a310logger | 84c1024292142c4d234701e830aedcbd865311693f0d8ac75596deee268c7db5

General

Target

5f70bb21955777e10ca01ead27d16b44.exe
Size

1.0MB
MD5

5f70bb21955777e10ca01ead27d16b44
SHA1

2f7d8adfb506718346d94177103d1d976380a9b4
SHA256

84c1024292142c4d234701e830aedcbd865311693f0d8ac75596deee268c7db5
SHA512

69f55a7902a4241c008c745a8f3bbc261bf0f9698f0b0b93aafb6ab8ce47b4e0eba47879e32404d6c3cdfab14cf55f60d5de4c34050bcb377f7f92a5a1ed16f4

Score

10^/10

a310logger stormkitty spyware stealer

Malware Config

Signatures

A310logger
A310 Logger is a .NET stealer/logger targeting passwords from browsers and email clients.
stealer spyware a310logger
StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty Payload 3 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\NET4\PASSWORDSNET4.exe	family_stormkitty
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\NET4\PASSWORDSNET4.exe	family_stormkitty
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\NET4\PASSWORDSNET4.exe	family_stormkitty

A310logger Executable 3 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\NET4\PASSWORDSNET4.exe	a310logger
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\NET4\PASSWORDSNET4.exe	a310logger
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\NET4\PASSWORDSNET4.exe	a310logger

Executes dropped EXE 2 IoCs

Processes:

PASSWORDSNET4.exeCREDITCARDNET4.exe

pid process

1272 PASSWORDSNET4.exe
1620 CREDITCARDNET4.exe
Loads dropped DLL 2 IoCs

Processes:

5f70bb21955777e10ca01ead27d16b44.exe

pid process

540 5f70bb21955777e10ca01ead27d16b44.exe
540 5f70bb21955777e10ca01ead27d16b44.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Suspicious use of SetThreadContext 1 IoCs

Processes:

5f70bb21955777e10ca01ead27d16b44.exe

description pid process target process

PID 1092 set thread context of 540 1092 5f70bb21955777e10ca01ead27d16b44.exe 5f70bb21955777e10ca01ead27d16b44.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
1272	PASSWORDSNET4.exe
1620	CREDITCARDNET4.exe

pid	process
540	5f70bb21955777e10ca01ead27d16b44.exe
540	5f70bb21955777e10ca01ead27d16b44.exe

description	pid	process	target process
PID 1092 set thread context of 540	1092	5f70bb21955777e10ca01ead27d16b44.exe	5f70bb21955777e10ca01ead27d16b44.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

PASSWORDSNET4.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	PASSWORDSNET4.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	PASSWORDSNET4.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

5f70bb21955777e10ca01ead27d16b44.exe

pid process

540 5f70bb21955777e10ca01ead27d16b44.exe

pid	process
540	5f70bb21955777e10ca01ead27d16b44.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

5f70bb21955777e10ca01ead27d16b44.exe5f70bb21955777e10ca01ead27d16b44.exe

description	pid	process	target process
PID 1092 wrote to memory of 540	1092	5f70bb21955777e10ca01ead27d16b44.exe	5f70bb21955777e10ca01ead27d16b44.exe
PID 1092 wrote to memory of 540	1092	5f70bb21955777e10ca01ead27d16b44.exe	5f70bb21955777e10ca01ead27d16b44.exe
PID 1092 wrote to memory of 540	1092	5f70bb21955777e10ca01ead27d16b44.exe	5f70bb21955777e10ca01ead27d16b44.exe
PID 1092 wrote to memory of 540	1092	5f70bb21955777e10ca01ead27d16b44.exe	5f70bb21955777e10ca01ead27d16b44.exe
PID 1092 wrote to memory of 540	1092	5f70bb21955777e10ca01ead27d16b44.exe	5f70bb21955777e10ca01ead27d16b44.exe
PID 1092 wrote to memory of 540	1092	5f70bb21955777e10ca01ead27d16b44.exe	5f70bb21955777e10ca01ead27d16b44.exe
PID 1092 wrote to memory of 540	1092	5f70bb21955777e10ca01ead27d16b44.exe	5f70bb21955777e10ca01ead27d16b44.exe
PID 1092 wrote to memory of 540	1092	5f70bb21955777e10ca01ead27d16b44.exe	5f70bb21955777e10ca01ead27d16b44.exe
PID 1092 wrote to memory of 540	1092	5f70bb21955777e10ca01ead27d16b44.exe	5f70bb21955777e10ca01ead27d16b44.exe
PID 540 wrote to memory of 1272	540	5f70bb21955777e10ca01ead27d16b44.exe	PASSWORDSNET4.exe
PID 540 wrote to memory of 1272	540	5f70bb21955777e10ca01ead27d16b44.exe	PASSWORDSNET4.exe
PID 540 wrote to memory of 1272	540	5f70bb21955777e10ca01ead27d16b44.exe	PASSWORDSNET4.exe
PID 540 wrote to memory of 1272	540	5f70bb21955777e10ca01ead27d16b44.exe	PASSWORDSNET4.exe
PID 540 wrote to memory of 1620	540	5f70bb21955777e10ca01ead27d16b44.exe	CREDITCARDNET4.exe
PID 540 wrote to memory of 1620	540	5f70bb21955777e10ca01ead27d16b44.exe	CREDITCARDNET4.exe
PID 540 wrote to memory of 1620	540	5f70bb21955777e10ca01ead27d16b44.exe	CREDITCARDNET4.exe
PID 540 wrote to memory of 1620	540	5f70bb21955777e10ca01ead27d16b44.exe	CREDITCARDNET4.exe

C:\Users\Admin\AppData\Local\Temp\5f70bb21955777e10ca01ead27d16b44.exe
"C:\Users\Admin\AppData\Local\Temp\5f70bb21955777e10ca01ead27d16b44.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1092
- C:\Users\Admin\AppData\Local\Temp\5f70bb21955777e10ca01ead27d16b44.exe
  "C:\Users\Admin\AppData\Local\Temp\5f70bb21955777e10ca01ead27d16b44.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:540
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\NET4\PASSWORDSNET4.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\NET4\PASSWORDSNET4.exe
    3⤵
    - Executes dropped EXE
    - Checks processor information in registry
    PID:1272
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\NET4\CREDITCARDNET4.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\NET4\CREDITCARDNET4.exe
    3⤵
    - Executes dropped EXE
    PID:1620

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

2

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\NET4\CREDITCARDNET4.exe

MD5
a451ff83e1e0b66af6a3f26ee38bf4ff

SHA1
5dc4535a7a059c3aaedf925093e9fbe5f27aae80

SHA256
e654a9462d181c047534462ca3f13c1117886dbeded26cc1c0255328fd1046da

SHA512
3d2722dd84783eb806e671fd611b03ea9851e8d266f182088e7e2a7af467ca2b6fd348461117cc7e547bd225be5f748b2c724ea0c7431a3d15d1291355f92a85

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\NET4\CREDITCARDNET4.exe

MD5
a451ff83e1e0b66af6a3f26ee38bf4ff

SHA1
5dc4535a7a059c3aaedf925093e9fbe5f27aae80

SHA256
e654a9462d181c047534462ca3f13c1117886dbeded26cc1c0255328fd1046da

SHA512
3d2722dd84783eb806e671fd611b03ea9851e8d266f182088e7e2a7af467ca2b6fd348461117cc7e547bd225be5f748b2c724ea0c7431a3d15d1291355f92a85

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\NET4\PASSWORDSNET4.exe

MD5
1e80e2c7dc321a0f48da92fdbdbd44eb

SHA1
4bcf3e9b2e0332e1428779254aaf0b7a1b07b08e

SHA256
6dd7c673498c69240586a2344c16dcaefb1229e06fdf2b85b76cd91e5578e291

SHA512
dde95e41feca1ac7fc3c86277a2eaa3ac7d96c0bbb31faaea6c8aae680fc1aff1cfbad849660457fdbf69479b4496906dea5edc9ca307625836f483f82b6ca62

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\NET4\PASSWORDSNET4.exe

MD5
1e80e2c7dc321a0f48da92fdbdbd44eb

SHA1
4bcf3e9b2e0332e1428779254aaf0b7a1b07b08e

SHA256
6dd7c673498c69240586a2344c16dcaefb1229e06fdf2b85b76cd91e5578e291

SHA512
dde95e41feca1ac7fc3c86277a2eaa3ac7d96c0bbb31faaea6c8aae680fc1aff1cfbad849660457fdbf69479b4496906dea5edc9ca307625836f483f82b6ca62

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\credentials.txt

MD5
49a645e38f59784b7219b7f51b1fec6c

SHA1
bc74ced2c2d195837bb5cee21af81b0e396137b3

SHA256
b7f665c46d95c65f68a5ea6578d3b15c3ccfe3c9f6a7b4be3bad02ca496a2ba9

SHA512
28dbfa66d7feb903946a1fdeafd3d6f51d1c743c90c7b2afc8d86b8a9f62109bb478be9d906ae25e1fa23fe70e78bec603584d94e684023f9ff74a88689cb69f

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\NET4\CREDITCARDNET4.exe

MD5
a451ff83e1e0b66af6a3f26ee38bf4ff

SHA1
5dc4535a7a059c3aaedf925093e9fbe5f27aae80

SHA256
e654a9462d181c047534462ca3f13c1117886dbeded26cc1c0255328fd1046da

SHA512
3d2722dd84783eb806e671fd611b03ea9851e8d266f182088e7e2a7af467ca2b6fd348461117cc7e547bd225be5f748b2c724ea0c7431a3d15d1291355f92a85

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\NET4\PASSWORDSNET4.exe

MD5
1e80e2c7dc321a0f48da92fdbdbd44eb

SHA1
4bcf3e9b2e0332e1428779254aaf0b7a1b07b08e

SHA256
6dd7c673498c69240586a2344c16dcaefb1229e06fdf2b85b76cd91e5578e291

SHA512
dde95e41feca1ac7fc3c86277a2eaa3ac7d96c0bbb31faaea6c8aae680fc1aff1cfbad849660457fdbf69479b4496906dea5edc9ca307625836f483f82b6ca62

Download Submit
memory/540-70-0x00000000757D1000-0x00000000757D3000-memory.dmp

Filesize
8KB

Download
memory/540-67-0x0000000000402D98-mapping.dmp

Download
memory/540-77-0x00000000001A0000-0x00000000001A2000-memory.dmp

Filesize
8KB

Download
memory/540-66-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/1092-64-0x0000000008FC0000-0x0000000009075000-memory.dmp

Filesize
724KB

Download
memory/1092-60-0x00000000008F0000-0x00000000008F1000-memory.dmp

Filesize
4KB

Download
memory/1092-63-0x00000000003A0000-0x00000000003B0000-memory.dmp

Filesize
64KB

Download
memory/1092-62-0x0000000004930000-0x0000000004931000-memory.dmp

Filesize
4KB

Download
memory/1092-65-0x0000000005150000-0x00000000051C1000-memory.dmp

Filesize
452KB

Download
memory/1272-72-0x0000000000000000-mapping.dmp

Download
memory/1272-75-0x0000000000360000-0x0000000000361000-memory.dmp

Filesize
4KB

Download
memory/1620-79-0x0000000000000000-mapping.dmp

Download
memory/1620-82-0x0000000001090000-0x0000000001091000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads