a310logger | 980ff35a7cf5a6557b96df3d9956a133163d91d1691ccf7c1b752bdc0aa4ff2b

General

Target

Halkbank_Ekstre_20211110089273_0838736543566.exe
Size

762KB
MD5

a9ad148eb1e943000ff55d94820da73c
SHA1

4131afbaa43d4c405e5e5c046065d12456cf8d22
SHA256

980ff35a7cf5a6557b96df3d9956a133163d91d1691ccf7c1b752bdc0aa4ff2b
SHA512

5c88f18eee0ec5e04b9f582f327f1fa125657c4ca9c6b1160ca6dcb900662f7e52529475a6867dbfecca04b69d816dd52ba99bb479fd2e6e4f7165f7af460a22

Score

10^/10

a310logger blustealer collection spyware stealer suricata

Malware Config

Extracted

Family

blustealer

Credentials

Protocol: smtp
Host:
mail.enche.com
Port:
587
Username:
[email protected]
Password:
Merchandise08012021

Signatures

A310logger
A310 Logger is a .NET stealer/logger targeting passwords from browsers and email clients.
stealer spyware a310logger
BluStealer
A Modular information stealer written in Visual Basic.
stealer blustealer
suricata: ET MALWARE a310Logger Stealer Exfil (SMTP)
suricata: ET MALWARE a310Logger Stealer Exfil (SMTP)
suricata

A310logger Executable 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\NET4\Fox.exe	a310logger
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\NET4\Fox.exe	a310logger

Executes dropped EXE 1 IoCs

Processes:

Fox.exe

pid process

2552 Fox.exe
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
2552	Fox.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

Fox.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Fox.exe
Key opened	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Fox.exe
Key opened	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Fox.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Suspicious use of SetThreadContext 1 IoCs

Processes:

Halkbank_Ekstre_20211110089273_0838736543566.exe

description	pid	process	target process
PID 1680 set thread context of 1292	1680	Halkbank_Ekstre_20211110089273_0838736543566.exe	Halkbank_Ekstre_20211110089273_0838736543566.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Halkbank_Ekstre_20211110089273_0838736543566.exe

pid process

1292 Halkbank_Ekstre_20211110089273_0838736543566.exe

pid	process
1292	Halkbank_Ekstre_20211110089273_0838736543566.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

Halkbank_Ekstre_20211110089273_0838736543566.exeHalkbank_Ekstre_20211110089273_0838736543566.exeWinMail.exe

description	pid	process	target process
PID 1680 wrote to memory of 1292	1680	Halkbank_Ekstre_20211110089273_0838736543566.exe	Halkbank_Ekstre_20211110089273_0838736543566.exe
PID 1680 wrote to memory of 1292	1680	Halkbank_Ekstre_20211110089273_0838736543566.exe	Halkbank_Ekstre_20211110089273_0838736543566.exe
PID 1680 wrote to memory of 1292	1680	Halkbank_Ekstre_20211110089273_0838736543566.exe	Halkbank_Ekstre_20211110089273_0838736543566.exe
PID 1680 wrote to memory of 1292	1680	Halkbank_Ekstre_20211110089273_0838736543566.exe	Halkbank_Ekstre_20211110089273_0838736543566.exe
PID 1680 wrote to memory of 1292	1680	Halkbank_Ekstre_20211110089273_0838736543566.exe	Halkbank_Ekstre_20211110089273_0838736543566.exe
PID 1680 wrote to memory of 1292	1680	Halkbank_Ekstre_20211110089273_0838736543566.exe	Halkbank_Ekstre_20211110089273_0838736543566.exe
PID 1680 wrote to memory of 1292	1680	Halkbank_Ekstre_20211110089273_0838736543566.exe	Halkbank_Ekstre_20211110089273_0838736543566.exe
PID 1680 wrote to memory of 1292	1680	Halkbank_Ekstre_20211110089273_0838736543566.exe	Halkbank_Ekstre_20211110089273_0838736543566.exe
PID 1292 wrote to memory of 2552	1292	Halkbank_Ekstre_20211110089273_0838736543566.exe	Fox.exe
PID 1292 wrote to memory of 2552	1292	Halkbank_Ekstre_20211110089273_0838736543566.exe	Fox.exe
PID 1292 wrote to memory of 1424	1292	Halkbank_Ekstre_20211110089273_0838736543566.exe	WinMail.exe
PID 1292 wrote to memory of 1424	1292	Halkbank_Ekstre_20211110089273_0838736543566.exe	WinMail.exe
PID 1292 wrote to memory of 1424	1292	Halkbank_Ekstre_20211110089273_0838736543566.exe	WinMail.exe
PID 1424 wrote to memory of 2312	1424	WinMail.exe	WinMail.exe
PID 1424 wrote to memory of 2312	1424	WinMail.exe	WinMail.exe

outlook_office_path 1 IoCs

Processes:

Fox.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Fox.exe

outlook_win_path 1 IoCs

Processes:

Fox.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Fox.exe

C:\Users\Admin\AppData\Local\Temp\Halkbank_Ekstre_20211110089273_0838736543566.exe
"C:\Users\Admin\AppData\Local\Temp\Halkbank_Ekstre_20211110089273_0838736543566.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1680
- C:\Users\Admin\AppData\Local\Temp\Halkbank_Ekstre_20211110089273_0838736543566.exe
  "C:\Users\Admin\AppData\Local\Temp\Halkbank_Ekstre_20211110089273_0838736543566.exe"
  2⤵
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1292
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\NET4\Fox.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\NET4\Fox.exe
    3⤵
    - Executes dropped EXE
    - Accesses Microsoft Outlook profiles
    - outlook_office_path
    - outlook_win_path
    PID:2552
- - C:\Program Files (x86)\Windows Mail\WinMail.exe
    "C:\Program Files (x86)\Windows Mail\WinMail" OCInstallUserConfigOE
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1424
  - - C:\Program Files\Windows Mail\WinMail.exe
      "C:\Program Files\Windows Mail\WinMail" OCInstallUserConfigOE
      4⤵
      PID:2312

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

3

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\NET4\Fox.exe

MD5
91b41651e6e9ab352805c6d35a297d08

SHA1
11b8eaa7b7941461bc952b11ec3f07d25dcd1c2e

SHA256
0872abe29cc9231cdded3a44e02a7ea17f09cf2ac2bdbd7077065858829c3723

SHA512
b0b0d73f6ac7b6e9b39db0fa58931873143f6559c3b8d3db2d82d453045f75da94f3236b6c6c5200b52af6cacc038565eb2e9c6a834608dac0b0e8bb45b1e892

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\NET4\Fox.exe

MD5
91b41651e6e9ab352805c6d35a297d08

SHA1
11b8eaa7b7941461bc952b11ec3f07d25dcd1c2e

SHA256
0872abe29cc9231cdded3a44e02a7ea17f09cf2ac2bdbd7077065858829c3723

SHA512
b0b0d73f6ac7b6e9b39db0fa58931873143f6559c3b8d3db2d82d453045f75da94f3236b6c6c5200b52af6cacc038565eb2e9c6a834608dac0b0e8bb45b1e892

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\credentials.txt

MD5
055c857272026583a61e1b5821c69a24

SHA1
ec39d34f16487682801dd2b319554cbed57feca4

SHA256
190db16bb64995e3bdea04b9e6fc1994dacfea3253a7559732205b1d41362b84

SHA512
d7833c4651683e95959107e05b07b60d2e963b9fbecd0106b329e2087d1dfc9aedb962b334e22b6b462699cbce86097d4d50ce5d1310ad098e3531efaa4e204b

Download Submit
memory/1292-124-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1292-127-0x0000000000AD0000-0x0000000000ADA000-memory.dmp

Filesize
40KB

Download
memory/1292-126-0x0000000000AD0000-0x0000000000AD6000-memory.dmp

Filesize
24KB

Download
memory/1292-125-0x0000000000401E00-mapping.dmp

Download
memory/1424-135-0x0000000000000000-mapping.dmp

Download
memory/1680-121-0x0000000005B20000-0x0000000005B31000-memory.dmp

Filesize
68KB

Download
memory/1680-123-0x0000000007FB0000-0x000000000802D000-memory.dmp

Filesize
500KB

Download
memory/1680-122-0x0000000007D60000-0x0000000007D61000-memory.dmp

Filesize
4KB

Download
memory/1680-115-0x0000000000D70000-0x0000000000D71000-memory.dmp

Filesize
4KB

Download
memory/1680-120-0x00000000057F0000-0x00000000057F1000-memory.dmp

Filesize
4KB

Download
memory/1680-119-0x00000000055C0000-0x0000000005652000-memory.dmp

Filesize
584KB

Download
memory/1680-118-0x0000000005670000-0x0000000005671000-memory.dmp

Filesize
4KB

Download
memory/1680-117-0x0000000005B70000-0x0000000005B71000-memory.dmp

Filesize
4KB

Download
memory/2312-136-0x0000000000000000-mapping.dmp

Download
memory/2552-128-0x0000000000000000-mapping.dmp

Download
memory/2552-131-0x0000000000060000-0x0000000000061000-memory.dmp

Filesize
4KB

Download
memory/2552-133-0x000000001AC80000-0x000000001AC82000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads