MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d50e53128afae84f81f41fce22e7ce3f13442485d7c7ce3bb1417afaba6c9c05. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


a310Logger


Vendor detections: 13


Intelligence 13 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d50e53128afae84f81f41fce22e7ce3f13442485d7c7ce3bb1417afaba6c9c05
SHA3-384 hash: a44487d53dd5e2a78176b2f5a09193f3bfa4888b41ffe01c233e98172d95eddc731749db654af76c1c01c03309071821
SHA1 hash: 0b0dcb23577efc327acdd2ff052bb3d54693d715
MD5 hash: 888a18230e69a8ba0c420042bcb6e758
humanhash: fourteen-mockingbird-beer-enemy
File name:DETAILS AND INVOICES.exe
Download: download sample
Signature a310Logger
Create hunting rule
File size:2'492'928 bytes
First seen:2023-03-08 14:24:11 UTC
Last seen:2023-03-08 15:28:09 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 24576:sE9iqdFA3SA2PWRLxlTP0q0prBMsOZORHJd5SbyBRJ4y4c2TsdZh8FzxZ+hLAwKu:79vgIWRbb0RtYQBXhcOatvd4oS
Threatray 89 similar samples on MalwareBazaar
TLSH T117B5AEF18E52FD91D7AB1DA490DC2AC04C4C1F9B82A98548FCD83516E2F66A4EFCD5B0
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon a51d21116565090f (1 x a310Logger)
Reporter malwarelabnet
Tags:a310logger BluStealer exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
295
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
DETAILS AND INVOICES.exe
Verdict:
Malicious activity
Analysis date:
2023-03-08 14:26:59 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/0e3a7cef-4240-4890-962f-804b912464e4

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
A310Logger
Create hunting rule
Link:
https://www.capesandbox.com/analysis/372604/
Detection(s):
SecuriteInfo.com.Trojan.Inject4.30942.17709.271.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a custom TCP request
Сreating synchronization primitives
Launching a process
Creating a process with a hidden window
Creating a file in the %AppData% subdirectories
Unauthorized injection to a recently created process
Creating a file
Creating a window
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Link:
https://www.filescan.io/uploads/64089ac18b48bcea611f1db8/reports/d5a68753-c476-4310-8a73-e665131fc55e/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/d50e53128afae84f81f41fce22e7ce3f13442485d7c7ce3bb1417afaba6c9c05
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/ccf70710-6f69-47be-a064-b61d96812334
Result
Threat name:
BluStealer, ThunderFox Stealer, a310Logg
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1189693
Signature
Allocates memory in foreign processes
Encrypted powershell cmdline option found
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file / registry access)
Uses the Telegram API (likely for C&C communication)
Writes to foreign memory regions
Yara detected a310Logger
Yara detected BluStealer
Yara detected Generic Downloader
Yara detected ThunderFox Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 822565 Sample: DETAILS_AND_INVOICES.exe Startdate: 08/03/2023 Architecture: WINDOWS Score: 100 52 api.telegram.org 2->52 70 Malicious sample detected (through community Yara rule) 2->70 72 Multi AV Scanner detection for submitted file 2->72 74 Yara detected ThunderFox Stealer 2->74 76 6 other signatures 2->76 8 Oxpurhx.exe 4 2->8         started        11 DETAILS_AND_INVOICES.exe 1 7 2->11         started        15 Oxpurhx.exe 3 2->15         started        signatures3 process4 dnsIp5 78 Multi AV Scanner detection for dropped file 8->78 80 Machine Learning detection for dropped file 8->80 82 Encrypted powershell cmdline option found 8->82 17 Oxpurhx.exe 8->17         started        21 powershell.exe 8->21         started        54 192.168.2.1 unknown unknown 11->54 44 C:\Users\user\AppData\Roaming\...\Oxpurhx.exe, PE32 11->44 dropped 46 C:\Users\user\...\Oxpurhx.exe:Zone.Identifier, ASCII 11->46 dropped 48 C:\Users\...\DETAILS_AND_INVOICES.exe.log, ASCII 11->48 dropped 84 Injects a PE file into a foreign processes 11->84 23 DETAILS_AND_INVOICES.exe 1 7 11->23         started        25 powershell.exe 16 11->25         started        27 powershell.exe 15->27         started        29 Oxpurhx.exe 15->29         started        31 Oxpurhx.exe 15->31         started        file6 signatures7 process8 dnsIp9 62 Writes to foreign memory regions 17->62 64 Allocates memory in foreign processes 17->64 66 Tries to steal Crypto Currency Wallets 17->66 33 AppLaunch.exe 17->33         started        36 conhost.exe 21->36         started        50 api.telegram.org 149.154.167.220, 443, 49723, 49724 TELEGRAMRU United Kingdom 23->50 68 Injects a PE file into a foreign processes 23->68 38 AppLaunch.exe 2 23->38         started        40 conhost.exe 25->40         started        42 conhost.exe 27->42         started        signatures10 process11 signatures12 56 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 33->56 58 Tries to steal Mail credentials (via file / registry access) 33->58 60 Tries to harvest and steal browser information (history, passwords, etc) 33->60
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d50e53128afae84f81f41fce22e7ce3f13442485d7c7ce3bb1417afaba6c9c05/
Threat name:
ByteCode-MSIL.Trojan.Scarsi
Create hunting rule
Status:
Malicious
First seen:
2023-03-08 02:17:20 UTC
File Type:
PE (.Net Exe)
Extracted files:
14
AV detection:
18 of 38 (47.37%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=2uhfgeuk7lue7apud7hcfz6oh4juijef27d44o5rif5pvotmtqcq._file
Verdict:
malicious
Similar samples:
1c5bf7e3edbccd4fe44d97baba8529438169f346769e109b2b660d1b45b2a02b
a310Logger
20919ab5a667f7a8ef3d7d1e614f3e448bf875a066ac56c257e2e07878f6e336
a310Logger
4c1286920e0fbb0e4269f4b64ec6ca052076414a24af72f2e1a82f516a21bf52
a310Logger
58d5286e5694f883d2452a81e5f6e77413292ba388300a6e44dd0f91e217aff1
a310Logger
91be6258668b873244ec00091e663437dbb0967ee31406538376560de2b9a0e2
a310Logger
9842d23cef4dc305ab6b8cd1ade477e1186d94cfd18861e1c87a55aff4d04c40
a310Logger
9ee2d324d8076b2b924ebdfbc678165a46089b8e413b292da28f6e9724e657a2
a310Logger
c75c9aa6a59390063715c53c31d399ee5da8d2e03dd7abaae9e369d4b4e5354c
a310Logger
f4b8876d0421a1d904d6bba62ed2ea0e966b33527e19a87603ffc5e76dd98450
a310Logger
+ 79 additional samples on MalwareBazaar
Result
Malware family:
blustealer
Create hunting rule
Score:
  10/10
Tags:
family:blustealer collection persistence spyware stealer
Link:
https://tria.ge/reports/230308-rrae2sad5s/
Behaviour
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks computer location settings
BluStealer
Malware Config
C2 Extraction:
https://api.telegram.org/bot5813496253:AAF4hamIx4-mNmFF1DwsqdJ4F9vUBmFqLo/sendMessage?chat_id=1105271645
Unpacked files
SH256 hash:
fc9bb9746aaa4e07944b2c1338d26ac852531a6e6c97e98f6a56202d27ff607c
MD5 hash:
d2ec533f8b40a8224d79c87c2291f943
SHA1 hash:
f305fa4c5c8525e853fbdbcf5c8cedad9ba08fd2
Link:
https://www.unpac.me/results/e510e7e3-1930-4bb1-95e3-3fb7f7728b60/
SH256 hash:
33c17023760ca7362648d183315971d882ff9d14e74cb0c3361a150912e60791
MD5 hash:
64653b61e9a9d6013d8b5f716fc1db3a
SHA1 hash:
734f65d154ee2e44f79e9ddc4a3878cfe228e868
Link:
https://www.unpac.me/results/e510e7e3-1930-4bb1-95e3-3fb7f7728b60/
SH256 hash:
d57f0d6053c451769e2661cf258568d4f6222a8750ef30d66219e2b69e595ee8
MD5 hash:
1ff9f004718af6adefa9fbb6f9955208
SHA1 hash:
e72b30dd434841d106f40c7d66e722cd8b9b14a1
Link:
https://www.unpac.me/results/e510e7e3-1930-4bb1-95e3-3fb7f7728b60/
SH256 hash:
7123566d71d2fd588fa4a408a7ef476b409d0e74929601c636f1fbc5b5854135
MD5 hash:
8f7226104c4d7d8f2370189621507367
SHA1 hash:
dedb13ae4dec7788290a73162d7e63ef1e5cc7da
Link:
https://www.unpac.me/results/e510e7e3-1930-4bb1-95e3-3fb7f7728b60/
SH256 hash:
a9973079f1a045eae7f3b195c997eb78034a633bc81e335cbbcec37eca305de2
MD5 hash:
3b477fb231942dd50553050e6a3f4097
SHA1 hash:
b9a7690d059799c8b1037c2a8ba68dd29d11b09c
Link:
https://www.unpac.me/results/e510e7e3-1930-4bb1-95e3-3fb7f7728b60/
SH256 hash:
8cb3b62843597975078518c821c5d8c7a3c552dfb56d8302687f4d1d9cda8c8c
MD5 hash:
301c783d0ec6b8bf0e95535b47fc1c5a
SHA1 hash:
a3946407e9e77a2a4050fb1bd3c7f3e54a2f2953
Link:
https://www.unpac.me/results/e510e7e3-1930-4bb1-95e3-3fb7f7728b60/
SH256 hash:
0c6fec250f2f335900a5a96505648425e793f096b2c9e7fbf656079b18d3d0c0
MD5 hash:
e26d2a516dfa72b0f1ae783ca5cfabb7
SHA1 hash:
856e7a5fca9d429056f833ce0b8a7a117db2112b
Link:
https://www.unpac.me/results/e510e7e3-1930-4bb1-95e3-3fb7f7728b60/
SH256 hash:
d50e53128afae84f81f41fce22e7ce3f13442485d7c7ce3bb1417afaba6c9c05
MD5 hash:
888a18230e69a8ba0c420042bcb6e758
SHA1 hash:
0b0dcb23577efc327acdd2ff052bb3d54693d715
Link:
https://www.unpac.me/results/e510e7e3-1930-4bb1-95e3-3fb7f7728b60/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/d50e53128afa/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d50e53128afae84f81f41fce22e7ce3f13442485d7c7ce3bb1417afaba6c9c05

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:INDICATOR_SUSPICIOUS_EXE_TelegramChatBot
Create hunting rule
Author:ditekSHen
Description:Detects executables using Telegram Chat Bot
Rule name:MALWARE_Win_A310Logger
Create hunting rule
Author:ditekSHen
Description:Detects A310Logger
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/372604/

Comments