a310logger | 7603f8e827ab78d5ff15be1b04b9a02821edf3bf90475295e0c7c792bc328f63

General

Target

newbin.exe
Size

364KB
MD5

79a97d24433615837251fe141b7174d4
SHA1

6629ebd021eefece2411f6253e2d0b2c7a04d577
SHA256

7603f8e827ab78d5ff15be1b04b9a02821edf3bf90475295e0c7c792bc328f63
SHA512

8906e0699dfa6d71e21896d1b2c72450b78b49c8d2ea6290f00676a632c3ba703817a43b9fef50e6e9838bf176848d146646bdfdbb1dfc63c43b55f36a8f75e8

Score

10^/10

a310logger collection spyware stealer

Malware Config

Signatures

A310logger
A310 Logger is a .NET stealer/logger targeting passwords from browsers and email clients.
stealer spyware a310logger

A310logger Executable 3 IoCs

resource	yara_rule
behavioral1/files/0x00040000000130db-63.dat	a310logger
behavioral1/files/0x00040000000130db-65.dat	a310logger
behavioral1/files/0x00040000000130db-66.dat	a310logger

Executes dropped EXE 1 IoCs

pid	Process
1636	Fox.exe

Loads dropped DLL 1 IoCs

pid	Process
1208	newbin.exe

Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Fox.exe
Key opened	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Fox.exe
Key opened	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Fox.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1208	newbin.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1208 wrote to memory of 1636	1208	newbin.exe	25
PID 1208 wrote to memory of 1636	1208	newbin.exe	25
PID 1208 wrote to memory of 1636	1208	newbin.exe	25
PID 1208 wrote to memory of 1636	1208	newbin.exe	25

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Fox.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Fox.exe

C:\Users\Admin\AppData\Local\Temp\newbin.exe
"C:\Users\Admin\AppData\Local\Temp\newbin.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1208
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\NET4\Fox.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\NET4\Fox.exe
  2⤵
  - Executes dropped EXE
  - Accesses Microsoft Outlook profiles
  - outlook_office_path
  - outlook_win_path
  PID:1636

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

3

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1208-62-0x0000000075C71000-0x0000000075C73000-memory.dmp

Filesize
8KB

Download
memory/1636-67-0x0000000000910000-0x0000000000911000-memory.dmp

Filesize
4KB

Download
memory/1636-69-0x0000000000450000-0x0000000000452000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing