MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 dbffbfb04cf4eff8edef37a4fef2e9239a456d1e9724870d464dfe66ef8de885. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


a310Logger


Vendor detections: 17


Intelligence 17 IOCs YARA 20 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: dbffbfb04cf4eff8edef37a4fef2e9239a456d1e9724870d464dfe66ef8de885
SHA3-384 hash: 426fbe25f2bb90461191ef3edf0957264afde229f7d65b8ec79bb6e159a1f9a2c67aa17441085521e61b14bf3181d1d4
SHA1 hash: 559f7ac02558685dc2722490b5447ee153a20800
MD5 hash: e7b10521c95558916ddc500a113e938c
humanhash: mars-grey-muppet-nineteen
File name:INVOICE#098765456789000098765.exe
Download: download sample
Signature a310Logger
Create hunting rule
File size:1'738'752 bytes
First seen:2025-10-02 10:07:02 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 0da2d0647f5cec310f75c300db820389 (1 x a310Logger, 1 x AgentTesla, 1 x RemcosRAT)
ssdeep 49152:LYHJWQe0iIbQLToMxvXMLG412TZ7Gpr22f+PboM4R:LYHDe09MvXs6zt4
Threatray 10 similar samples on MalwareBazaar
TLSH T1D085B052B3508936D53729340C0BABA56915BD103974F98A3BED3DCC4FFBA81381AE97
TrID 35.4% (.EXE) Win64 Executable (generic) (10522/11/4)
22.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
15.1% (.EXE) Win32 Executable (generic) (4504/4/1)
6.9% (.EXE) Win16/32 Executable Delphi generic (2072/23)
6.8% (.EXE) OS/2 Executable (generic) (2029/13)
Magika pebin
Reporter threatcat_ch
Tags:a310logger exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
100
Origin country :
CH CH
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
INVOICE098765456789000098765.exe
Verdict:
Malicious activity
Analysis date:
2025-10-02 06:49:54 UTC
Tags:
delphi dbatloader loader auto-sch
Link:
https://app.any.run/tasks/0ea54a67-a174-42dd-80fd-8c9c9619e3db

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/29908/
Verdict:
Malicious
Score:
97.4%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68de2091b54520161ad450f7
Tags:
delphi emotet
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a window
Creating a file
Running batch commands
Creating a process with a hidden window
Launching a process
Creating a process from a recently created file
Sending a custom TCP request
Creating a file in the %AppData% subdirectories
Reading critical registry keys
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Moving of the original file
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Stealing user critical data
Enabling autorun by creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
adaptive-context anti-debug borland_delphi fingerprint keylogger masquerade overlay packed zero
Link:
https://www.filescan.io/uploads/68de4ef5c564c8e81d0c6cbe/reports/fdad51c7-6764-4690-a26a-caa4d55d7978/overview
Verdict:
Malicious
Labled as:
TrojanDownloader/ModiLoader.a
Link:
https://www.hybrid-analysis.com/sample/dbffbfb04cf4eff8edef37a4fef2e9239a456d1e9724870d464dfe66ef8de885
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-10-02T03:31:00Z UTC
Last seen:
2025-10-04T06:48:00Z UTC
Hits:
~1000
Detections:
Trojan-PSW.Win32.Pycoon.sb Trojan-PSW.Win32.Stelega.sb Trojan-PSW.Win32.DarkCloud.sb Trojan-PSW.Win32.Stealer.sb HEUR:Trojan.Win32.DelfInject.gen
Link:
https://opentip.kaspersky.com/dbffbfb04cf4eff8edef37a4fef2e9239a456d1e9724870d464dfe66ef8de885/results?tab=lookup
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/17af4d39-f689-474c-8b1a-fd5f810de3f7
Result
Threat name:
DBatLoader, DarkCloud
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1788017
Signature
Allocates many large memory junks
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Drops PE files to the user root directory
Initial sample is a PE file and has a suspicious name
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sample uses process hollowing technique
Sigma detected: DLL Search Order Hijackig Via Additional Space in Path
Sigma detected: Execution from Suspicious Folder
Sigma detected: Files With System Process Name In Unsuspected Locations
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected DarkCloud
Yara detected DBatLoader
Yara detected Generic Dropper
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1788017 Sample: INVOICE#098765456789000098765.exe Startdate: 02/10/2025 Architecture: WINDOWS Score: 100 35 Malicious sample detected (through community Yara rule) 2->35 37 Antivirus / Scanner detection for submitted sample 2->37 39 Multi AV Scanner detection for submitted file 2->39 41 9 other signatures 2->41 7 INVOICE#098765456789000098765.exe 7 2->7         started        11 rundll32.exe 3 2->11         started        process3 file4 33 C:\Users\Public\nawhxwjB.exe, PE32 7->33 dropped 43 Drops PE files to the user root directory 7->43 45 Uses schtasks.exe or at.exe to add and modify task schedules 7->45 47 Writes to foreign memory regions 7->47 49 4 other signatures 7->49 13 nawhxwjB.exe 3 7->13         started        16 cmd.exe 3 7->16         started        18 cmd.exe 1 7->18         started        20 schtasks.exe 1 7->20         started        22 Bjwxhwan.exe 11->22         started        signatures5 process6 signatures7 51 Detected unpacking (changes PE section rights) 13->51 53 Detected unpacking (overwrites its own PE header) 13->53 55 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 13->55 57 Tries to steal Mail credentials (via file / registry access) 13->57 24 conhost.exe 16->24         started        26 conhost.exe 18->26         started        28 conhost.exe 20->28         started        59 Writes to foreign memory regions 22->59 61 Allocates memory in foreign processes 22->61 63 Sample uses process hollowing technique 22->63 65 Allocates many large memory junks 22->65 30 nawhxwjB.exe 22->30         started        process8 signatures9 67 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 30->67 69 Tries to steal Mail credentials (via file / registry access) 30->69 71 Tries to harvest and steal browser information (history, passwords, etc) 30->71
Score:
94%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/dbffbfb04cf4eff8edef37a4fef2e9239a456d1e9724870d464dfe66ef8de885
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/dbffbfb04cf4eff8edef37a4fef2e9239a456d1e9724870d464dfe66ef8de885/
Verdict:
Malicious
Threat:
Family.MODILOADER
Link:
https://tip.neiki.dev/file/dbffbfb04cf4eff8edef37a4fef2e9239a456d1e9724870d464dfe66ef8de885
Threat name:
Win32.Trojan.DBatLoader
Create hunting rule
Status:
Malicious
First seen:
2025-10-02 06:14:26 UTC
File Type:
PE (Exe)
Extracted files:
43
AV detection:
27 of 37 (72.97%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=3p737mcm6tx7r3ppg6sp54xjeonek3i6s4siodkgjx7gn34n5ccq._file
Verdict:
malicious
Label(s):
dbatloader
Create hunting rule
darkcloudstealer
Create hunting rule
Similar samples:
3d3e2ed4810609be58fc516672b371d78807e566aa453099d9b13a25cd94d104
a310Logger
674244e6a739438bc0ceb041d4542fd0303a614e4046a1f5d09b08728f929707
a310Logger
85c37fb2493b32f60bd9cabf78e22e86f9ca8d289622a8100c0008ab2fb7abd8
a310Logger
dbffbfb04cf4eff8edef37a4fef2e9239a456d1e9724870d464dfe66ef8de885
a310Logger
e5ca696a0ceac0f4bd2f7ae394c671f3f495c450d41e0a63c952f0f8d04ed9c8
a310Logger
error
a310Logger
Result
Malware family:
modiloader
Create hunting rule
Score:
  10/10
Tags:
family:modiloader discovery execution persistence spyware stealer trojan
Link:
https://tria.ge/reports/251002-l5t4qabm5x/
Behaviour
Runs ping.exe
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Program crash
System Location Discovery: System Language Discovery
System Network Configuration Discovery: Internet Connection Discovery
Suspicious use of SetThreadContext
Executes dropped EXE
Reads WinSCP keys stored on the system
Reads user/profile data of web browsers
ModiLoader Second Stage
ModiLoader, DBatLoader
Modiloader family
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/19c96828-11c9-4f44-a5f6-431f2492cf2d
Unpacked files
SH256 hash:
dbffbfb04cf4eff8edef37a4fef2e9239a456d1e9724870d464dfe66ef8de885
MD5 hash:
e7b10521c95558916ddc500a113e938c
SHA1 hash:
559f7ac02558685dc2722490b5447ee153a20800
Link:
https://www.unpac.me/results/bda11892-138f-47e8-89a2-d9105f78d72f/
Malware family:
DarkCloud
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/dbffbfb04cf4/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/dbffbfb04cf4eff8edef37a4fef2e9239a456d1e9724870d464dfe66ef8de885

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BobSoftMiniDelphiBoBBobSoft
Create hunting rule
Author:malware-lu
Rule name:Borland
Create hunting rule
Author:malware-lu
Rule name:CP_AllMal_Detector
Create hunting rule
Author:DiegoAnalytics
Description:CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication
Rule name:CP_Script_Inject_Detector
Create hunting rule
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:darkcloud_stealer
Create hunting rule
Author:Michelle Khalil
Description:This rule detects unpacked darkcloud malware samples.
Rule name:DetectEncryptedVariants
Create hunting rule
Author:Zinyth
Description:Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded
Rule name:FreddyBearDropper
Create hunting rule
Author:Dwarozh Hoshiar
Description:Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.
Rule name:INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
Author:ditekSHen
Description:Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name:INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Create hunting rule
Author:ditekSHen
Description:Detects executables containing SQL queries to confidential data stores. Observed in infostealers
Rule name:INDICATOR_SUSPICIOUS_EXE_TelegramChatBot
Create hunting rule
Author:ditekSHen
Description:Detects executables using Telegram Chat Bot
Rule name:MALWARE_Win_A310Logger
Create hunting rule
Author:ditekSHen
Description:Detects A310Logger
Rule name:MALWARE_Win_DarkCloud
Create hunting rule
Author:ditekSHen
Description:Detects DarkCloud infostealer
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:ProtectSharewareV11eCompservCMS
Create hunting rule
Author:malware-lu
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SEH__vba
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns
Rule name:telegram_bot_api
Create hunting rule
Author:rectifyq
Description:Detects file containing Telegram Bot API
Rule name:Windows_Trojan_DarkCloud_9905abce
Create hunting rule
Author:Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

a310Logger

Executable exe dbffbfb04cf4eff8edef37a4fef2e9239a456d1e9724870d464dfe66ef8de885

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/29908/

Comments