a310logger | fdb6b5f3b83553b83111bd61152a4c4bd29996d778d6c118f52f01abd9435fe5

General

Target

RFQ k Peikko proposal,pdf.exe
Size

1.0MB
MD5

b44f95c332073b28fe95157f470f8f2a
SHA1

ab9265412559d4992d540aa11f05d73e4f544374
SHA256

fdb6b5f3b83553b83111bd61152a4c4bd29996d778d6c118f52f01abd9435fe5
SHA512

25bd35d5bd9d233d9f0bc21afa1af51c2326a252d3afe16f65a22f17ec85bd7a73529b24f4408d20aa0aec84dc79339574f4e57f1876f480bbb6b23cc5aa8f4d

Score

10^/10

a310logger spyware stealer

Malware Config

Signatures

A310logger
A310 Logger is a .NET stealer/logger targeting passwords from browsers and email clients.
stealer spyware a310logger

A310logger Executable 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\NET4\Fox.exe	a310logger
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\NET4\Fox.exe	a310logger

Executes dropped EXE 1 IoCs

Processes:

Fox.exe

pid process

4076 Fox.exe
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Suspicious use of SetThreadContext 1 IoCs

Processes:

RFQ k Peikko proposal,pdf.exe

description pid process target process

PID 3264 set thread context of 3408 3264 RFQ k Peikko proposal,pdf.exe RFQ k Peikko proposal,pdf.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.

Processes:

description flow ioc

HTTP User-Agent header 15 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

RFQ k Peikko proposal,pdf.exe

pid process

3408 RFQ k Peikko proposal,pdf.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

RFQ k Peikko proposal,pdf.exe

pid process

3408 RFQ k Peikko proposal,pdf.exe

pid	process
4076	Fox.exe

description	pid	process	target process
PID 3264 set thread context of 3408	3264	RFQ k Peikko proposal,pdf.exe	RFQ k Peikko proposal,pdf.exe

description	flow	ioc
HTTP User-Agent header	15	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

pid	process
3408	RFQ k Peikko proposal,pdf.exe

pid	process
3408	RFQ k Peikko proposal,pdf.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

RFQ k Peikko proposal,pdf.exeRFQ k Peikko proposal,pdf.exe

description	pid	process	target process
PID 3264 wrote to memory of 3408	3264	RFQ k Peikko proposal,pdf.exe	RFQ k Peikko proposal,pdf.exe
PID 3264 wrote to memory of 3408	3264	RFQ k Peikko proposal,pdf.exe	RFQ k Peikko proposal,pdf.exe
PID 3264 wrote to memory of 3408	3264	RFQ k Peikko proposal,pdf.exe	RFQ k Peikko proposal,pdf.exe
PID 3264 wrote to memory of 3408	3264	RFQ k Peikko proposal,pdf.exe	RFQ k Peikko proposal,pdf.exe
PID 3264 wrote to memory of 3408	3264	RFQ k Peikko proposal,pdf.exe	RFQ k Peikko proposal,pdf.exe
PID 3264 wrote to memory of 3408	3264	RFQ k Peikko proposal,pdf.exe	RFQ k Peikko proposal,pdf.exe
PID 3264 wrote to memory of 3408	3264	RFQ k Peikko proposal,pdf.exe	RFQ k Peikko proposal,pdf.exe
PID 3264 wrote to memory of 3408	3264	RFQ k Peikko proposal,pdf.exe	RFQ k Peikko proposal,pdf.exe
PID 3408 wrote to memory of 4076	3408	RFQ k Peikko proposal,pdf.exe	Fox.exe
PID 3408 wrote to memory of 4076	3408	RFQ k Peikko proposal,pdf.exe	Fox.exe

C:\Users\Admin\AppData\Local\Temp\RFQ k Peikko proposal,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\RFQ k Peikko proposal,pdf.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3264
- C:\Users\Admin\AppData\Local\Temp\RFQ k Peikko proposal,pdf.exe
  "C:\Users\Admin\AppData\Local\Temp\RFQ k Peikko proposal,pdf.exe"
  2⤵
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3408
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\NET4\Fox.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\NET4\Fox.exe
    3⤵
    - Executes dropped EXE
    PID:4076

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

3

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

3

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\NET4\Fox.exe

MD5
91b41651e6e9ab352805c6d35a297d08

SHA1
11b8eaa7b7941461bc952b11ec3f07d25dcd1c2e

SHA256
0872abe29cc9231cdded3a44e02a7ea17f09cf2ac2bdbd7077065858829c3723

SHA512
b0b0d73f6ac7b6e9b39db0fa58931873143f6559c3b8d3db2d82d453045f75da94f3236b6c6c5200b52af6cacc038565eb2e9c6a834608dac0b0e8bb45b1e892

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\NET4\Fox.exe

MD5
91b41651e6e9ab352805c6d35a297d08

SHA1
11b8eaa7b7941461bc952b11ec3f07d25dcd1c2e

SHA256
0872abe29cc9231cdded3a44e02a7ea17f09cf2ac2bdbd7077065858829c3723

SHA512
b0b0d73f6ac7b6e9b39db0fa58931873143f6559c3b8d3db2d82d453045f75da94f3236b6c6c5200b52af6cacc038565eb2e9c6a834608dac0b0e8bb45b1e892

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\credentials.txt

MD5
055c857272026583a61e1b5821c69a24

SHA1
ec39d34f16487682801dd2b319554cbed57feca4

SHA256
190db16bb64995e3bdea04b9e6fc1994dacfea3253a7559732205b1d41362b84

SHA512
d7833c4651683e95959107e05b07b60d2e963b9fbecd0106b329e2087d1dfc9aedb962b334e22b6b462699cbce86097d4d50ce5d1310ad098e3531efaa4e204b

Download Submit
memory/3264-123-0x0000000007960000-0x0000000007A2A000-memory.dmp

Filesize
808KB

Download
memory/3264-118-0x0000000005180000-0x0000000005181000-memory.dmp

Filesize
4KB

Download
memory/3264-120-0x0000000005330000-0x0000000005343000-memory.dmp

Filesize
76KB

Download
memory/3264-121-0x0000000007540000-0x0000000007541000-memory.dmp

Filesize
4KB

Download
memory/3264-122-0x00000000050E0000-0x00000000055DE000-memory.dmp

Filesize
5.0MB

Download
memory/3264-114-0x0000000000730000-0x0000000000731000-memory.dmp

Filesize
4KB

Download
memory/3264-124-0x000000000A0C0000-0x000000000A121000-memory.dmp

Filesize
388KB

Download
memory/3264-116-0x00000000055E0000-0x00000000055E1000-memory.dmp

Filesize
4KB

Download
memory/3264-117-0x00000000050E0000-0x00000000050E1000-memory.dmp

Filesize
4KB

Download
memory/3264-119-0x0000000005060000-0x0000000005061000-memory.dmp

Filesize
4KB

Download
memory/3408-126-0x00000000004021F8-mapping.dmp

Download
memory/3408-125-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/4076-129-0x0000000000000000-mapping.dmp

Download
memory/4076-132-0x0000000000A80000-0x0000000000A81000-memory.dmp

Filesize
4KB

Download
memory/4076-134-0x000000001B710000-0x000000001B712000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing