a310logger | 84c1024292142c4d234701e830aedcbd865311693f0d8ac75596deee268c7db5

General

Target

5f70bb21955777e10ca01ead27d16b44.exe
Size

1.0MB
MD5

5f70bb21955777e10ca01ead27d16b44
SHA1

2f7d8adfb506718346d94177103d1d976380a9b4
SHA256

84c1024292142c4d234701e830aedcbd865311693f0d8ac75596deee268c7db5
SHA512

69f55a7902a4241c008c745a8f3bbc261bf0f9698f0b0b93aafb6ab8ce47b4e0eba47879e32404d6c3cdfab14cf55f60d5de4c34050bcb377f7f92a5a1ed16f4

Score

10^/10

a310logger stormkitty spyware stealer

Malware Config

Signatures

A310logger
A310 Logger is a .NET stealer/logger targeting passwords from browsers and email clients.
stealer spyware a310logger
StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty Payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\NET4\PASSWORDSNET4.exe	family_stormkitty
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\NET4\PASSWORDSNET4.exe	family_stormkitty

A310logger Executable 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\NET4\PASSWORDSNET4.exe	a310logger
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\NET4\PASSWORDSNET4.exe	a310logger

Executes dropped EXE 2 IoCs

Processes:

PASSWORDSNET4.exeCREDITCARDNET4.exe

pid process

1904 PASSWORDSNET4.exe
2124 CREDITCARDNET4.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Suspicious use of SetThreadContext 1 IoCs

Processes:

5f70bb21955777e10ca01ead27d16b44.exe

description pid process target process

PID 3896 set thread context of 936 3896 5f70bb21955777e10ca01ead27d16b44.exe 5f70bb21955777e10ca01ead27d16b44.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
1904	PASSWORDSNET4.exe
2124	CREDITCARDNET4.exe

description	pid	process	target process
PID 3896 set thread context of 936	3896	5f70bb21955777e10ca01ead27d16b44.exe	5f70bb21955777e10ca01ead27d16b44.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

PASSWORDSNET4.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	PASSWORDSNET4.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	PASSWORDSNET4.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

5f70bb21955777e10ca01ead27d16b44.exe

pid process

936 5f70bb21955777e10ca01ead27d16b44.exe

pid	process
936	5f70bb21955777e10ca01ead27d16b44.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

5f70bb21955777e10ca01ead27d16b44.exe5f70bb21955777e10ca01ead27d16b44.exe

description	pid	process	target process
PID 3896 wrote to memory of 936	3896	5f70bb21955777e10ca01ead27d16b44.exe	5f70bb21955777e10ca01ead27d16b44.exe
PID 3896 wrote to memory of 936	3896	5f70bb21955777e10ca01ead27d16b44.exe	5f70bb21955777e10ca01ead27d16b44.exe
PID 3896 wrote to memory of 936	3896	5f70bb21955777e10ca01ead27d16b44.exe	5f70bb21955777e10ca01ead27d16b44.exe
PID 3896 wrote to memory of 936	3896	5f70bb21955777e10ca01ead27d16b44.exe	5f70bb21955777e10ca01ead27d16b44.exe
PID 3896 wrote to memory of 936	3896	5f70bb21955777e10ca01ead27d16b44.exe	5f70bb21955777e10ca01ead27d16b44.exe
PID 3896 wrote to memory of 936	3896	5f70bb21955777e10ca01ead27d16b44.exe	5f70bb21955777e10ca01ead27d16b44.exe
PID 3896 wrote to memory of 936	3896	5f70bb21955777e10ca01ead27d16b44.exe	5f70bb21955777e10ca01ead27d16b44.exe
PID 3896 wrote to memory of 936	3896	5f70bb21955777e10ca01ead27d16b44.exe	5f70bb21955777e10ca01ead27d16b44.exe
PID 936 wrote to memory of 1904	936	5f70bb21955777e10ca01ead27d16b44.exe	PASSWORDSNET4.exe
PID 936 wrote to memory of 1904	936	5f70bb21955777e10ca01ead27d16b44.exe	PASSWORDSNET4.exe
PID 936 wrote to memory of 2124	936	5f70bb21955777e10ca01ead27d16b44.exe	CREDITCARDNET4.exe
PID 936 wrote to memory of 2124	936	5f70bb21955777e10ca01ead27d16b44.exe	CREDITCARDNET4.exe

C:\Users\Admin\AppData\Local\Temp\5f70bb21955777e10ca01ead27d16b44.exe
"C:\Users\Admin\AppData\Local\Temp\5f70bb21955777e10ca01ead27d16b44.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3896
- C:\Users\Admin\AppData\Local\Temp\5f70bb21955777e10ca01ead27d16b44.exe
  "C:\Users\Admin\AppData\Local\Temp\5f70bb21955777e10ca01ead27d16b44.exe"
  2⤵
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:936
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\NET4\PASSWORDSNET4.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\NET4\PASSWORDSNET4.exe
    3⤵
    - Executes dropped EXE
    - Checks processor information in registry
    PID:1904
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\NET4\CREDITCARDNET4.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\NET4\CREDITCARDNET4.exe
    3⤵
    - Executes dropped EXE
    PID:2124

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

2

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\NET4\CREDITCARDNET4.exe

MD5
a451ff83e1e0b66af6a3f26ee38bf4ff

SHA1
5dc4535a7a059c3aaedf925093e9fbe5f27aae80

SHA256
e654a9462d181c047534462ca3f13c1117886dbeded26cc1c0255328fd1046da

SHA512
3d2722dd84783eb806e671fd611b03ea9851e8d266f182088e7e2a7af467ca2b6fd348461117cc7e547bd225be5f748b2c724ea0c7431a3d15d1291355f92a85

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\NET4\CREDITCARDNET4.exe

MD5
a451ff83e1e0b66af6a3f26ee38bf4ff

SHA1
5dc4535a7a059c3aaedf925093e9fbe5f27aae80

SHA256
e654a9462d181c047534462ca3f13c1117886dbeded26cc1c0255328fd1046da

SHA512
3d2722dd84783eb806e671fd611b03ea9851e8d266f182088e7e2a7af467ca2b6fd348461117cc7e547bd225be5f748b2c724ea0c7431a3d15d1291355f92a85

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\NET4\PASSWORDSNET4.exe

MD5
1e80e2c7dc321a0f48da92fdbdbd44eb

SHA1
4bcf3e9b2e0332e1428779254aaf0b7a1b07b08e

SHA256
6dd7c673498c69240586a2344c16dcaefb1229e06fdf2b85b76cd91e5578e291

SHA512
dde95e41feca1ac7fc3c86277a2eaa3ac7d96c0bbb31faaea6c8aae680fc1aff1cfbad849660457fdbf69479b4496906dea5edc9ca307625836f483f82b6ca62

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\NET4\PASSWORDSNET4.exe

MD5
1e80e2c7dc321a0f48da92fdbdbd44eb

SHA1
4bcf3e9b2e0332e1428779254aaf0b7a1b07b08e

SHA256
6dd7c673498c69240586a2344c16dcaefb1229e06fdf2b85b76cd91e5578e291

SHA512
dde95e41feca1ac7fc3c86277a2eaa3ac7d96c0bbb31faaea6c8aae680fc1aff1cfbad849660457fdbf69479b4496906dea5edc9ca307625836f483f82b6ca62

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\credentials.txt

MD5
0e426b2995baa0070b9b3aebdf2d6c1b

SHA1
156415b4c5b2fa2002021b772590499ab01dc27a

SHA256
f4567ff5a9b9ffdc6e7b29d545d9971748a2906232c7127ef8f2a4ea9aacd117

SHA512
3f98e50d1ec13694d11cfea33521f040930ffd2a43c865e9510f92354acaad03f06994aa0511d1012ac48bef22b8d59b74a6ce379a040ee8b08bdb600b9a9f68

Download Submit
memory/936-125-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/936-135-0x0000000001260000-0x0000000001262000-memory.dmp

Filesize
8KB

Download
memory/936-126-0x0000000000402D98-mapping.dmp

Download
memory/936-128-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/1904-130-0x0000000000000000-mapping.dmp

Download
memory/1904-133-0x00000000008A0000-0x00000000008A1000-memory.dmp

Filesize
4KB

Download
memory/2124-139-0x00000000004E0000-0x00000000004E1000-memory.dmp

Filesize
4KB

Download
memory/2124-136-0x0000000000000000-mapping.dmp

Download
memory/3896-114-0x0000000000860000-0x0000000000861000-memory.dmp

Filesize
4KB

Download
memory/3896-120-0x0000000005420000-0x0000000005421000-memory.dmp

Filesize
4KB

Download
memory/3896-119-0x00000000052C0000-0x00000000052C1000-memory.dmp

Filesize
4KB

Download
memory/3896-121-0x0000000005320000-0x000000000581E000-memory.dmp

Filesize
5.0MB

Download
memory/3896-124-0x0000000005660000-0x00000000056D1000-memory.dmp

Filesize
452KB

Download
memory/3896-123-0x000000000AD50000-0x000000000AE05000-memory.dmp

Filesize
724KB

Download
memory/3896-118-0x0000000005320000-0x0000000005321000-memory.dmp

Filesize
4KB

Download
memory/3896-117-0x0000000005820000-0x0000000005821000-memory.dmp

Filesize
4KB

Download
memory/3896-122-0x0000000002B70000-0x0000000002B80000-memory.dmp

Filesize
64KB

Download
memory/3896-116-0x0000000005140000-0x0000000005141000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads