a310logger | 139b8756b01add9dcac07d3a0137b0ea49a932fc4804ad0eca63ffc2958eda72

Analysis

max time kernel
50s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
30-12-2023 02:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0bb1c29f4a8c046e798cd9781cc127a7.exe
Size

876KB
MD5

0bb1c29f4a8c046e798cd9781cc127a7
SHA1

bbad89c8d04b20f63d36014f00ded3818e595a53
SHA256

139b8756b01add9dcac07d3a0137b0ea49a932fc4804ad0eca63ffc2958eda72
SHA512

4b439bd85c725f104be24956525a6ae1a16dba28fe254695cbd667933d0cce2225e9a0f934ef17e1f5ef65ac033aa6ed72d016e3bed0bf270dd3d1eef12de63f
SSDEEP

12288:+nkguFRskuUAlWC/44toU73kJiIWK4vV9BrFZsk1q1/1Yah2UKbnltqvTmDcN:0kEkuUAlV46zbk6K6VVZsuSYgF+qvH

Score

10^/10

a310logger blustealer spyware stealer

Malware Config

Extracted

Family

blustealer

Credentials

Protocol: smtp
Host:
smtp.privateemail.com
Port:
587
Username:
[email protected]
Password:
@@@@@@

Signatures

A310logger
A310 Logger is a .NET stealer/logger targeting passwords from browsers and email clients.
stealer spyware a310logger
BluStealer
A Modular information stealer written in Visual Basic.
stealer blustealer

A310logger Executable 3 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\NET4\Fox.exe	a310logger
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\NET4\Fox.exe	a310logger
behavioral2/memory/1092-51-0x00000000009B0000-0x0000000000A62000-memory.dmp	a310logger

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

3548 schtasks.exe

pid	process
3548	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\0bb1c29f4a8c046e798cd9781cc127a7.exe
"C:\Users\Admin\AppData\Local\Temp\0bb1c29f4a8c046e798cd9781cc127a7.exe"
1⤵
PID:1164

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\JacGDBJ" /XML "C:\Users\Admin\AppData\Local\Temp\tmp2584.tmp"
2⤵
- Creates scheduled task(s)
PID:3548

C:\Users\Admin\AppData\Local\Temp\0bb1c29f4a8c046e798cd9781cc127a7.exe
"{path}"
2⤵
PID:3052

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\NET4\Fox.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\NET4\Fox.exe
3⤵
PID:1092

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp2584.tmp
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Files.zip
Filesize
24B

MD5
98a833e15d18697e8e56cdafb0642647

SHA1
e5f94d969899646a3d4635f28a7cd9dd69705887

SHA256
ff006c86b5ec033fe3cafd759bf75be00e50c375c75157e99c0c5d39c96a2a6c

SHA512
c6f9a09d9707b770dbc10d47c4d9b949f4ebf5f030b5ef8c511b635c32d418ad25d72eee5d7ed02a96aeb8bf2c85491ca1aa0e4336d242793c886ed1bcdd910b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Files.zip
Filesize
3.7MB

MD5
58c176860e5fd80830f83e1327aedf6e

SHA1
db73217a964c27a3cb6b60cf950b19a7c8ca4199

SHA256
734be1e3625b6795aa0125996dda01264ba09b8cfe81bcf8ee58587ea16e4f57

SHA512
b46f6cc81fca0992e9e3e99d7ae220dc01193073be3bd9d0b15ebe176379da54fc0dfdc7c7b2da76d5d5ae053d4568fe56ca96416c4bcbef2d26ee0ac8deaff3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Files\DebugResize.rtf
Filesize
18KB

MD5
15f28d2da355b46aac95f16968b9d26a

SHA1
5382e5ab1e2baf6ec8ca4231cd78b5acc8b124f7

SHA256
fcfa6468cff03836d2aabc43bd17efa7dbcdd276fafbbbca92b32672fe86c9ec

SHA512
fbdcd157c3d731979abbb352bcda590b66036b688ae171a1e8e11d1b2aad71612beff2505b22b4dce4fc85bd358bdf70f2953beb2c9a719fe93b9afbe175eb60

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Files\Files.docx
Filesize
11KB

MD5
4a8fbd593a733fc669169d614021185b

SHA1
166e66575715d4c52bcb471c09bdbc5a9bb2f615

SHA256
714cd32f8edacb3befbfc4b17db5b6eb05c2c8936e3bae14ea25a6050d88ae42

SHA512
6b2ebbbc34cd821fd9b3d7711d9cdadd8736412227e191883e5df19068f8118b7c80248eb61cc0a2f785a4153871a6003d79de934254b2c74c33b284c507a33b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Files\ImportGet.xlsm
Filesize
46KB

MD5
c5d81c4d42dbb3fa076f803cb2e629e5

SHA1
b9785c3dd1c74a384abf0546d4711ea50dbd48d2

SHA256
e4c0931304ead1184d1a04e0898b9e2d50716f3130578be0e37bbabdbb3ad9b1

SHA512
667a16cf83e996fd61835986f2d3494f6778f15a60c0cfaa641090a697c449440ee7457946639089af168ef04462cf6679a09a9c18133cd84439099f6aef1b5d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Files\Opened.docx
Filesize
11KB

MD5
bfbc1a403197ac8cfc95638c2da2cf0e

SHA1
634658f4dd9747e87fa540f5ba47e218acfc8af2

SHA256
272ed278e82c84cf4f80f48ec7989e1fc35f2055d6d05b63c8a31880846597a6

SHA512
b8938526fcbf7152805aec130ca553e3ec949cb825430a5d0a25c90ec5eb0863857010484a4b31fdc4bb65a4c92ad7127c812b93114be4569a677f60debe43b1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Files\PingPublish.pdf
Filesize
13KB

MD5
91300b76ee60c9f235d90e95fadac3d5

SHA1
2f7040a435560b6cffb2120d2f6ee4a19f9cf275

SHA256
e2933e1b7e5c268393a6d2752637a3f9aa694b37d6d0ce94490e18d0a5dced1f

SHA512
8df6e18585d8f9bafd81f47777036cbe338729cad0e264200f831ee296a44b9bfac33800503fefbe6aede81a91ca00ecc6a557d1ede3abd653f7dc31e9701be0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Files\Recently.docx
Filesize
11KB

MD5
3b068f508d40eb8258ff0b0592ca1f9c

SHA1
59ac025c3256e9c6c86165082974fe791ff9833a

SHA256
07db44a8d6c3a512b15f1cb7262a2d7e4b63ced2130bc9228515431699191cc7

SHA512
e29624bc8fecb0e2a9d917642375bd97b42502e5f23812195a61a4920cae5b6ed540e74dfcf8432dcceb7de906ad0501cdd68056f9b0ec86a6bb0c1e336bfe32

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Files\These.docx
Filesize
11KB

MD5
87cbab2a743fb7e0625cc332c9aac537

SHA1
50f858caa7f4ac3a93cf141a5d15b4edeb447ee7

SHA256
57e3b0d22fa619da90237d8bcf8f922b142c9f6abf47efc5a1f5b208c4d3f023

SHA512
6b678f0dd0030806effe6825fd52a6a30b951e0c3dcf91dfd7a713d387aa8b39ec24368e9623c463360acba5e929e268f75ce996526c5d4485894b8ac6b2e0fa

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\NET4\Fox.exe
Filesize
15KB

MD5
6e0f56005f4b540bcbc1e062326c5b12

SHA1
f6af0da73d8659cff8468e30dfbe3b345b2b25a2

SHA256
a4b91781bc28fe99832fe17ebd67e720225c7ee5fd8f789593ef34c5b3eed846

SHA512
328e99f174adb5346de400d3e581b26d0aaf5e042dc75dc048b389df049920e637aa3ecd545f5a267562508e6cf303ce585ec2336709796752824cafe77aff50

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\NET4\Fox.exe
Filesize
53KB

MD5
8e247ee4a5ad26e808ad76a8f65ea1c9

SHA1
4bcd3462dd28b4703ca078be8dc63151e3b235bb

SHA256
bf226e2098d459e5158507c6c1b9fe45e4882331f2fc06221842ce0292c2e3c9

SHA512
919a9f794534c663f801abad4df0256b697f8f9727e29677e0563fb0de1956903a91e1e372811a133b607e7f9afc79ea36899b0fcb446dbccc42ab74359d2a34

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\credentials.txt
Filesize
691B

MD5
055c857272026583a61e1b5821c69a24

SHA1
ec39d34f16487682801dd2b319554cbed57feca4

SHA256
190db16bb64995e3bdea04b9e6fc1994dacfea3253a7559732205b1d41362b84

SHA512
d7833c4651683e95959107e05b07b60d2e963b9fbecd0106b329e2087d1dfc9aedb962b334e22b6b462699cbce86097d4d50ce5d1310ad098e3531efaa4e204b

Download Submit
memory/1092-51-0x00000000009B0000-0x0000000000A62000-memory.dmp

Filesize
712KB

Download
memory/1092-61-0x00007FFCF07B0000-0x00007FFCF1271000-memory.dmp

Filesize
10.8MB

Download
memory/1092-52-0x00007FFCF07B0000-0x00007FFCF1271000-memory.dmp

Filesize
10.8MB

Download
memory/1092-53-0x000000001B730000-0x000000001B740000-memory.dmp

Filesize
64KB

Download
memory/1164-10-0x0000000007EF0000-0x0000000007FAE000-memory.dmp

Filesize
760KB

Download
memory/1164-8-0x00000000748C0000-0x0000000075070000-memory.dmp

Filesize
7.7MB

Download
memory/1164-1-0x0000000000680000-0x0000000000762000-memory.dmp

Filesize
904KB

Download
memory/1164-0-0x00000000748C0000-0x0000000075070000-memory.dmp

Filesize
7.7MB

Download
memory/1164-19-0x00000000748C0000-0x0000000075070000-memory.dmp

Filesize
7.7MB

Download
memory/1164-2-0x0000000005730000-0x0000000005CD4000-memory.dmp

Filesize
5.6MB

Download
memory/1164-9-0x0000000005160000-0x0000000005170000-memory.dmp

Filesize
64KB

Download
memory/1164-11-0x0000000007D80000-0x0000000007DF2000-memory.dmp

Filesize
456KB

Download
memory/1164-7-0x0000000006480000-0x000000000651C000-memory.dmp

Filesize
624KB

Download
memory/1164-6-0x00000000054E0000-0x00000000054E8000-memory.dmp

Filesize
32KB

Download
memory/1164-5-0x0000000005150000-0x000000000515A000-memory.dmp

Filesize
40KB

Download
memory/1164-4-0x0000000005160000-0x0000000005170000-memory.dmp

Filesize
64KB

Download
memory/1164-3-0x0000000005180000-0x0000000005212000-memory.dmp

Filesize
584KB

Download
memory/3052-15-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/3052-18-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/3052-139-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download