MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d013f217195c38d4c65063ba7001c7e2bd2b131fa0e130e5f3814ea72f0dd91a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


a310Logger


Vendor detections: 13


Intelligence 13 IOCs YARA 8 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d013f217195c38d4c65063ba7001c7e2bd2b131fa0e130e5f3814ea72f0dd91a
SHA3-384 hash: 73cc6e5e1af63444b928d981c6c4fd938de9fb6ed322722ae746a23fbce9b2333efc9df1852e31e8b104b5e036c7d086
SHA1 hash: 853a1bd7edc947f437e67aabbd93f748d90e3975
MD5 hash: 314b9dee510eca2dfa045520739e6734
humanhash: mobile-bulldog-autumn-lion
File name:ExtrimHack CS2.exe
Download: download sample
Signature a310Logger
Create hunting rule
File size:76'308'480 bytes
First seen:2025-01-30 18:56:22 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash d59a4a699610169663a929d37c90be43 (76 x DCRat, 22 x njrat, 17 x SalatStealer)
ssdeep 1572864:W6GSXPyRXckWqTaYh9iSZoX5si4I38THE0CYYOiPxR19jiw:hXPydnjTa+eGi4pTHEhYY1pnl
Threatray 14 similar samples on MalwareBazaar
TLSH T1D7F7335FD3A14D79F623733C8CAB9A63C563B68ACBB28A4E177401CD1E177C58968311
TrID 49.9% (.EXE) Win64 Executable (generic) (10522/11/4)
21.3% (.EXE) Win32 Executable (generic) (4504/4/1)
9.6% (.EXE) OS/2 Executable (generic) (2029/13)
9.5% (.EXE) Generic Win/DOS Executable (2002/3)
9.4% (.EXE) DOS Executable Generic (2000/1)
Magika pebin
File icon (PE):PE icon
dhash icon 01034c6c6016f098 (1 x a310Logger)
Reporter aachum
Tags:exe VegaStealer


Avatar
iamaachum
https://www.youtube.com/watch?v=AoGdbqWD5I4 => https://disk.yandex.ru/d/OKSRJ0fwPlUc9w

VegaStealer C2: https://api.telegram.org/bot6540906397:AAG08fPgT-V7I17vtz49STaZEuwqXqKshuM/sendMessage?chat_id=5445185021

Intelligence

File Origin
# of uploads :
1
# of downloads :
545
Origin country :
ES ES
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
ExtrimHack CS2.exe
Verdict:
Malicious activity
Analysis date:
2025-01-30 19:03:08 UTC
Tags:
evasion stealer auto a310logger blackguard arch-scr
Link:
https://app.any.run/tasks/0bbdbed7-9ad2-4a14-99d3-50b6e3fcf263

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=679bcc726d96a8d7e4cd26bb
Tags:
infosteal dropper virus sage
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Сreating synchronization primitives
Creating a process from a recently created file
Creating a window
Searching for the window
Searching for synchronization primitives
Creating a file
Creating a process with a hidden window
Creating a file in the %AppData% subdirectories
Reading critical registry keys
Loading a suspicious library
DNS request
Connection attempt
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Launching a process
Sending an HTTP GET request
Running batch commands
Unauthorized injection to a recently created process
Stealing user critical data
Verdict:
Unknown
Threat level:
  2.5/10
Confidence:
100%
Tags:
anti-vm packed packed packed packer_detected
Link:
https://www.filescan.io/uploads/679bcb8126e855d1db532a71/reports/7ad5cb6b-e226-42a5-830d-e73f88803896/overview
Verdict:
Malicious
Labled as:
Dump:Trojan.MSIL.Injector
Link:
https://www.hybrid-analysis.com/sample/d013f217195c38d4c65063ba7001c7e2bd2b131fa0e130e5f3814ea72f0dd91a
Result
Verdict:
MALICIOUS
Result
Threat name:
Ades Stealer, BlackGuard, NitroStealer,
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1603286
Signature
Antivirus / Scanner detection for submitted sample
Found many strings related to Crypto-Wallets (likely being stolen)
Joe Sandbox ML detected suspicious sample
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected Ades Stealer
Yara detected BlackGuard
Yara detected Nitro Stealer
Yara detected Telegram RAT
Yara detected Telegram Recon
Yara detected VEGA Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1603286 Sample: ExtrimHack CS2.exe Startdate: 30/01/2025 Architecture: WINDOWS Score: 100 60 freegeoip.app 2->60 62 ipbase.com 2->62 64 ip-api.com 2->64 76 Malicious sample detected (through community Yara rule) 2->76 78 Antivirus / Scanner detection for submitted sample 2->78 80 Multi AV Scanner detection for submitted file 2->80 84 8 other signatures 2->84 11 ExtrimHack CS2.exe 3 2->11         started        signatures3 82 Tries to detect the country of the analysis system (by using the IP) 60->82 process4 file5 40 extrimhack_cs2_che...free_29.01.2025.exe, PE32+ 11->40 dropped 42 C:\Users\user\AppData\...\VegaStealer_v2.exe, PE32 11->42 dropped 14 extrimhack_cs2_cheats_free_29.01.2025.exe 1 361 11->14         started        17 VegaStealer_v2.exe 17 11->17         started        process6 file7 44 C:\Users\user\AppData\...\new-installer.exe, PE32 14->44 dropped 46 C:\Users\user\AppData\Local\Temp\...\zip.dll, PE32+ 14->46 dropped 48 C:\Users\user\AppData\Local\...\wsdetect.dll, PE32+ 14->48 dropped 56 129 other files (none is malicious) 14->56 dropped 20 new-installer.exe 14->20         started        50 C:\Users\user\AppData\Local\Temp\v2.exe, PE32 17->50 dropped 52 C:\Users\user\...\System.Data.SQLite.dll, PE32 17->52 dropped 54 C:\Users\user\...\System.Data.SQLite.Linq.dll, PE32 17->54 dropped 58 6 other files (none is malicious) 17->58 dropped 72 Found many strings related to Crypto-Wallets (likely being stolen) 17->72 74 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 17->74 22 v2.exe 15 112 17->22         started        signatures8 process9 dnsIp10 26 javaw.exe 23 20->26         started        66 ip-api.com 208.95.112.1, 49712, 49719, 80 TUT-ASUS United States 22->66 68 freegeoip.app 104.21.32.1, 443, 49700 CLOUDFLARENETUS United States 22->68 70 ipbase.com 172.67.209.71, 443, 49701 CLOUDFLARENETUS United States 22->70 86 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 22->86 88 Tries to harvest and steal browser information (history, passwords, etc) 22->88 90 Tries to steal Crypto Currency Wallets 22->90 signatures11 process12 process13 28 cmd.exe 26->28         started        30 icacls.exe 26->30         started        process14 32 conhost.exe 28->32         started        34 chcp.com 28->34         started        36 reg.exe 28->36         started        38 conhost.exe 30->38         started       
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/d013f217195c38d4c65063ba7001c7e2bd2b131fa0e130e5f3814ea72f0dd91a
Gathering data
Threat name:
Win32.Trojan.Dorv
Create hunting rule
Status:
Malicious
First seen:
2025-01-30 18:57:11 UTC
File Type:
PE (Exe)
Extracted files:
39097
AV detection:
30 of 38 (78.95%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=2aj7efyzlq4njrsqmo5haaoh4k6swey7udqtbzptqfhkolyn3ena._file
Verdict:
malicious
Label(s):
vegastealer
Create hunting rule
unknown_loader_033
Create hunting rule
Similar samples:
1b98a1d62cb0348ca334d047f4167f8bacd8de51829284a9be50e72d010e1cb8
a310Logger
7a239a87c0785429e4ac4b42b826c7157244c565b5b97f0f43272fdbc125ec9a
a310Logger
9f3b062a0f8caf16be80ac44ade55a8b8e8928ef87ae909f5d6d52aa44208193
a310Logger
a05a92482886414862165e0c79799d9e942894a0a16b384fef383965603f3a60
a310Logger
bf7057293d871cac087daab42daf22c1737a1df6adc7b7963989658f3b65f4cc
a310Logger
error
a310Logger
+ 4 additional samples on MalwareBazaar
Result
Malware family:
blackguard
Create hunting rule
Score:
  10/10
Tags:
family:blackguard discovery spyware stealer
Link:
https://tria.ge/reports/250130-xlxlaazlbx/
Behaviour
Checks processor information in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Browser Information Discovery
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Accesses cryptocurrency files/wallets, possible credential harvesting
Looks up external IP address via web service
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Modifies file permissions
Reads user/profile data of web browsers
BlackGuard
Blackguard family
Malware Config
C2 Extraction:
https://api.telegram.org/bot6540906397:AAG08fPgT-V7I17vtz49STaZEuwqXqKshuM/sendMessage?chat_id=5445185021
Verdict:
Malicious
Tags:
Win.Trojan.Injector-6297685-1 external_ip_lookup
YARA:
n/a
Link:
https://app.threat.zone/submission/a0211070-1ca5-48ef-a6b3-dbcecf5211af
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/d013f217195c/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_beacon_detected
Create hunting rule
Author:0x0d4y
Description:This rule detects cobalt strike beacons.
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SelfExtractingRAR
Create hunting rule
Author:Xavier Mertens
Description:Detects an SFX archive with automatic script execution
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

a310Logger

Executable exe d013f217195c38d4c65063ba7001c7e2bd2b131fa0e130e5f3814ea72f0dd91a

(this sample)

a310Logger

Executable exe c692dfc29e70a17cabc19561e8e2662e1fe32fdba998a09fe1a8dc2b7e045b34

  
Link
https://tria.ge/250130-xg52vszkax/
  
Dropping
MD5 9f4f298bcf1d208bd3ce3907cfb28480
  
Dropping
MD5 3f62213d184b639a0a62bcb1e65370a8
  
Delivery method
Distributed via web download
  
Dropping
SHA256 c692dfc29e70a17cabc19561e8e2662e1fe32fdba998a09fe1a8dc2b7e045b34

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_NXMissing Non-Executable Memory Protectioncritical
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh
Reviews
IDCapabilitiesEvidence
SHELL_APIManipulates System Shellshell32.dll::ShellExecuteA
WIN32_PROCESS_APICan Create Process and Threadskernel32.dll::CloseHandle
WIN_BASE_IO_APICan Create Fileskernel32.dll::CreateFileA
kernel32.dll::GetWindowsDirectoryA
kernel32.dll::GetSystemDirectoryA
kernel32.dll::GetTempPathA

Comments