Analysis
-
max time kernel
73s -
max time network
38s -
platform
windows7_x64 -
resource
win7v20210408 -
submitted
09-08-2021 06:59
Static task
static1
Behavioral task
behavioral1
Sample
RFQ k Peikko proposal,pdf.exe
Resource
win7v20210408
Behavioral task
behavioral2
Sample
RFQ k Peikko proposal,pdf.exe
Resource
win10v20210410
General
-
Target
RFQ k Peikko proposal,pdf.exe
-
Size
1.0MB
-
MD5
b44f95c332073b28fe95157f470f8f2a
-
SHA1
ab9265412559d4992d540aa11f05d73e4f544374
-
SHA256
fdb6b5f3b83553b83111bd61152a4c4bd29996d778d6c118f52f01abd9435fe5
-
SHA512
25bd35d5bd9d233d9f0bc21afa1af51c2326a252d3afe16f65a22f17ec85bd7a73529b24f4408d20aa0aec84dc79339574f4e57f1876f480bbb6b23cc5aa8f4d
Malware Config
Signatures
-
A310logger
A310 Logger is a .NET stealer/logger targeting passwords from browsers and email clients.
-
A310logger Executable 3 IoCs
resource yara_rule behavioral1/files/0x00030000000130da-72.dat a310logger behavioral1/files/0x00030000000130da-74.dat a310logger behavioral1/files/0x00030000000130da-75.dat a310logger -
Executes dropped EXE 1 IoCs
pid Process 1548 Fox.exe -
Loads dropped DLL 1 IoCs
pid Process 752 RFQ k Peikko proposal,pdf.exe -
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 564 set thread context of 752 564 RFQ k Peikko proposal,pdf.exe 29 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 752 RFQ k Peikko proposal,pdf.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 752 RFQ k Peikko proposal,pdf.exe -
Suspicious use of WriteProcessMemory 13 IoCs
description pid Process procid_target PID 564 wrote to memory of 752 564 RFQ k Peikko proposal,pdf.exe 29 PID 564 wrote to memory of 752 564 RFQ k Peikko proposal,pdf.exe 29 PID 564 wrote to memory of 752 564 RFQ k Peikko proposal,pdf.exe 29 PID 564 wrote to memory of 752 564 RFQ k Peikko proposal,pdf.exe 29 PID 564 wrote to memory of 752 564 RFQ k Peikko proposal,pdf.exe 29 PID 564 wrote to memory of 752 564 RFQ k Peikko proposal,pdf.exe 29 PID 564 wrote to memory of 752 564 RFQ k Peikko proposal,pdf.exe 29 PID 564 wrote to memory of 752 564 RFQ k Peikko proposal,pdf.exe 29 PID 564 wrote to memory of 752 564 RFQ k Peikko proposal,pdf.exe 29 PID 752 wrote to memory of 1548 752 RFQ k Peikko proposal,pdf.exe 30 PID 752 wrote to memory of 1548 752 RFQ k Peikko proposal,pdf.exe 30 PID 752 wrote to memory of 1548 752 RFQ k Peikko proposal,pdf.exe 30 PID 752 wrote to memory of 1548 752 RFQ k Peikko proposal,pdf.exe 30
Processes
-
C:\Users\Admin\AppData\Local\Temp\RFQ k Peikko proposal,pdf.exe"C:\Users\Admin\AppData\Local\Temp\RFQ k Peikko proposal,pdf.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:564 -
C:\Users\Admin\AppData\Local\Temp\RFQ k Peikko proposal,pdf.exe"C:\Users\Admin\AppData\Local\Temp\RFQ k Peikko proposal,pdf.exe"2⤵
- Loads dropped DLL
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:752 -
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\NET4\Fox.exeC:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\NET4\Fox.exe3⤵
- Executes dropped EXE
PID:1548
-
-