MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d4ac60606ebb8df8a2b8d311c9262442978eeb65067e8940283e3a132efb2525. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


a310Logger


Vendor detections: 7


Intelligence 7 IOCs YARA 4 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d4ac60606ebb8df8a2b8d311c9262442978eeb65067e8940283e3a132efb2525
SHA3-384 hash: d54863e38c685fdb1b7136ef4ef04531ea30441d6a07184dc09bf34cb609cb0ab86e60379a5a5ac9cf4d77bc2ac53b30
SHA1 hash: 4661b629995f3c4110b66afd4df827870923e47c
MD5 hash: 78b2374d9d1810345aa8633ba8282a57
humanhash: table-fruit-chicken-vegan
File name:78b2374d9d1810345aa8633ba8282a57
Download: download sample
Signature a310Logger
Create hunting rule
File size:758'768 bytes
First seen:2021-08-10 16:04:56 UTC
Last seen:2021-08-10 16:53:24 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'665 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:+4JQ/AKt4AXV5nLrrxeK0wBl7zCzbJqmyegzGHFWGpqqENvK0rCIkEytW3spU1:9J+tBXV5n506CzvgyHUu7ENy0rdkEk61
Threatray 955 similar samples on MalwareBazaar
TLSH T12CF41252AA57D222CAC88977C0C76C7C07A2EE437626C55336CE3F093536BA97DC990D
dhash icon 27f0d8d4d4d8f027 (16 x AgentTesla, 6 x NanoCore, 5 x DarkCloud)
Reporter zbetcheckin
Tags:32 a310logger exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
141
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
78b2374d9d1810345aa8633ba8282a57
Verdict:
Suspicious activity
Analysis date:
2021-08-10 16:07:16 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/c13d0e79-7bb5-42a2-965d-e1e74db03bbf

