a310logger | 84c1024292142c4d234701e830aedcbd865311693f0d8ac75596deee268c7db5

General

Target

5f70bb21955777e10ca01ead27d16b44.exe
Size

1.0MB
MD5

5f70bb21955777e10ca01ead27d16b44
SHA1

2f7d8adfb506718346d94177103d1d976380a9b4
SHA256

84c1024292142c4d234701e830aedcbd865311693f0d8ac75596deee268c7db5
SHA512

69f55a7902a4241c008c745a8f3bbc261bf0f9698f0b0b93aafb6ab8ce47b4e0eba47879e32404d6c3cdfab14cf55f60d5de4c34050bcb377f7f92a5a1ed16f4

Score

10^/10

a310logger stormkitty spyware stealer

Malware Config

Signatures

A310logger
A310 Logger is a .NET stealer/logger targeting passwords from browsers and email clients.
stealer spyware a310logger
StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty Payload 3 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\NET4\PASSWORDSNET4.exe	family_stormkitty
\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\NET4\PASSWORDSNET4.exe	family_stormkitty
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\NET4\PASSWORDSNET4.exe	family_stormkitty

A310logger Executable 3 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\NET4\PASSWORDSNET4.exe	a310logger
\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\NET4\PASSWORDSNET4.exe	a310logger
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\NET4\PASSWORDSNET4.exe	a310logger

Executes dropped EXE 2 IoCs

Processes:

PASSWORDSNET4.exeCREDITCARDNET4.exe

pid process

2032 PASSWORDSNET4.exe
868 CREDITCARDNET4.exe
Loads dropped DLL 2 IoCs

Processes:

5f70bb21955777e10ca01ead27d16b44.exe

pid process

316 5f70bb21955777e10ca01ead27d16b44.exe
316 5f70bb21955777e10ca01ead27d16b44.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Suspicious use of SetThreadContext 1 IoCs

Processes:

5f70bb21955777e10ca01ead27d16b44.exe

description pid process target process

PID 1472 set thread context of 316 1472 5f70bb21955777e10ca01ead27d16b44.exe 5f70bb21955777e10ca01ead27d16b44.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
2032	PASSWORDSNET4.exe
868	CREDITCARDNET4.exe

pid	process
316	5f70bb21955777e10ca01ead27d16b44.exe
316	5f70bb21955777e10ca01ead27d16b44.exe

description	pid	process	target process
PID 1472 set thread context of 316	1472	5f70bb21955777e10ca01ead27d16b44.exe	5f70bb21955777e10ca01ead27d16b44.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

PASSWORDSNET4.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	PASSWORDSNET4.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	PASSWORDSNET4.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

5f70bb21955777e10ca01ead27d16b44.exe

pid process

316 5f70bb21955777e10ca01ead27d16b44.exe

pid	process
316	5f70bb21955777e10ca01ead27d16b44.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

5f70bb21955777e10ca01ead27d16b44.exe5f70bb21955777e10ca01ead27d16b44.exe

description	pid	process	target process
PID 1472 wrote to memory of 316	1472	5f70bb21955777e10ca01ead27d16b44.exe	5f70bb21955777e10ca01ead27d16b44.exe
PID 1472 wrote to memory of 316	1472	5f70bb21955777e10ca01ead27d16b44.exe	5f70bb21955777e10ca01ead27d16b44.exe
PID 1472 wrote to memory of 316	1472	5f70bb21955777e10ca01ead27d16b44.exe	5f70bb21955777e10ca01ead27d16b44.exe
PID 1472 wrote to memory of 316	1472	5f70bb21955777e10ca01ead27d16b44.exe	5f70bb21955777e10ca01ead27d16b44.exe
PID 1472 wrote to memory of 316	1472	5f70bb21955777e10ca01ead27d16b44.exe	5f70bb21955777e10ca01ead27d16b44.exe
PID 1472 wrote to memory of 316	1472	5f70bb21955777e10ca01ead27d16b44.exe	5f70bb21955777e10ca01ead27d16b44.exe
PID 1472 wrote to memory of 316	1472	5f70bb21955777e10ca01ead27d16b44.exe	5f70bb21955777e10ca01ead27d16b44.exe
PID 1472 wrote to memory of 316	1472	5f70bb21955777e10ca01ead27d16b44.exe	5f70bb21955777e10ca01ead27d16b44.exe
PID 1472 wrote to memory of 316	1472	5f70bb21955777e10ca01ead27d16b44.exe	5f70bb21955777e10ca01ead27d16b44.exe
PID 316 wrote to memory of 2032	316	5f70bb21955777e10ca01ead27d16b44.exe	PASSWORDSNET4.exe
PID 316 wrote to memory of 2032	316	5f70bb21955777e10ca01ead27d16b44.exe	PASSWORDSNET4.exe
PID 316 wrote to memory of 2032	316	5f70bb21955777e10ca01ead27d16b44.exe	PASSWORDSNET4.exe
PID 316 wrote to memory of 2032	316	5f70bb21955777e10ca01ead27d16b44.exe	PASSWORDSNET4.exe
PID 316 wrote to memory of 868	316	5f70bb21955777e10ca01ead27d16b44.exe	CREDITCARDNET4.exe
PID 316 wrote to memory of 868	316	5f70bb21955777e10ca01ead27d16b44.exe	CREDITCARDNET4.exe
PID 316 wrote to memory of 868	316	5f70bb21955777e10ca01ead27d16b44.exe	CREDITCARDNET4.exe
PID 316 wrote to memory of 868	316	5f70bb21955777e10ca01ead27d16b44.exe	CREDITCARDNET4.exe

C:\Users\Admin\AppData\Local\Temp\5f70bb21955777e10ca01ead27d16b44.exe
"C:\Users\Admin\AppData\Local\Temp\5f70bb21955777e10ca01ead27d16b44.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1472
- C:\Users\Admin\AppData\Local\Temp\5f70bb21955777e10ca01ead27d16b44.exe
  "C:\Users\Admin\AppData\Local\Temp\5f70bb21955777e10ca01ead27d16b44.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:316
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\NET4\PASSWORDSNET4.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\NET4\PASSWORDSNET4.exe
    3⤵
    - Executes dropped EXE
    - Checks processor information in registry
    PID:2032
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\NET4\CREDITCARDNET4.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\NET4\CREDITCARDNET4.exe
    3⤵
    - Executes dropped EXE
    PID:868

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

2

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\NET4\CREDITCARDNET4.exe

MD5
a451ff83e1e0b66af6a3f26ee38bf4ff

SHA1
5dc4535a7a059c3aaedf925093e9fbe5f27aae80

SHA256
e654a9462d181c047534462ca3f13c1117886dbeded26cc1c0255328fd1046da

SHA512
3d2722dd84783eb806e671fd611b03ea9851e8d266f182088e7e2a7af467ca2b6fd348461117cc7e547bd225be5f748b2c724ea0c7431a3d15d1291355f92a85

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\NET4\CREDITCARDNET4.exe

MD5
a451ff83e1e0b66af6a3f26ee38bf4ff

SHA1
5dc4535a7a059c3aaedf925093e9fbe5f27aae80

SHA256
e654a9462d181c047534462ca3f13c1117886dbeded26cc1c0255328fd1046da

SHA512
3d2722dd84783eb806e671fd611b03ea9851e8d266f182088e7e2a7af467ca2b6fd348461117cc7e547bd225be5f748b2c724ea0c7431a3d15d1291355f92a85

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\NET4\PASSWORDSNET4.exe

MD5
1e80e2c7dc321a0f48da92fdbdbd44eb

SHA1
4bcf3e9b2e0332e1428779254aaf0b7a1b07b08e

SHA256
6dd7c673498c69240586a2344c16dcaefb1229e06fdf2b85b76cd91e5578e291

SHA512
dde95e41feca1ac7fc3c86277a2eaa3ac7d96c0bbb31faaea6c8aae680fc1aff1cfbad849660457fdbf69479b4496906dea5edc9ca307625836f483f82b6ca62

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\NET4\PASSWORDSNET4.exe

MD5
1e80e2c7dc321a0f48da92fdbdbd44eb

SHA1
4bcf3e9b2e0332e1428779254aaf0b7a1b07b08e

SHA256
6dd7c673498c69240586a2344c16dcaefb1229e06fdf2b85b76cd91e5578e291

SHA512
dde95e41feca1ac7fc3c86277a2eaa3ac7d96c0bbb31faaea6c8aae680fc1aff1cfbad849660457fdbf69479b4496906dea5edc9ca307625836f483f82b6ca62

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\credentials.txt

MD5
d64a2bd19fb9b1a472c11921fbbaaf40

SHA1
1d92625025f45506e8793566f9a0045e7f833ca3

SHA256
fe49f551900f623da171d8c86edb8cea7df2985ae4fd9a6f5d1af4eed0c77ca1

SHA512
423c074dbe25c77b957c0e8b3998f909762cc9c5151038550149b197885d685bd8aacdb25b872b627cecfb86c868470e19a89a36a968a4e002eddd0f1ab51372

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\NET4\CREDITCARDNET4.exe

MD5
a451ff83e1e0b66af6a3f26ee38bf4ff

SHA1
5dc4535a7a059c3aaedf925093e9fbe5f27aae80

SHA256
e654a9462d181c047534462ca3f13c1117886dbeded26cc1c0255328fd1046da

SHA512
3d2722dd84783eb806e671fd611b03ea9851e8d266f182088e7e2a7af467ca2b6fd348461117cc7e547bd225be5f748b2c724ea0c7431a3d15d1291355f92a85

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\NET4\PASSWORDSNET4.exe

MD5
1e80e2c7dc321a0f48da92fdbdbd44eb

SHA1
4bcf3e9b2e0332e1428779254aaf0b7a1b07b08e

SHA256
6dd7c673498c69240586a2344c16dcaefb1229e06fdf2b85b76cd91e5578e291

SHA512
dde95e41feca1ac7fc3c86277a2eaa3ac7d96c0bbb31faaea6c8aae680fc1aff1cfbad849660457fdbf69479b4496906dea5edc9ca307625836f483f82b6ca62

Download Submit
memory/316-65-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/316-69-0x00000000757C1000-0x00000000757C3000-memory.dmp

Filesize
8KB

Download
memory/316-66-0x0000000000402D98-mapping.dmp

Download
memory/316-76-0x0000000000180000-0x0000000000182000-memory.dmp

Filesize
8KB

Download
memory/868-78-0x0000000000000000-mapping.dmp

Download
memory/868-81-0x0000000000F80000-0x0000000000F81000-memory.dmp

Filesize
4KB

Download
memory/1472-59-0x00000000012E0000-0x00000000012E1000-memory.dmp

Filesize
4KB

Download
memory/1472-64-0x0000000005E50000-0x0000000005EC1000-memory.dmp

Filesize
452KB

Download
memory/1472-63-0x0000000008100000-0x00000000081B5000-memory.dmp

Filesize
724KB

Download
memory/1472-62-0x0000000000350000-0x0000000000360000-memory.dmp

Filesize
64KB

Download
memory/1472-61-0x0000000004B30000-0x0000000004B31000-memory.dmp

Filesize
4KB

Download
memory/2032-71-0x0000000000000000-mapping.dmp

Download
memory/2032-74-0x0000000000CE0000-0x0000000000CE1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads