a310logger | 32635c5f985aa62687009145f91b4523b781bea2faa94f7864d2ff16ab0a14ef

Analysis

max time kernel
6s
max time network
129s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
31/12/2023, 08:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2fa857766a51190a35c523d1e668c419.exe
Size

597KB
MD5

2fa857766a51190a35c523d1e668c419
SHA1

a03a3e40fea2601e2b745b6d111d8b50384f1bd5
SHA256

32635c5f985aa62687009145f91b4523b781bea2faa94f7864d2ff16ab0a14ef
SHA512

3c54fd2dcfce7e412b8fe2bf328b7feb22dc2eabc24b14040255b7844280c0b4e5d9860c3e244fd90e5702b51454a406039bfd4edd245ee0f530eac4ed191556
SSDEEP

12288:pjxXyjFxBYSk/XE+DF7ruopsW+grfBecYSDE5JVKV6m9E1/E:pjlyZxBAXdZ75CgEcfDE5kKdE

Score

10^/10

a310logger stormkitty zgrat collection rat spyware stealer

Malware Config

Signatures

A310logger
A310 Logger is a .NET stealer/logger targeting passwords from browsers and email clients.
stealer spyware a310logger

Detect ZGRat V1 1 IoCs

resource	yara_rule
behavioral1/memory/2508-4-0x0000000000380000-0x0000000000396000-memory.dmp	family_zgrat_v1

StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 7 IoCs

resource	yara_rule
behavioral1/memory/2768-27-0x0000000000400000-0x0000000000418000-memory.dmp	family_stormkitty
behavioral1/memory/2768-31-0x0000000000400000-0x0000000000418000-memory.dmp	family_stormkitty
behavioral1/memory/2768-29-0x0000000000400000-0x0000000000418000-memory.dmp	family_stormkitty
behavioral1/memory/2768-23-0x0000000000400000-0x0000000000418000-memory.dmp	family_stormkitty
behavioral1/memory/2768-21-0x0000000000400000-0x0000000000418000-memory.dmp	family_stormkitty
behavioral1/memory/2372-128-0x0000000000400000-0x0000000000418000-memory.dmp	family_stormkitty
behavioral1/memory/2372-126-0x0000000000400000-0x0000000000418000-memory.dmp	family_stormkitty

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

A310logger Executable 8 IoCs

resource	yara_rule
behavioral1/memory/2768-27-0x0000000000400000-0x0000000000418000-memory.dmp	a310logger
behavioral1/memory/2768-31-0x0000000000400000-0x0000000000418000-memory.dmp	a310logger
behavioral1/memory/2768-29-0x0000000000400000-0x0000000000418000-memory.dmp	a310logger
behavioral1/memory/2768-23-0x0000000000400000-0x0000000000418000-memory.dmp	a310logger
behavioral1/memory/2768-21-0x0000000000400000-0x0000000000418000-memory.dmp	a310logger
behavioral1/files/0x0036000000015c7b-100.dat	a310logger
behavioral1/memory/2372-128-0x0000000000400000-0x0000000000418000-memory.dmp	a310logger
behavioral1/memory/2372-126-0x0000000000400000-0x0000000000418000-memory.dmp	a310logger

Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	InstallUtil.exe
Key opened	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	InstallUtil.exe
Key opened	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	InstallUtil.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
2	icanhazip.com

Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2508 set thread context of 2252	2508	2fa857766a51190a35c523d1e668c419.exe	28
PID 2252 set thread context of 2768	2252	2fa857766a51190a35c523d1e668c419.exe	29

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	InstallUtil.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	InstallUtil.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2252	2fa857766a51190a35c523d1e668c419.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2252	2fa857766a51190a35c523d1e668c419.exe
2252	2fa857766a51190a35c523d1e668c419.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 2508 wrote to memory of 2252	2508	2fa857766a51190a35c523d1e668c419.exe	28
PID 2508 wrote to memory of 2252	2508	2fa857766a51190a35c523d1e668c419.exe	28
PID 2508 wrote to memory of 2252	2508	2fa857766a51190a35c523d1e668c419.exe	28
PID 2508 wrote to memory of 2252	2508	2fa857766a51190a35c523d1e668c419.exe	28
PID 2508 wrote to memory of 2252	2508	2fa857766a51190a35c523d1e668c419.exe	28
PID 2508 wrote to memory of 2252	2508	2fa857766a51190a35c523d1e668c419.exe	28
PID 2508 wrote to memory of 2252	2508	2fa857766a51190a35c523d1e668c419.exe	28
PID 2508 wrote to memory of 2252	2508	2fa857766a51190a35c523d1e668c419.exe	28
PID 2508 wrote to memory of 2252	2508	2fa857766a51190a35c523d1e668c419.exe	28
PID 2252 wrote to memory of 2768	2252	2fa857766a51190a35c523d1e668c419.exe	29
PID 2252 wrote to memory of 2768	2252	2fa857766a51190a35c523d1e668c419.exe	29
PID 2252 wrote to memory of 2768	2252	2fa857766a51190a35c523d1e668c419.exe	29
PID 2252 wrote to memory of 2768	2252	2fa857766a51190a35c523d1e668c419.exe	29
PID 2252 wrote to memory of 2768	2252	2fa857766a51190a35c523d1e668c419.exe	29
PID 2252 wrote to memory of 2768	2252	2fa857766a51190a35c523d1e668c419.exe	29
PID 2252 wrote to memory of 2768	2252	2fa857766a51190a35c523d1e668c419.exe	29
PID 2252 wrote to memory of 2768	2252	2fa857766a51190a35c523d1e668c419.exe	29
PID 2252 wrote to memory of 2768	2252	2fa857766a51190a35c523d1e668c419.exe	29
PID 2252 wrote to memory of 2768	2252	2fa857766a51190a35c523d1e668c419.exe	29
PID 2252 wrote to memory of 2768	2252	2fa857766a51190a35c523d1e668c419.exe	29
PID 2252 wrote to memory of 2768	2252	2fa857766a51190a35c523d1e668c419.exe	29

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	InstallUtil.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	InstallUtil.exe

C:\Users\Admin\AppData\Local\Temp\2fa857766a51190a35c523d1e668c419.exe
"C:\Users\Admin\AppData\Local\Temp\2fa857766a51190a35c523d1e668c419.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2508
- C:\Users\Admin\AppData\Local\Temp\2fa857766a51190a35c523d1e668c419.exe
  "C:\Users\Admin\AppData\Local\Temp\2fa857766a51190a35c523d1e668c419.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2252
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe"
    3⤵
    - Accesses Microsoft Outlook profiles
    - Checks processor information in registry
    - outlook_office_path
    - outlook_win_path
    PID:2768
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\MZ.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\MZ.exe"
      4⤵
      PID:1956
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe"
    3⤵
    PID:1388
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe"
    3⤵
    PID:2372
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\MZ.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\MZ.exe"
      4⤵
      PID:1528

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
72a7632027dedb229806ac3df1171a0d

SHA1
f19bbd06eb66602398175af64d868fd4ed7333dc

SHA256
a9e33dacc1bddf8d1e860361b5ca6b985850c68fa8403290f947bd3e5f6e2544

SHA512
f63e3a89e69eab9fa5819762db0e0a7d14d1ed05009b0fa71d695ea5e64277f655c1356d9faaebaf2a49b6f7182d5ffa310b793175af7cbe644e814787128284

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab9E63.tmp

Filesize
30KB

MD5
c59b19dcf7725b5c2e3e148879a0f8ce

SHA1
e83439d0edc1a4580cee5743bbe8091380015f14

SHA256
53060476a1b8ae0812efdf4740d4de144ab47eba200320f13657d9ed44c3d041

SHA512
680106501fcf309bcbb113ed843dbd7685a0b674cc05ac85e6b0d2ab3b0dc2c835f781fe13d2ebc775496ba6da50d7ae464821bb63c13e5ef55a501d8829725e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar9F41.tmp

Filesize
39KB

MD5
34325be3507824570b2b8f4219a6e121

SHA1
b788bfeda0d4d8cbcc68b011f3dec9d6758dc4f0

SHA256
22f6ca482d117df1cd1f288b5c4c72eab457a5401d2e3ed4dcca05baa444ca1e

SHA512
90820b72619aa136275a5968ecaae8649bedf7c7b3dcde20b835316bd26b98b44b49f37a875b6cbf45cc42d6bcf5fbc82755331d9c546df91b5d894132dc02b5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\MZ.exe

Filesize
20KB

MD5
1bad0cbd09b05a21157d8255dc801778

SHA1
ff284bba12f011b72e20d4c9537d6c455cdbf228

SHA256
218073bda7a00e780704c1289d5e22ad27bb3ba11f210afa18af33a6ad5176e9

SHA512
4fea56812eba1f1bba17f20d06b509e2a3b4e138562e53c230d0736d596abed4a6a3e43e26936fcd6d107924c8bba41885f34901afa4fd0d37d7e4a93c9b8533

Download Submit
memory/1528-159-0x000007FEF5650000-0x000007FEF5FED000-memory.dmp

Filesize
9.6MB

Download
memory/1528-155-0x000007FEF5650000-0x000007FEF5FED000-memory.dmp

Filesize
9.6MB

Download
memory/1528-157-0x000007FEF5650000-0x000007FEF5FED000-memory.dmp

Filesize
9.6MB

Download
memory/1528-156-0x0000000001F80000-0x0000000002000000-memory.dmp

Filesize
512KB

Download
memory/1956-107-0x000007FEF5450000-0x000007FEF5DED000-memory.dmp

Filesize
9.6MB

Download
memory/1956-106-0x000007FEF5450000-0x000007FEF5DED000-memory.dmp

Filesize
9.6MB

Download
memory/2252-11-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2252-14-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2252-102-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2252-7-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2252-9-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2252-5-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2252-6-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2372-158-0x0000000073DF0000-0x000000007439B000-memory.dmp

Filesize
5.7MB

Download
memory/2372-122-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2372-131-0x0000000073DF0000-0x000000007439B000-memory.dmp

Filesize
5.7MB

Download
memory/2372-130-0x0000000000360000-0x00000000003A0000-memory.dmp

Filesize
256KB

Download
memory/2372-126-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2372-129-0x0000000073DF0000-0x000000007439B000-memory.dmp

Filesize
5.7MB

Download
memory/2372-128-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2508-13-0x0000000074130000-0x000000007481E000-memory.dmp

Filesize
6.9MB

Download
memory/2508-1-0x0000000074130000-0x000000007481E000-memory.dmp

Filesize
6.9MB

Download
memory/2508-4-0x0000000000380000-0x0000000000396000-memory.dmp

Filesize
88KB

Download
memory/2508-3-0x0000000004AA0000-0x0000000004AE0000-memory.dmp

Filesize
256KB

Download
memory/2508-2-0x0000000000C70000-0x0000000000CE8000-memory.dmp

Filesize
480KB

Download
memory/2508-0-0x00000000010B0000-0x000000000114A000-memory.dmp

Filesize
616KB

Download
memory/2768-27-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2768-108-0x0000000073EB0000-0x000000007445B000-memory.dmp

Filesize
5.7MB

Download
memory/2768-103-0x0000000073EB0000-0x000000007445B000-memory.dmp

Filesize
5.7MB

Download
memory/2768-33-0x0000000073EB0000-0x000000007445B000-memory.dmp

Filesize
5.7MB

Download
memory/2768-34-0x0000000000C70000-0x0000000000CB0000-memory.dmp

Filesize
256KB

Download
memory/2768-32-0x0000000073EB0000-0x000000007445B000-memory.dmp

Filesize
5.7MB

Download
memory/2768-17-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2768-19-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2768-21-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2768-23-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2768-25-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2768-29-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2768-31-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download