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/178026/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.46765249.16624.28803.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Creating a file in the %AppData% subdirectories
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a file
Using the Windows Management Instrumentation requests
Launching a process
Launching the default Windows debugger (dwwin.exe)
Creating a process with a hidden window
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Unauthorized injection to a system process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Quasar RAT
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/92739295-7751-4b58-b85d-db437288d803
Result
Threat name:
StormKitty a310Logger
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/830351
Signature
.NET source code contains potential unpacker
Allocates memory in foreign processes
Detected unpacking (creates a PE file in dynamic memory)
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file access)
Writes to foreign memory regions
Yara detected a310Logger
Yara detected StormKitty Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 462779 Sample: k052XLjAHg Startdate: 10/08/2021 Architecture: WINDOWS Score: 100 49 icanhazip.com 2->49 51 192.168.2.1 unknown unknown 2->51 53 2 other IPs or domains 2->53 85 Malicious sample detected (through community Yara rule) 2->85 87 Multi AV Scanner detection for dropped file 2->87 89 Multi AV Scanner detection for submitted file 2->89 93 4 other signatures 2->93 9 k052XLjAHg.exe 1 8 2->9         started        13 paint.exe 2->13         started        signatures3 91 May check the online IP address of the machine 49->91 process4 file5 39 C:\Users\user\AppData\Roaming\...\paint.exe, PE32 9->39 dropped 41 C:\Users\user\AppData\...\k052XLjAHg.exe, PE32 9->41 dropped 43 C:\Users\user\...\paint.exe:Zone.Identifier, ASCII 9->43 dropped 47 2 other malicious files 9->47 dropped 105 Writes to foreign memory regions 9->105 107 Injects a PE file into a foreign processes 9->107 15 k052XLjAHg.exe 1 9->15         started        19 k052XLjAHg.exe 9->19         started        45 C:\Users\user\AppData\Local\Temp\paint.exe, PE32 13->45 dropped signatures6 process7 dnsIp8 63 bojtai.xyz 199.188.200.110, 49744, 49755, 587 NAMECHEAP-NETUS United States 15->63 65 Writes to foreign memory regions 15->65 67 Allocates memory in foreign processes 15->67 69 Tries to steal Crypto Currency Wallets 15->69 71 Injects a PE file into a foreign processes 15->71 21 AppLaunch.exe 15 5 15->21         started        26 AppLaunch.exe 4 15->26         started        28 AppLaunch.exe 1 15->28         started        30 AppLaunch.exe 15->30         started        73 Multi AV Scanner detection for dropped file 19->73 75 Detected unpacking (creates a PE file in dynamic memory) 19->75 77 Performs DNS queries to domains with low reputation 19->77 79 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 19->79 signatures9 process10 dnsIp11 55 icanhazip.com 104.18.7.156, 49742, 49753, 49754 CLOUDFLARENETUS United States 21->55 57 57.122.6.0.in-addr.arpa 21->57 35 C:\Users\user\AppData\...\ZFjGoAVN.exe, PE32 21->35 dropped 95 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 21->95 97 May check the online IP address of the machine 21->97 99 Tries to steal Instant Messenger accounts or passwords 21->99 32 ZFjGoAVN.exe 21->32         started        59 104.18.6.156, 49743, 80 CLOUDFLARENETUS United States 26->59 61 57.122.6.0.in-addr.arpa 26->61 37 C:\Users\user\AppData\...\MNpneSqW.exe, PE32 26->37 dropped 101 Tries to steal Mail credentials (via file access) 26->101 103 Tries to harvest and steal browser information (history, passwords, etc) 26->103 file12 signatures13 process14 signatures15 81 Multi AV Scanner detection for dropped file 32->81 83 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 32->83
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d4ac60606ebb8df8a2b8d311c9262442978eeb65067e8940283e3a132efb2525/
Threat name:
ByteCode-MSIL.Downloader.Seraph
Create hunting rule
Status:
Malicious
First seen:
2021-08-09 18:18:01 UTC
AV detection:
18 of 28 (64.29%)
Threat level:
  3/5
Verdict:
unknown
Similar samples:
01dccd80e7c6948853bacb394d25995d5886f84c05bfbb506b4c5862d8221901
a310Logger
1c29ee414b011a411db774015a98a8970bf90c3475f91f7547a16a8946cd5a81
a310Logger
3abd941389c4d76a2e36c0c4468aab3b891925225f63bd5e280dd1c986311099
a310Logger
55f1a2084fd1c1d5477519f06b02aa4fa4d917aaceffd116fc45820dc49a7795
a310Logger
69c0dfdb136e864341810ac7ac86ce413c9de466d775651e5bf6eeeeebb0e7c2
a310Logger
87763547e91a17c7070d90ab3619415a470e8bf4397a57ad38d0b3dd43fc45c7
a310Logger
8a7a54c2c7952b89a9bd9898ee42e52da9aeb17e41a878f2a5236401f3e14efa
a310Logger
b8f8eab3a49bec6b9306853e8e5e2da49ba66b5773b259a2d6edfba479d10e85
a310Logger
ef84b2ff04124e92bb1f3cd7d7ea4f8c61d130b0171a66586fb72ce46a28057b
a310Logger
f8fc64a8c85d805e7f6314711dc42052000c831657472cd65a9becb50ad3263c
a310Logger
+ 945 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  6/10
Tags:
persistence
Link:
https://tria.ge/reports/210810-ptcjnrye1s/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Unpacked files
SH256 hash:
dfeef15868f572db266932ed98ef96238adbfd977488bb52eacae0c84a02fdf4
MD5 hash:
78bb8a92b90a92ecacf698643bf98738
SHA1 hash:
5ffa38a85cfb6fb5a04a6753159397a93baa2c43
Link:
https://www.unpac.me/results/639342da-a306-4815-835e-e5082e773bbb/
SH256 hash:
7c740039ca4da493b36a2b12204728b6a506f0f3f0c44f2c72a3988e381e6a57
MD5 hash:
98728e267079d59ca73a66951cf8c879
SHA1 hash:
c769fc1851ccb01db6652d1eede2840d45b4bfb9
Link:
https://www.unpac.me/results/639342da-a306-4815-835e-e5082e773bbb/
SH256 hash:
50863363a0d15a737362940ce8c87d2307ae04b3e5ea8deb5390048cdbc46788
MD5 hash:
25d38272ccbe222afa79afd9bcdbc38d
SHA1 hash:
50c70e5be692a4853f833a0f88373a1246112102
Link:
https://www.unpac.me/results/639342da-a306-4815-835e-e5082e773bbb/
SH256 hash:
d4ac60606ebb8df8a2b8d311c9262442978eeb65067e8940283e3a132efb2525
MD5 hash:
78b2374d9d1810345aa8633ba8282a57
SHA1 hash:
4661b629995f3c4110b66afd4df827870923e47c
Link:
https://www.unpac.me/results/639342da-a306-4815-835e-e5082e773bbb/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/d4ac60606ebb/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.03
Link:
https://yomi.yoroi.company/submissions/d4ac60606ebb8df8a2b8d311c9262442978eeb65067e8940283e3a132efb2525

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_KB_CERT_1f3216f428f850be2c66caa056f6d821
Create hunting rule
Author:ditekSHen
Description:Detects executables signed with stolen, revoked or invalid certificates
Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

a310Logger

Executable exe d4ac60606ebb8df8a2b8d311c9262442978eeb65067e8940283e3a132efb2525

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/178026/
  
URLhaus
https://urlhaus.abuse.ch/url/1522433/

Comments


Avatar
zbet commented on 2021-08-10 16:04:57 UTC

url : hxxp://auto-house.info/ID4/mmicoo1.exe