MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f2e9a5272a9103ffdba37b1bd146522d36ebca54b733aa7967499a9d76d02a02. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


a310logger


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f2e9a5272a9103ffdba37b1bd146522d36ebca54b733aa7967499a9d76d02a02
SHA3-384 hash: 66b1c259fe6da790bd0fd2a7562a3c2a44931e705329c14fb886311d34e0e0dda4f6c0bbe9d7b5c494a014413ca81be9
SHA1 hash: 7055ffe70fc5b666599dbeeda97932d5b529a77a
MD5 hash: 3763f091a074d72561b02c9c02e7bafc
humanhash: thirteen-virginia-berlin-oregon
File name:3763f091a074d72561b02c9c02e7bafc
Download: download sample
Signature a310logger
Create hunting rule
File size:979'456 bytes
First seen:2021-07-20 13:54:35 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 24576:0M9MDiE/KrvDBoIYC4cGYLa3y7nZt1AcyMLBFBf:Y8iLCZLa3G6jA7f
TLSH T1F025CF7363076B8CEC7D83B86825A085AFF5B417D31DD65D3ED8B0E868B1F1497A1A02
Reporter zbetcheckin
Tags:32 a310logger exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
155
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
3763f091a074d72561b02c9c02e7bafc
Verdict:
Suspicious activity
Analysis date:
2021-07-20 13:57:28 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/8109dd02-04c9-413f-aae1-e29978b93122

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/172846/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.935-1.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/0afb8472-eb51-42eb-8989-76a41da9bb6a
Result
Threat name:
a310Logger
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/818994
Signature
.NET source code references suspicious native API functions
Antivirus detection for dropped file
Detected unpacking (creates a PE file in dynamic memory)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file access)
Yara detected a310Logger
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 451407 Sample: AeAJudBFsu Startdate: 20/07/2021 Architecture: WINDOWS Score: 100 43 Malicious sample detected (through community Yara rule) 2->43 45 Yara detected a310Logger 2->45 47 .NET source code references suspicious native API functions 2->47 49 Machine Learning detection for sample 2->49 8 AeAJudBFsu.exe 3 2->8         started        process3 file4 31 C:\Users\user\AppData\...\AeAJudBFsu.exe.log, ASCII 8->31 dropped 57 Detected unpacking (creates a PE file in dynamic memory) 8->57 59 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 8->59 61 Injects a PE file into a foreign processes 8->61 12 AeAJudBFsu.exe 1 3 8->12         started        signatures5 process6 dnsIp7 33 mail.dm-teh.com 104.248.254.21, 49728, 587 DIGITALOCEAN-ASNUS United States 12->33 63 Tries to steal Crypto Currency Wallets 12->63 16 InstallUtil.exe 8 12->16         started        20 InstallUtil.exe 6 12->20         started        signatures8 process9 file10 27 C:\Users\user\AppData\...\wxfmqQcM.exe, PE32 16->27 dropped 35 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 16->35 37 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 16->37 39 Tries to steal Mail credentials (via file access) 16->39 22 wxfmqQcM.exe 3 16->22         started        29 C:\Users\user\AppData\...\HiFXcNeE.exe, PE32 20->29 dropped 41 Tries to harvest and steal browser information (history, passwords, etc) 20->41 25 HiFXcNeE.exe 3 20->25         started        signatures11 process12 signatures13 51 Antivirus detection for dropped file 22->51 53 Multi AV Scanner detection for dropped file 22->53 55 Machine Learning detection for dropped file 22->55
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f2e9a5272a9103ffdba37b1bd146522d36ebca54b733aa7967499a9d76d02a02/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-07-20 13:55:06 UTC
AV detection:
16 of 28 (57.14%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=6lu2kjzkseb77w5dpmn5crssfu3oxssuw4z2u6lhjgnj25wqfiba._file
Verdict:
malicious
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://tria.ge/reports/210720-j8plwx5edj/
Behaviour
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Unpacked files
SH256 hash:
83d9e44d9a311ea6fdbcbd09fdc816a2067806dcacf24beb5ee786191b1a3ea1
MD5 hash:
b1a7b752b6638ee03cffe5a1dde9213e
SHA1 hash:
52d215a173d2f293990f8c12fc7f4a86330a29cb
Link:
https://www.unpac.me/results/6c616687-714a-4320-bc60-f4237134cbb7/
SH256 hash:
f2e9a5272a9103ffdba37b1bd146522d36ebca54b733aa7967499a9d76d02a02
MD5 hash:
3763f091a074d72561b02c9c02e7bafc
SHA1 hash:
7055ffe70fc5b666599dbeeda97932d5b529a77a
Link:
https://www.unpac.me/results/6c616687-714a-4320-bc60-f4237134cbb7/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f2e9a5272a9103ffdba37b1bd146522d36ebca54b733aa7967499a9d76d02a02

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

a310logger

Executable exe f2e9a5272a9103ffdba37b1bd146522d36ebca54b733aa7967499a9d76d02a02

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/172846/
  
URLhaus
https://urlhaus.abuse.ch/url/1468634/

Comments


Avatar
zbet commented on 2021-07-20 13:54:37 UTC

url : hxxp://192.210.214.144/ob/can.exe