a310logger | fdb6b5f3b83553b83111bd61152a4c4bd29996d778d6c118f52f01abd9435fe5

General

Target

RFQ k Peikko proposal,pdf.exe
Size

1.0MB
MD5

b44f95c332073b28fe95157f470f8f2a
SHA1

ab9265412559d4992d540aa11f05d73e4f544374
SHA256

fdb6b5f3b83553b83111bd61152a4c4bd29996d778d6c118f52f01abd9435fe5
SHA512

25bd35d5bd9d233d9f0bc21afa1af51c2326a252d3afe16f65a22f17ec85bd7a73529b24f4408d20aa0aec84dc79339574f4e57f1876f480bbb6b23cc5aa8f4d

Score

10^/10

a310logger spyware stealer

Malware Config

Signatures

A310logger
A310 Logger is a .NET stealer/logger targeting passwords from browsers and email clients.
stealer spyware a310logger

A310logger Executable 3 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\NET4\Fox.exe	a310logger
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\NET4\Fox.exe	a310logger
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\NET4\Fox.exe	a310logger

Executes dropped EXE 1 IoCs

Processes:

Fox.exe

pid process

1548 Fox.exe
Loads dropped DLL 1 IoCs

Processes:

RFQ k Peikko proposal,pdf.exe

pid process

752 RFQ k Peikko proposal,pdf.exe
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Suspicious use of SetThreadContext 1 IoCs

Processes:

RFQ k Peikko proposal,pdf.exe

description pid process target process

PID 564 set thread context of 752 564 RFQ k Peikko proposal,pdf.exe RFQ k Peikko proposal,pdf.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

RFQ k Peikko proposal,pdf.exe

pid process

752 RFQ k Peikko proposal,pdf.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

RFQ k Peikko proposal,pdf.exe

pid process

752 RFQ k Peikko proposal,pdf.exe

pid	process
1548	Fox.exe

pid	process
752	RFQ k Peikko proposal,pdf.exe

description	pid	process	target process
PID 564 set thread context of 752	564	RFQ k Peikko proposal,pdf.exe	RFQ k Peikko proposal,pdf.exe

pid	process
752	RFQ k Peikko proposal,pdf.exe

pid	process
752	RFQ k Peikko proposal,pdf.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

RFQ k Peikko proposal,pdf.exeRFQ k Peikko proposal,pdf.exe

description	pid	process	target process
PID 564 wrote to memory of 752	564	RFQ k Peikko proposal,pdf.exe	RFQ k Peikko proposal,pdf.exe
PID 564 wrote to memory of 752	564	RFQ k Peikko proposal,pdf.exe	RFQ k Peikko proposal,pdf.exe
PID 564 wrote to memory of 752	564	RFQ k Peikko proposal,pdf.exe	RFQ k Peikko proposal,pdf.exe
PID 564 wrote to memory of 752	564	RFQ k Peikko proposal,pdf.exe	RFQ k Peikko proposal,pdf.exe
PID 564 wrote to memory of 752	564	RFQ k Peikko proposal,pdf.exe	RFQ k Peikko proposal,pdf.exe
PID 564 wrote to memory of 752	564	RFQ k Peikko proposal,pdf.exe	RFQ k Peikko proposal,pdf.exe
PID 564 wrote to memory of 752	564	RFQ k Peikko proposal,pdf.exe	RFQ k Peikko proposal,pdf.exe
PID 564 wrote to memory of 752	564	RFQ k Peikko proposal,pdf.exe	RFQ k Peikko proposal,pdf.exe
PID 564 wrote to memory of 752	564	RFQ k Peikko proposal,pdf.exe	RFQ k Peikko proposal,pdf.exe
PID 752 wrote to memory of 1548	752	RFQ k Peikko proposal,pdf.exe	Fox.exe
PID 752 wrote to memory of 1548	752	RFQ k Peikko proposal,pdf.exe	Fox.exe
PID 752 wrote to memory of 1548	752	RFQ k Peikko proposal,pdf.exe	Fox.exe
PID 752 wrote to memory of 1548	752	RFQ k Peikko proposal,pdf.exe	Fox.exe

C:\Users\Admin\AppData\Local\Temp\RFQ k Peikko proposal,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\RFQ k Peikko proposal,pdf.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:564
- C:\Users\Admin\AppData\Local\Temp\RFQ k Peikko proposal,pdf.exe
  "C:\Users\Admin\AppData\Local\Temp\RFQ k Peikko proposal,pdf.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:752
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\NET4\Fox.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\NET4\Fox.exe
    3⤵
    - Executes dropped EXE
    PID:1548

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

3

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

3

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\NET4\Fox.exe

MD5
91b41651e6e9ab352805c6d35a297d08

SHA1
11b8eaa7b7941461bc952b11ec3f07d25dcd1c2e

SHA256
0872abe29cc9231cdded3a44e02a7ea17f09cf2ac2bdbd7077065858829c3723

SHA512
b0b0d73f6ac7b6e9b39db0fa58931873143f6559c3b8d3db2d82d453045f75da94f3236b6c6c5200b52af6cacc038565eb2e9c6a834608dac0b0e8bb45b1e892

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\NET4\Fox.exe

MD5
91b41651e6e9ab352805c6d35a297d08

SHA1
11b8eaa7b7941461bc952b11ec3f07d25dcd1c2e

SHA256
0872abe29cc9231cdded3a44e02a7ea17f09cf2ac2bdbd7077065858829c3723

SHA512
b0b0d73f6ac7b6e9b39db0fa58931873143f6559c3b8d3db2d82d453045f75da94f3236b6c6c5200b52af6cacc038565eb2e9c6a834608dac0b0e8bb45b1e892

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\NET4\Fox.exe

MD5
91b41651e6e9ab352805c6d35a297d08

SHA1
11b8eaa7b7941461bc952b11ec3f07d25dcd1c2e

SHA256
0872abe29cc9231cdded3a44e02a7ea17f09cf2ac2bdbd7077065858829c3723

SHA512
b0b0d73f6ac7b6e9b39db0fa58931873143f6559c3b8d3db2d82d453045f75da94f3236b6c6c5200b52af6cacc038565eb2e9c6a834608dac0b0e8bb45b1e892

Download Submit
memory/564-64-0x00000000057B0000-0x000000000587A000-memory.dmp

Filesize
808KB

Download
memory/564-65-0x0000000000B80000-0x0000000000BE1000-memory.dmp

Filesize
388KB

Download
memory/564-60-0x0000000001260000-0x0000000001261000-memory.dmp

Filesize
4KB

Download
memory/564-63-0x0000000000970000-0x0000000000983000-memory.dmp

Filesize
76KB

Download
memory/564-62-0x0000000004FE0000-0x0000000004FE1000-memory.dmp

Filesize
4KB

Download
memory/752-66-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/752-67-0x00000000004021F8-mapping.dmp

Download
memory/752-70-0x00000000757C1000-0x00000000757C3000-memory.dmp

Filesize
8KB

Download
memory/752-71-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/1548-73-0x0000000000000000-mapping.dmp

Download
memory/1548-76-0x0000000000180000-0x0000000000181000-memory.dmp

Filesize
4KB

Download
memory/1548-78-0x000000001B060000-0x000000001B062000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing