a310logger | fdb6b5f3b83553b83111bd61152a4c4bd29996d778d6c118f52f01abd9435fe5

General

Target

RFQ k Peikko proposal,pdf.exe
Size

1.0MB
MD5

b44f95c332073b28fe95157f470f8f2a
SHA1

ab9265412559d4992d540aa11f05d73e4f544374
SHA256

fdb6b5f3b83553b83111bd61152a4c4bd29996d778d6c118f52f01abd9435fe5
SHA512

25bd35d5bd9d233d9f0bc21afa1af51c2326a252d3afe16f65a22f17ec85bd7a73529b24f4408d20aa0aec84dc79339574f4e57f1876f480bbb6b23cc5aa8f4d

Score

10^/10

a310logger spyware stealer

Malware Config

Signatures

A310logger
A310 Logger is a .NET stealer/logger targeting passwords from browsers and email clients.
stealer spyware a310logger

A310logger Executable 2 IoCs

resource	yara_rule
behavioral2/files/0x000100000001ab64-130.dat	a310logger
behavioral2/files/0x000100000001ab64-131.dat	a310logger

Executes dropped EXE 1 IoCs

pid	Process
4076	Fox.exe

Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3264 set thread context of 3408	3264	RFQ k Peikko proposal,pdf.exe	79

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	15	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3408	RFQ k Peikko proposal,pdf.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3408	RFQ k Peikko proposal,pdf.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 3264 wrote to memory of 3408	3264	RFQ k Peikko proposal,pdf.exe	79
PID 3264 wrote to memory of 3408	3264	RFQ k Peikko proposal,pdf.exe	79
PID 3264 wrote to memory of 3408	3264	RFQ k Peikko proposal,pdf.exe	79
PID 3264 wrote to memory of 3408	3264	RFQ k Peikko proposal,pdf.exe	79
PID 3264 wrote to memory of 3408	3264	RFQ k Peikko proposal,pdf.exe	79
PID 3264 wrote to memory of 3408	3264	RFQ k Peikko proposal,pdf.exe	79
PID 3264 wrote to memory of 3408	3264	RFQ k Peikko proposal,pdf.exe	79
PID 3264 wrote to memory of 3408	3264	RFQ k Peikko proposal,pdf.exe	79
PID 3408 wrote to memory of 4076	3408	RFQ k Peikko proposal,pdf.exe	80
PID 3408 wrote to memory of 4076	3408	RFQ k Peikko proposal,pdf.exe	80

C:\Users\Admin\AppData\Local\Temp\RFQ k Peikko proposal,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\RFQ k Peikko proposal,pdf.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3264
- C:\Users\Admin\AppData\Local\Temp\RFQ k Peikko proposal,pdf.exe
  "C:\Users\Admin\AppData\Local\Temp\RFQ k Peikko proposal,pdf.exe"
  2⤵
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3408
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\NET4\Fox.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\NET4\Fox.exe
    3⤵
    - Executes dropped EXE
    PID:4076

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

3

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

3

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3264-123-0x0000000007960000-0x0000000007A2A000-memory.dmp

Filesize
808KB

Download
memory/3264-118-0x0000000005180000-0x0000000005181000-memory.dmp

Filesize
4KB

Download
memory/3264-120-0x0000000005330000-0x0000000005343000-memory.dmp

Filesize
76KB

Download
memory/3264-121-0x0000000007540000-0x0000000007541000-memory.dmp

Filesize
4KB

Download
memory/3264-122-0x00000000050E0000-0x00000000055DE000-memory.dmp

Filesize
5.0MB

Download
memory/3264-114-0x0000000000730000-0x0000000000731000-memory.dmp

Filesize
4KB

Download
memory/3264-124-0x000000000A0C0000-0x000000000A121000-memory.dmp

Filesize
388KB

Download
memory/3264-116-0x00000000055E0000-0x00000000055E1000-memory.dmp

Filesize
4KB

Download
memory/3264-117-0x00000000050E0000-0x00000000050E1000-memory.dmp

Filesize
4KB

Download
memory/3264-119-0x0000000005060000-0x0000000005061000-memory.dmp

Filesize
4KB

Download
memory/3408-125-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/4076-132-0x0000000000A80000-0x0000000000A81000-memory.dmp

Filesize
4KB

Download
memory/4076-134-0x000000001B710000-0x000000001B712000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing