MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f3bcb556566e427c803b36d6e3ec616e42f4829e409411eda585848217989c21. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


a310Logger


Vendor detections: 10


Intelligence 10 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f3bcb556566e427c803b36d6e3ec616e42f4829e409411eda585848217989c21
SHA3-384 hash: fb075b1eccaefadaa6810b0fe6cece77fc8f62e025d6c805d77ac8a9898410fceedff75e69bd140252f93a9fb39c1634
SHA1 hash: 43f2ea5c7e94809074dfc4660a3e6c9773012715
MD5 hash: 8926a087bc868fc62bc8c239fc974f1a
humanhash: oxygen-hawaii-mango-berlin
File name:JQWPT090000.exe
Download: download sample
Signature a310Logger
Create hunting rule
File size:1'367'040 bytes
First seen:2021-08-09 05:28:22 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:XK/D0g9Q5ajDZFs793svpogDRy+weXfQfeMHwSJsmKjeDcErX4kIitwi1FH7NFCK:XK7FCA/fpqwVkXFbHC7V1V2BYx1IB
Threatray 3'950 similar samples on MalwareBazaar
TLSH T130555C243AFA5019B173FFA55FE4789ADA6FBB733B03945D106103464623A82DDC293E
dhash icon 174f4559191b1b13 (81 x AgentTesla, 68 x Formbook, 34 x SnakeKeylogger)
Reporter abuse_ch
Tags:a310logger exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
131
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
JQWPT090000.exe
Verdict:
Suspicious activity
Analysis date:
2021-08-09 06:00:15 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/ab5cbd20-777a-44a0-909e-2f9d0b8c8fc6

