a310logger | 3504fe4b0e2d093c366cffa43ceb37026d7a5f8e35498aa7945556c77ecce731

General

Target

495edc6456f3c1d7dcdf839ec8a1fc70.exe
Size

935KB
MD5

495edc6456f3c1d7dcdf839ec8a1fc70
SHA1

fe30c475e506a76be7ea15c4f529938062718276
SHA256

3504fe4b0e2d093c366cffa43ceb37026d7a5f8e35498aa7945556c77ecce731
SHA512

b2122cd4b6a1b1f46f8e3b970ccd786ca6a07a554772a7ddebab9d7dc42ea7a12288debdccc3ec5af63fd6d707b3e804e3e13cfd2d4fbe7e2aec11abea4e1b1a

Score

10^/10

a310logger stormkitty spyware stealer

Malware Config

Signatures

A310logger
A310 Logger is a .NET stealer/logger targeting passwords from browsers and email clients.
stealer spyware a310logger
StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty Payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\NET4\PASSWORDSNET4.exe	family_stormkitty
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\NET4\PASSWORDSNET4.exe	family_stormkitty

A310logger Executable 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\NET4\PASSWORDSNET4.exe	a310logger
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\NET4\PASSWORDSNET4.exe	a310logger

Executes dropped EXE 2 IoCs

Processes:

PASSWORDSNET4.exeCREDITCARDNET4.exe

pid process

4092 PASSWORDSNET4.exe
4068 CREDITCARDNET4.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Suspicious use of SetThreadContext 1 IoCs

Processes:

495edc6456f3c1d7dcdf839ec8a1fc70.exe

description pid process target process

PID 3904 set thread context of 2628 3904 495edc6456f3c1d7dcdf839ec8a1fc70.exe 495edc6456f3c1d7dcdf839ec8a1fc70.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
4092	PASSWORDSNET4.exe
4068	CREDITCARDNET4.exe

description	pid	process	target process
PID 3904 set thread context of 2628	3904	495edc6456f3c1d7dcdf839ec8a1fc70.exe	495edc6456f3c1d7dcdf839ec8a1fc70.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

PASSWORDSNET4.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	PASSWORDSNET4.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	PASSWORDSNET4.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

495edc6456f3c1d7dcdf839ec8a1fc70.exe

pid process

2628 495edc6456f3c1d7dcdf839ec8a1fc70.exe

pid	process
2628	495edc6456f3c1d7dcdf839ec8a1fc70.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

495edc6456f3c1d7dcdf839ec8a1fc70.exe495edc6456f3c1d7dcdf839ec8a1fc70.exe

description	pid	process	target process
PID 3904 wrote to memory of 2628	3904	495edc6456f3c1d7dcdf839ec8a1fc70.exe	495edc6456f3c1d7dcdf839ec8a1fc70.exe
PID 3904 wrote to memory of 2628	3904	495edc6456f3c1d7dcdf839ec8a1fc70.exe	495edc6456f3c1d7dcdf839ec8a1fc70.exe
PID 3904 wrote to memory of 2628	3904	495edc6456f3c1d7dcdf839ec8a1fc70.exe	495edc6456f3c1d7dcdf839ec8a1fc70.exe
PID 3904 wrote to memory of 2628	3904	495edc6456f3c1d7dcdf839ec8a1fc70.exe	495edc6456f3c1d7dcdf839ec8a1fc70.exe
PID 3904 wrote to memory of 2628	3904	495edc6456f3c1d7dcdf839ec8a1fc70.exe	495edc6456f3c1d7dcdf839ec8a1fc70.exe
PID 3904 wrote to memory of 2628	3904	495edc6456f3c1d7dcdf839ec8a1fc70.exe	495edc6456f3c1d7dcdf839ec8a1fc70.exe
PID 3904 wrote to memory of 2628	3904	495edc6456f3c1d7dcdf839ec8a1fc70.exe	495edc6456f3c1d7dcdf839ec8a1fc70.exe
PID 3904 wrote to memory of 2628	3904	495edc6456f3c1d7dcdf839ec8a1fc70.exe	495edc6456f3c1d7dcdf839ec8a1fc70.exe
PID 2628 wrote to memory of 4092	2628	495edc6456f3c1d7dcdf839ec8a1fc70.exe	PASSWORDSNET4.exe
PID 2628 wrote to memory of 4092	2628	495edc6456f3c1d7dcdf839ec8a1fc70.exe	PASSWORDSNET4.exe
PID 2628 wrote to memory of 4068	2628	495edc6456f3c1d7dcdf839ec8a1fc70.exe	CREDITCARDNET4.exe
PID 2628 wrote to memory of 4068	2628	495edc6456f3c1d7dcdf839ec8a1fc70.exe	CREDITCARDNET4.exe

C:\Users\Admin\AppData\Local\Temp\495edc6456f3c1d7dcdf839ec8a1fc70.exe
"C:\Users\Admin\AppData\Local\Temp\495edc6456f3c1d7dcdf839ec8a1fc70.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3904

C:\Users\Admin\AppData\Local\Temp\495edc6456f3c1d7dcdf839ec8a1fc70.exe
"C:\Users\Admin\AppData\Local\Temp\495edc6456f3c1d7dcdf839ec8a1fc70.exe"
2⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2628

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\NET4\PASSWORDSNET4.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\NET4\PASSWORDSNET4.exe
3⤵
- Executes dropped EXE
- Checks processor information in registry
PID:4092

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\NET4\CREDITCARDNET4.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\NET4\CREDITCARDNET4.exe
3⤵
- Executes dropped EXE
PID:4068

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

2

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\NET4\CREDITCARDNET4.exe
MD5
a451ff83e1e0b66af6a3f26ee38bf4ff

SHA1
5dc4535a7a059c3aaedf925093e9fbe5f27aae80

SHA256
e654a9462d181c047534462ca3f13c1117886dbeded26cc1c0255328fd1046da

SHA512
3d2722dd84783eb806e671fd611b03ea9851e8d266f182088e7e2a7af467ca2b6fd348461117cc7e547bd225be5f748b2c724ea0c7431a3d15d1291355f92a85

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\NET4\CREDITCARDNET4.exe
MD5
a451ff83e1e0b66af6a3f26ee38bf4ff

SHA1
5dc4535a7a059c3aaedf925093e9fbe5f27aae80

SHA256
e654a9462d181c047534462ca3f13c1117886dbeded26cc1c0255328fd1046da

SHA512
3d2722dd84783eb806e671fd611b03ea9851e8d266f182088e7e2a7af467ca2b6fd348461117cc7e547bd225be5f748b2c724ea0c7431a3d15d1291355f92a85

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\NET4\PASSWORDSNET4.exe
MD5
1e80e2c7dc321a0f48da92fdbdbd44eb

SHA1
4bcf3e9b2e0332e1428779254aaf0b7a1b07b08e

SHA256
6dd7c673498c69240586a2344c16dcaefb1229e06fdf2b85b76cd91e5578e291

SHA512
dde95e41feca1ac7fc3c86277a2eaa3ac7d96c0bbb31faaea6c8aae680fc1aff1cfbad849660457fdbf69479b4496906dea5edc9ca307625836f483f82b6ca62

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\NET4\PASSWORDSNET4.exe
MD5
1e80e2c7dc321a0f48da92fdbdbd44eb

SHA1
4bcf3e9b2e0332e1428779254aaf0b7a1b07b08e

SHA256
6dd7c673498c69240586a2344c16dcaefb1229e06fdf2b85b76cd91e5578e291

SHA512
dde95e41feca1ac7fc3c86277a2eaa3ac7d96c0bbb31faaea6c8aae680fc1aff1cfbad849660457fdbf69479b4496906dea5edc9ca307625836f483f82b6ca62

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\credentials.txt
MD5
968147e5e7121ca034e2978f561456d7

SHA1
8eaff1f069e721a49ecf4ea3c260c06b8d2cebe5

SHA256
547e5216c25b541e350a618507e5c5d583d19a5bd9883a1b539de107fe468880

SHA512
b69a57ba2e900e6f1dc5ab608cf0d16c5561002de210b3e0ab83ecbc2ccdab377084b8fd08270c00fb53b98c9e679a11ca8c7995b45c85bc66257eb646fdafa2

Download Submit
memory/2628-124-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/2628-134-0x0000000002E00000-0x0000000002E02000-memory.dmp

Filesize
8KB

Download
memory/2628-128-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/2628-125-0x0000000000402D98-mapping.dmp

Download
memory/3904-120-0x0000000005760000-0x0000000005C5E000-memory.dmp

Filesize
5.0MB

Download
memory/3904-123-0x0000000007720000-0x0000000007790000-memory.dmp

Filesize
448KB

Download
memory/3904-122-0x0000000007670000-0x000000000771A000-memory.dmp

Filesize
680KB

Download
memory/3904-121-0x0000000003050000-0x0000000003060000-memory.dmp

Filesize
64KB

Download
memory/3904-114-0x0000000000E90000-0x0000000000E91000-memory.dmp

Filesize
4KB

Download
memory/3904-118-0x0000000005790000-0x0000000005791000-memory.dmp

Filesize
4KB

Download
memory/3904-119-0x0000000005AC0000-0x0000000005AC1000-memory.dmp

Filesize
4KB

Download
memory/3904-117-0x0000000005800000-0x0000000005801000-memory.dmp

Filesize
4KB

Download
memory/3904-116-0x0000000005C60000-0x0000000005C61000-memory.dmp

Filesize
4KB

Download
memory/4068-135-0x0000000000000000-mapping.dmp

Download
memory/4068-138-0x00000000000F0000-0x00000000000F1000-memory.dmp

Filesize
4KB

Download
memory/4092-129-0x0000000000000000-mapping.dmp

Download
memory/4092-132-0x0000000000E50000-0x0000000000E51000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads