a310logger | 463ace81e13b8db2ec0d6ee4182e27a7a91c9c65555006ad064cd1e27e92a46c

General

Target

f99fd17cc305e25cae93a53c5d7b5741.exe
Size

922KB
MD5

f99fd17cc305e25cae93a53c5d7b5741
SHA1

f02ba6a83b0b52301e4e6d5ce486abcc88ef0421
SHA256

463ace81e13b8db2ec0d6ee4182e27a7a91c9c65555006ad064cd1e27e92a46c
SHA512

63dfe798d9a93d236f05aebd25dce4679fa227c27bca381e1771dfc2788cd735eb6aa36b07fc2d2d2cec0576987b91dba8e459165d4676741e9f29d293389f59

Score

10^/10

a310logger stormkitty spyware stealer

Malware Config

Signatures

A310logger
A310 Logger is a .NET stealer/logger targeting passwords from browsers and email clients.
stealer spyware a310logger
StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty Payload 2 IoCs

resource	yara_rule
behavioral2/files/0x000100000001ab41-131.dat	family_stormkitty
behavioral2/files/0x000100000001ab41-132.dat	family_stormkitty

A310logger Executable 2 IoCs

resource	yara_rule
behavioral2/files/0x000100000001ab41-131.dat	a310logger
behavioral2/files/0x000100000001ab41-132.dat	a310logger

Executes dropped EXE 2 IoCs

pid	Process
3620	PASSWORDSNET4.exe
3392	CREDITCARDNET4.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 800 set thread context of 1544	800	f99fd17cc305e25cae93a53c5d7b5741.exe	78

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	PASSWORDSNET4.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	PASSWORDSNET4.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1544	f99fd17cc305e25cae93a53c5d7b5741.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 800 wrote to memory of 1544	800	f99fd17cc305e25cae93a53c5d7b5741.exe	78
PID 800 wrote to memory of 1544	800	f99fd17cc305e25cae93a53c5d7b5741.exe	78
PID 800 wrote to memory of 1544	800	f99fd17cc305e25cae93a53c5d7b5741.exe	78
PID 800 wrote to memory of 1544	800	f99fd17cc305e25cae93a53c5d7b5741.exe	78
PID 800 wrote to memory of 1544	800	f99fd17cc305e25cae93a53c5d7b5741.exe	78
PID 800 wrote to memory of 1544	800	f99fd17cc305e25cae93a53c5d7b5741.exe	78
PID 800 wrote to memory of 1544	800	f99fd17cc305e25cae93a53c5d7b5741.exe	78
PID 800 wrote to memory of 1544	800	f99fd17cc305e25cae93a53c5d7b5741.exe	78
PID 1544 wrote to memory of 3620	1544	f99fd17cc305e25cae93a53c5d7b5741.exe	79
PID 1544 wrote to memory of 3620	1544	f99fd17cc305e25cae93a53c5d7b5741.exe	79
PID 1544 wrote to memory of 3392	1544	f99fd17cc305e25cae93a53c5d7b5741.exe	81
PID 1544 wrote to memory of 3392	1544	f99fd17cc305e25cae93a53c5d7b5741.exe	81

C:\Users\Admin\AppData\Local\Temp\f99fd17cc305e25cae93a53c5d7b5741.exe
"C:\Users\Admin\AppData\Local\Temp\f99fd17cc305e25cae93a53c5d7b5741.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:800
- C:\Users\Admin\AppData\Local\Temp\f99fd17cc305e25cae93a53c5d7b5741.exe
  "C:\Users\Admin\AppData\Local\Temp\f99fd17cc305e25cae93a53c5d7b5741.exe"
  2⤵
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1544
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\NET4\PASSWORDSNET4.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\NET4\PASSWORDSNET4.exe
    3⤵
    - Executes dropped EXE
    - Checks processor information in registry
    PID:3620
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\NET4\CREDITCARDNET4.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\NET4\CREDITCARDNET4.exe
    3⤵
    - Executes dropped EXE
    PID:3392

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

2

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/800-120-0x00000000052B0000-0x00000000052B1000-memory.dmp

Filesize
4KB

Download
memory/800-119-0x0000000004FF0000-0x0000000004FF1000-memory.dmp

Filesize
4KB

Download
memory/800-122-0x00000000050C0000-0x00000000050D0000-memory.dmp

Filesize
64KB

Download
memory/800-123-0x0000000005ED0000-0x0000000005F84000-memory.dmp

Filesize
720KB

Download
memory/800-124-0x0000000005F90000-0x0000000006000000-memory.dmp

Filesize
448KB

Download
memory/800-121-0x00000000050B0000-0x00000000055AE000-memory.dmp

Filesize
5.0MB

Download
memory/800-116-0x0000000005010000-0x0000000005011000-memory.dmp

Filesize
4KB

Download
memory/800-117-0x00000000055B0000-0x00000000055B1000-memory.dmp

Filesize
4KB

Download
memory/800-118-0x0000000005150000-0x0000000005151000-memory.dmp

Filesize
4KB

Download
memory/800-114-0x00000000006F0000-0x00000000006F1000-memory.dmp

Filesize
4KB

Download
memory/1544-135-0x0000000002A90000-0x0000000002A92000-memory.dmp

Filesize
8KB

Download
memory/1544-129-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/1544-125-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/3392-139-0x0000000000320000-0x0000000000321000-memory.dmp

Filesize
4KB

Download
memory/3620-133-0x0000000000460000-0x0000000000461000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing