwords, etc) 29->109 50 yaLyOQPi.exe 29->50         started        111 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 34->111 113 May check the online IP address of the machine 34->113 53 WerFault.exe 34->53         started        file12 signatures13 process14 signatures15 81 Multi AV Scanner detection for dropped file 50->81 83 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 50->83
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/cb5bc89cd1ed26277efef096f0db68a21d74e301e866e7bb14fb0c1207cd64eb/
Threat name:
ByteCode-MSIL.Trojan.Bingoml
Create hunting rule
Status:
Malicious
First seen:
2021-08-30 20:35:13 UTC
File Type:
PE (.Net Exe)
Extracted files:
48
AV detection:
14 of 46 (30.43%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=znn4rhgr5utco7x66clpbw3iuioxjyyb5btopoyu7mgbeb6nmtvq._file
Verdict:
unknown
Similar samples:
028fb2b55806708dc61ab34ad360998449e5710eca9d0f85cae4987c6144acf6
a310Logger
36d0c6d5280a29e061d07ad6eac7236e063ee8023ac398bb6d3f34a3f8aacb83
a310Logger
55580a7b5ec8510e0bf498f20928778b6c7b2071a31d8332f809a7a718c66b48
a310Logger
5b9eef2199515e5bf4cd00a176b35747f8bc9984183213fec864aca2c1918a70
a310Logger
71f5a0e02cfd97625bfaf4c5e48825b8b08262a7ac89f1b7f8ae82c1200205f8
a310Logger
846c3069227802dc9a79fe7ffdeaf474866d52653a620a5d03e91c23732127b8
a310Logger
b28ddf6937378f3b331f7f19b968e4f0f785d3799aafe32758b6be2496dd6f69
a310Logger
c274d34d71a4dfd793b69aeb11803f43d0f5a3e3e4117f7c34f658823bee14ff
a310Logger
ef9e853a343f1d3588eeaf60c443add28e376fd97f3bc77309b8436349b60bb3
a310Logger
fce1e5d65d8375a41cd61ec690febb3ca3d2b6745194cc7b0f54727bf48197a9
a310Logger
+ 396 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://tria.ge/reports/210830-7ecrse3ekx/
Behaviour
Creates scheduled task(s)
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Executes dropped EXE
Unpacked files
SH256 hash:
cb5bc89cd1ed26277efef096f0db68a21d74e301e866e7bb14fb0c1207cd64eb
MD5 hash:
b646ed8897b9acfa44fe77005f445049
SHA1 hash:
59b23e3d3e4bf960fba68f400a6b813e2487b363
Link:
https://www.unpac.me/results/95f02bdf-215d-430c-b742-7449cb0ee267/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/cb5bc89cd1ed/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.35
Link:
https://yomi.yoroi.company/submissions/cb5bc89cd1ed26277efef096f0db68a21d74e301e866e7bb14fb0c1207cd64eb

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_SmartAssembly
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with SmartAssembly
Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/183900/

Comments