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
A310Logger
Create hunting rule
Link:
https://www.capesandbox.com/analysis/177417/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file
Creating a window
Using the Windows Management Instrumentation requests
DNS request
Creating a file in the %AppData% subdirectories
Sending a UDP request
Creating a process from a recently created file
Creating a process with a hidden window
Creating a file in the %temp% directory
Deleting a recently created file
Reading critical registry keys
Unauthorized injection to a recently created process
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/2735f10d-3c0d-4a56-ad2c-e4859084d9f8
Result
Threat name:
a310Logger
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/829000
Signature
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Writes or reads registry keys via WMI
Yara detected a310Logger
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 461431 Sample: JQWPT090000.exe Startdate: 09/08/2021 Architecture: WINDOWS Score: 96 34 Malicious sample detected (through community Yara rule) 2->34 36 Multi AV Scanner detection for dropped file 2->36 38 Multi AV Scanner detection for submitted file 2->38 40 Yara detected a310Logger 2->40 7 JQWPT090000.exe 3 2->7         started        process3 file4 22 C:\Users\user\AppData\...\JQWPT090000.exe.log, ASCII 7->22 dropped 42 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 7->42 44 Writes or reads registry keys via WMI 7->44 46 Injects a PE file into a foreign processes 7->46 11 JQWPT090000.exe 7 7->11         started        signatures5 process6 dnsIp7 32 192.168.2.1 unknown unknown 11->32 24 C:\Users\user\AppData\...\PASSWORDSNET4.exe, PE32 11->24 dropped 26 C:\Users\user\AppData\...\CREDITCARDNET4.exe, PE32 11->26 dropped 28 C:\Users\user\AppData\...\COOKIESNET4.exe, PE32 11->28 dropped 30 C:\Users\user\AppData\...\CONTACTSNET4.exe, PE32 11->30 dropped 15 PASSWORDSNET4.exe 4 11->15         started        18 CREDITCARDNET4.exe 3 11->18         started        20 CONTACTSNET4.exe 1 11->20         started        file8 process9 signatures10 48 Multi AV Scanner detection for dropped file 15->48 50 Tries to steal Mail credentials (via file access) 15->50 52 Tries to harvest and steal browser information (history, passwords, etc) 15->52 54 Machine Learning detection for dropped file 20->54
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f3bcb556566e427c803b36d6e3ec616e42f4829e409411eda585848217989c21/
Threat name:
ByteCode-MSIL.Trojan.Sabsik
Create hunting rule
Status:
Malicious
First seen:
2021-08-09 02:21:24 UTC
File Type:
PE (.Net Exe)
Extracted files:
10
AV detection:
13 of 46 (28.26%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=6o6lkvswnzbhzab3g3loh3dbnzbpjau6ickbd3nfqwcief4ytqqq._file
Verdict:
malicious
Similar samples:
3504fe4b0e2d093c366cffa43ceb37026d7a5f8e35498aa7945556c77ecce731
a310Logger
444482bde8f2bb85add3dc622db0c1a7a6974a78be2039ee8d08cc32af48f951
a310Logger
463ace81e13b8db2ec0d6ee4182e27a7a91c9c65555006ad064cd1e27e92a46c
a310Logger
4d7f5d6322935ee744ab4a0db255ca4720c2a64aa6760bb987349399165bb010
a310Logger
8130e7cb38e727c9f90c9ec404685cffdff6c731d780ba7220af582cadadb30b
a310Logger
f66e5f355ec3477cc1be168b9fec2f85d2c58106460d988dd96855f8c78b3fe8
a310Logger
+ 3'940 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://tria.ge/reports/210809-6rvsealmnx/
Behaviour
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Unpacked files
SH256 hash:
fec6382d8a478b4b56a42358d75ab3cb0e540c4d5aaa09c5ef9b1c87d95d9739
MD5 hash:
22487bf04bd297a56457548f9ffb2d5f
SHA1 hash:
fc9c75dbe58cd919248dcf0827ebf94e8e801e6f
Link:
https://www.unpac.me/results/584a23ce-d17e-4f1e-9d16-0831aff4254a/
SH256 hash:
97024f17003dd3d31dab64c4d1b8251e50d428644eb59ed3692ad79ce42019cf
MD5 hash:
8cd28be4bd9a1404c6d3600db32b3ed1
SHA1 hash:
fb90b0ca51118e771390d58b19d0a404ee14cfbc
Link:
https://www.unpac.me/results/584a23ce-d17e-4f1e-9d16-0831aff4254a/
SH256 hash:
824721be44adbf4a572bbf727b8cedf38753c7be188b94d74a1bc6f66767f115
MD5 hash:
970706c6272e243c541832d19810f88a
SHA1 hash:
acf05af70eb1b394a63dd1270efe1367de528db2
Link:
https://www.unpac.me/results/584a23ce-d17e-4f1e-9d16-0831aff4254a/
SH256 hash:
77c33ee529e24c28fed61b96163a23855628defa616e462c15f5b8b0f259ecd0
MD5 hash:
bea367824b1baf774864ebecc506cdc8
SHA1 hash:
5eca0dbd5b6e0cb8cd3c9a2c7d450086c87ba841
Link:
https://www.unpac.me/results/584a23ce-d17e-4f1e-9d16-0831aff4254a/
SH256 hash:
312517040411c9e11dc9c7c113149042c5c2dfa2a5d6d2bf2ddd6c61bb1cb09b
MD5 hash:
db859c8ab39be7a27cc12907e7955798
SHA1 hash:
0e85edbb2325ec9c65534d4e02bfe3a62ba8c7db
Link:
https://www.unpac.me/results/584a23ce-d17e-4f1e-9d16-0831aff4254a/
SH256 hash:
f3bcb556566e427c803b36d6e3ec616e42f4829e409411eda585848217989c21
MD5 hash:
8926a087bc868fc62bc8c239fc974f1a
SHA1 hash:
43f2ea5c7e94809074dfc4660a3e6c9773012715
Link:
https://www.unpac.me/results/584a23ce-d17e-4f1e-9d16-0831aff4254a/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/f3bcb556566e/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
iSpy Keylogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f3bcb556566e427c803b36d6e3ec616e42f4829e409411eda585848217989c21

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
Create hunting rule
Author:ditekSHen
Description:Detects executables containing URLs to raw contents of a Github gist
Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

a310Logger

Executable exe f3bcb556566e427c803b36d6e3ec616e42f4829e409411eda585848217989c21

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/177417/

Comments