MalwareBazaar Database
You are currently viewing the MalwareBazaar entry for SHA256 f8aa02fae887ea80156c2e8be3940405bfc612434d7efae60320a802a9d15a93. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.
Database Entry
a310Logger
Vendor detections: 17
| SHA256 hash: | f8aa02fae887ea80156c2e8be3940405bfc612434d7efae60320a802a9d15a93 |
|---|---|
| SHA3-384 hash: | 4c51e4c0c1646c7468d36d94db2b8e73eb6aedb447f9f7fb712d230ea41b21d6e35ebd26d5ec7c502c958d88bb456790 |
| SHA1 hash: | be4d67974e02309f3a4f10b882b90306a719cc43 |
| MD5 hash: | 2f722c069bc2612c7cf0548c625b34f8 |
| humanhash: | pip-oxygen-april-east |
| File name: | ORDEN DE COMPRA S.A. A PROCESADORA.. .pdf.exe |
| Download: | download sample |
| Signature | a310Logger |
| File size: | 1'346'048 bytes |
| First seen: | 2025-12-02 08:47:46 UTC |
| Last seen: | Never |
| File type: |  exe |
| MIME type: | application/x-dosexec |
| imphash | f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger) |
| ssdeep | 24576:jdZZzdCJvkYzllNkPbdb9tV2CWCKOJaCXMJph91KOb:jvZzdizzjepb96ifJaC8Jp5 |
| Threatray | 22 similar samples on MalwareBazaar |
| TLSH | T1FC55F02917E95A14F0FF5B38B77800640BF0BC2B9A31E66E6A5241ED4E61F49ED21373 |
| TrID | 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.2% (.EXE) Win64 Executable (generic) (10522/11/4) 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.3% (.EXE) Win32 Executable (generic) (4504/4/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9) |
| Magika | pebin |
| Reporter |  adrian__luca |
| Tags: | a310logger exe |
Intelligence
File Origin
# of uploads :
1
# of downloads :
90
Origin country :
HUVendor Threat Intelligence
No detections
Malware family:
n/a
ID:
1
File name:
ORDEN DE COMPRA S.A. A PROCESADORA.. .pdf.exe
Verdict:
Malicious activity
Analysis date:
2025-12-02 08:56:52 UTC
Tags:
netreactor stealer evasion telegram auto-reg
Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
DarkCloud
Verdict:
Malicious
Score:
96.5%
Tags:
underscore virus msil remo
Verdict:
Malicious
Threat level:
10/10
Confidence:
100%
Tags:
crypt masquerade obfuscated obfuscated stealer vbnet
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-11-24T12:08:00Z UTC
Last seen:
2025-12-03T23:39:00Z UTC
Hits:
~1000
Detections:
Backdoor.Win32.Androm Trojan-PSW.Win32.DarkCloud.sb Trojan.MSIL.Inject.sb HEUR:Trojan-Spy.MSIL.Noon.gen Trojan-Dropper.Win32.Injector.sb Trojan-PSW.Win32.Stelega.sb Trojan.MSIL.Inject.c Trojan.MSIL.Inject.b Trojan-PSW.Win32.Stealer.sb PDM:Trojan.Win32.Generic PDM:Trojan.Win32.Badex.d HackTool.ReconScan.TCP.ServerRequest
Malware family:
DarkCloud
Verdict:
Malicious
Score:
100%
Verdict:
Malware
File Type:
PE
Verdict:
inconclusive
YARA:
5 match(es)
Tags:
.Net Executable Managed .NET PE (Portable Executable) PE File Layout SOS: 0.84 Win 32 Exe x86
Verdict:
Malicious
Threat:
Trojan.Win32.Inject
Threat name:
Win32.Trojan.Generic
Status:
Suspicious
First seen:
2025-11-24 15:42:23 UTC
File Type:
PE (.Net Exe)
Extracted files:
44
AV detection:
23 of 36 (63.89%)
Threat level:
5/5
Detection(s):
Malicious file
Verdict:
malicious
Label(s):
darkcloudstealer
purecrypter
Similar samples:
+ 12 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
7/10
Tags:
discovery persistence spyware stealer
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Adds Run key to start application
.NET Reactor proctector
Executes dropped EXE
Reads WinSCP keys stored on the system
Reads user/profile data of web browsers
Verdict:
Malicious
Tags:
DarkCloud
YARA:
n/a
Unpacked files
SH256 hash:
f8aa02fae887ea80156c2e8be3940405bfc612434d7efae60320a802a9d15a93
MD5 hash:
2f722c069bc2612c7cf0548c625b34f8
SHA1 hash:
be4d67974e02309f3a4f10b882b90306a719cc43
SH256 hash:
7d1cc6c6774669872f14a75de73e3e785ef6d063a0c4c817d147e2078d77a61a
MD5 hash:
8445f7f856e34e9303600d717579a6c6
SHA1 hash:
28a54b1d1f14812e3c5fe68cf779c9117c098091
Detections:
SUSP_OBF_NET_Reactor_Indicators_Jan24
INDICATOR_EXE_Packed_DotNetReactor
Parent samples :
3cf22298d51538e4c37de996647c085369b9760381ee876225897ea56ca049b9
326b0eb2cdd03a3ab23d83774222769245b2bbe689ba22856273f4fa119b3054
c87c4280f8b9c6bf09c0ac878f0f5d0b1ffaf1cf0627acecd0585e79f5d4b2eb
e344fe526e15e7a798d965e12fa66bbae99c620e2bac85cea2cf39da91e1c2a9
cdefe4487062cf4feeee912c4842224c9f9ee066574205d31efa87aee71f2073
f73987513db8c06902182a46cd5d43b8d1fbcc8cb167b0b3c7ad45b6f482b64c
b02b279161596d4cfb6a031d2354460ab7d4918b0963f24a24560c2014ca9251
f8aa02fae887ea80156c2e8be3940405bfc612434d7efae60320a802a9d15a93
9cc00b1af48acb7af7f3c53d0a1adbe928d4bda26273dd955120ca138bdf2eca
73b63721491b5e5a01059fa28d122d5002710964e3e1ed13450d39e716abf968
d1dac84e05c1f6d563953e4966b4a15dda5ad228298cb9ffaa904108a1e03409
6e2f8c1a53a04332f9e7df00b6b0fc583e7c1dd20d570f503b57294c5e6b977f
a6cb841d8ae8fdf6631fa2e8235f07b946cc38fd08a67e542cdc697506faf462
7f686552b74e86a919d7c4ef8eee991bdc70a3558d886a70ed8a879ecb9781af
2f4de4bd0ba8bff96a2b2f8fe3703d0bea4dac48f6442cbd75677b3da8a4bb4f
db64be725daa15a212f1915938a94b30193123965c66ab4fbf1cbd41643a4e2f
641380dbf40445ebdda6a4fbf21ad32c7e9903fc5ec1c92081e77fc1716e58f0
51e8bfd578ae4e51206ad57e2bf501067e84ee7d0307ada70a1f3a35d907a1bd
6b43ebd7427305bd0d27f813d8a8e7d3c2fbd81a1d150d9d71be3b36461ed9c5
cd100ddc8f101788f2f74afcf44e9cbfcd41139431901c8783505f551986b2a7
1428f464af6827605e046bb527b1f0bef17827bfc495bc61bb663789ea93cd95
7abc66114083c1af5345a564369c5a9a57ede5dc4f8018c679d6fa2073781c19
594c365596c21b70b4e929a54e88f0abdc2f8641956817881418a57508484912
343a0ffbd5b9eb887a4fb642b6a508e49d75338c94c18404c0c4818b21ab1951
2ce473b1702af7cd8c8a391fcaf6e4d6b8687100ee6518e52a02adfc86735dee
e05eeb1ac0c6722a64e69f2fad8dba483cfdfe97a60f2bd123c4fb33715c419f
2f6fa9fa9d46eda7bb675550fff9ce2b075ac46bdbf95a2e3e46aa72b06aa84c
9729a8886a3c9c58f6aff691fa8a812531d7504b1060fe9092206cb39f6ab860
7ab3bc53197f4ab531bf0f24e2ad22f1f199a6f3225099506a49d57f03868dbe
ec831b1de5e2d9c38a3ebd096ef9af1425abc2a866cb042a31600d98c64b5740
326b0eb2cdd03a3ab23d83774222769245b2bbe689ba22856273f4fa119b3054
c87c4280f8b9c6bf09c0ac878f0f5d0b1ffaf1cf0627acecd0585e79f5d4b2eb
e344fe526e15e7a798d965e12fa66bbae99c620e2bac85cea2cf39da91e1c2a9
cdefe4487062cf4feeee912c4842224c9f9ee066574205d31efa87aee71f2073
f73987513db8c06902182a46cd5d43b8d1fbcc8cb167b0b3c7ad45b6f482b64c
b02b279161596d4cfb6a031d2354460ab7d4918b0963f24a24560c2014ca9251
f8aa02fae887ea80156c2e8be3940405bfc612434d7efae60320a802a9d15a93
9cc00b1af48acb7af7f3c53d0a1adbe928d4bda26273dd955120ca138bdf2eca
73b63721491b5e5a01059fa28d122d5002710964e3e1ed13450d39e716abf968
d1dac84e05c1f6d563953e4966b4a15dda5ad228298cb9ffaa904108a1e03409
6e2f8c1a53a04332f9e7df00b6b0fc583e7c1dd20d570f503b57294c5e6b977f
a6cb841d8ae8fdf6631fa2e8235f07b946cc38fd08a67e542cdc697506faf462
7f686552b74e86a919d7c4ef8eee991bdc70a3558d886a70ed8a879ecb9781af
2f4de4bd0ba8bff96a2b2f8fe3703d0bea4dac48f6442cbd75677b3da8a4bb4f
db64be725daa15a212f1915938a94b30193123965c66ab4fbf1cbd41643a4e2f
641380dbf40445ebdda6a4fbf21ad32c7e9903fc5ec1c92081e77fc1716e58f0
51e8bfd578ae4e51206ad57e2bf501067e84ee7d0307ada70a1f3a35d907a1bd
6b43ebd7427305bd0d27f813d8a8e7d3c2fbd81a1d150d9d71be3b36461ed9c5
cd100ddc8f101788f2f74afcf44e9cbfcd41139431901c8783505f551986b2a7
1428f464af6827605e046bb527b1f0bef17827bfc495bc61bb663789ea93cd95
7abc66114083c1af5345a564369c5a9a57ede5dc4f8018c679d6fa2073781c19
594c365596c21b70b4e929a54e88f0abdc2f8641956817881418a57508484912
343a0ffbd5b9eb887a4fb642b6a508e49d75338c94c18404c0c4818b21ab1951
2ce473b1702af7cd8c8a391fcaf6e4d6b8687100ee6518e52a02adfc86735dee
e05eeb1ac0c6722a64e69f2fad8dba483cfdfe97a60f2bd123c4fb33715c419f
2f6fa9fa9d46eda7bb675550fff9ce2b075ac46bdbf95a2e3e46aa72b06aa84c
9729a8886a3c9c58f6aff691fa8a812531d7504b1060fe9092206cb39f6ab860
7ab3bc53197f4ab531bf0f24e2ad22f1f199a6f3225099506a49d57f03868dbe
ec831b1de5e2d9c38a3ebd096ef9af1425abc2a866cb042a31600d98c64b5740
SH256 hash:
222b04688d1e2030192b188f099ecfd52bd7af6b986ac93e141a80f2766da879
MD5 hash:
c71e17acab65a4dd054c78c0481c7674
SHA1 hash:
63b0d563f15ab5b92c337ef37d741004623d0f62
SH256 hash:
3d4c540e42806ce73613ca4e43385d153942a40e9a0321ad93b79a7194a9cf5b
MD5 hash:
40ce50b744ec27b1c47f8596522303cb
SHA1 hash:
c1fe5e16e90a51dae212e39c40341de2350ecb96
Detections:
darkcloudstealer
INDICATOR_SUSPICIOUS_Binary_References_Browsers
INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
INDICATOR_SUSPICIOUS_EXE_TelegramChatBot
MALWARE_Win_A310Logger
MALWARE_Win_DarkCloud
SH256 hash:
2673d470353413edfb567ff7479395dc52824db6469520ebe8d91dbca2bccac2
MD5 hash:
e5be1fdba36d5032726313afe4c7dd63
SHA1 hash:
c65ebe77906cec3bcb5e805a327f1aa823be57ca
SH256 hash:
3b75425895af4ae3186b36277553641e37ca1d620ae18d68e40d13351b54de6a
MD5 hash:
94d1531b52774dce52a89e33646d5b1d
SHA1 hash:
29bf887b025b97bd7a9e1e261852ba824234a625
Malware family:
DarkCloud
Verdict:
Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
YARA Signatures
MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.
| Rule name: | DetectEncryptedVariants |
|---|---|
| Author: | Zinyth |
| Description: | Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded |
| Rule name: | FreddyBearDropper |
|---|---|
| Author: | Dwarozh Hoshiar |
| Description: | Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip. |
| Rule name: | INDICATOR_SUSPICIOUS_Binary_References_Browsers |
|---|---|
| Author: | ditekSHen |
| Description: | Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers. |
| Rule name: | INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore |
|---|---|
| Author: | ditekSHen |
| Description: | Detects executables containing SQL queries to confidential data stores. Observed in infostealers |
| Rule name: | INDICATOR_SUSPICIOUS_EXE_TelegramChatBot |
|---|---|
| Author: | ditekSHen |
| Description: | Detects executables using Telegram Chat Bot |
| Rule name: | MALWARE_Win_A310Logger |
|---|---|
| Author: | ditekSHen |
| Description: | Detects A310Logger |
| Rule name: | MALWARE_Win_DarkCloud |
|---|---|
| Author: | ditekSHen |
| Description: | Detects DarkCloud infostealer |
| Rule name: | NET |
|---|---|
| Author: | malware-lu |
| Rule name: | NETexecutableMicrosoft |
|---|---|
| Author: | malware-lu |
| Rule name: | pe_imphash |
|---|
| Rule name: | ProtectSharewareV11eCompservCMS |
|---|---|
| Author: | malware-lu |
| Rule name: | RIPEMD160_Constants |
|---|---|
| Author: | phoul (@phoul) |
| Description: | Look for RIPEMD-160 constants |
| Rule name: | SEH__vba |
|---|---|
| Reference: | https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara |
| Rule name: | SHA1_Constants |
|---|---|
| Author: | phoul (@phoul) |
| Description: | Look for SHA1 constants |
| Rule name: | Skystars_Malware_Imphash |
|---|---|
| Author: | Skystars LightDefender |
| Description: | imphash |
| Rule name: | TelegramAPIMalware_PowerShell_EXE |
|---|---|
| Author: | @polygonben |
| Description: | Hunting for pwsh malware using Telegram for C2 |
| Rule name: | telegram_bot_api |
|---|---|
| Author: | rectifyq |
| Description: | Detects file containing Telegram Bot API |
| Rule name: | UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser |
|---|---|
| Author: | malware-lu |
| Rule name: | Windows_Trojan_DarkCloud_9905abce |
|---|---|
| Author: | Elastic Security |
File information
The table below shows additional information about this malware sample such as delivery method and external references.
Malspam
Delivery method
Distributed via e-mail attachment
Comments
Login required
You need to login to in order to write a comment. Login with your abuse.ch account.