a310logger | 8742189aa8e9303ed7ce67da39348d2bb6628a6c5243c6e9a968499098f42178

General

Target

3dbc477725b5a88f511f1b4e3bcc38fc.exe
Size

1.0MB
MD5

3dbc477725b5a88f511f1b4e3bcc38fc
SHA1

a81ed8a5aed97fb6efa956e5c485f2aad8467e9f
SHA256

8742189aa8e9303ed7ce67da39348d2bb6628a6c5243c6e9a968499098f42178
SHA512

60de5350d98658ab152bd361e5a7fe6c5c3f294ced8067a8ea1a3e98004759723457a9e9e36a6cc01c5a35474ab4db06695111a0143972ffb0fdfe55c97da517
SSDEEP

12288:CGj/sthsNaJ31H2FTQi66ulHOG8BmRSdss/K0Iwxz0GAoSKv4wvx0mwTiEH8vPNG:9othaFMiA78BTQRGLgw0XTiEHwm

Score

10^/10

a310logger blustealer collection spyware stealer

Malware Config

Extracted

Family

blustealer

Credentials

Protocol: smtp
Host:
mail.yekamuhendislik.com
Port:
587
Username:
[email protected]
Password:
MuhasebE123*

Signatures

A310logger
A310 Logger is a .NET stealer/logger targeting passwords from browsers and email clients.
stealer spyware a310logger
BluStealer
A Modular information stealer written in Visual Basic.
stealer blustealer

A310logger Executable 3 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4016-55-0x0000000000D70000-0x0000000000E22000-memory.dmp	a310logger
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\NET4\Fox.exe	a310logger
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\NET4\Fox.exe	a310logger

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

3dbc477725b5a88f511f1b4e3bcc38fc.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation	3dbc477725b5a88f511f1b4e3bcc38fc.exe

Executes dropped EXE 1 IoCs

Processes:

Fox.exe

pid process

4016 Fox.exe
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
4016	Fox.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

Fox.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Fox.exe
Key opened	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Fox.exe
Key opened	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Fox.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

3dbc477725b5a88f511f1b4e3bcc38fc.exe

description pid process target process

PID 3516 set thread context of 632 3516 3dbc477725b5a88f511f1b4e3bcc38fc.exe 3dbc477725b5a88f511f1b4e3bcc38fc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

1236 schtasks.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

3dbc477725b5a88f511f1b4e3bcc38fc.exe

pid process

3516 3dbc477725b5a88f511f1b4e3bcc38fc.exe
3516 3dbc477725b5a88f511f1b4e3bcc38fc.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

3dbc477725b5a88f511f1b4e3bcc38fc.exe

description pid process

Token: SeDebugPrivilege 3516 3dbc477725b5a88f511f1b4e3bcc38fc.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

3dbc477725b5a88f511f1b4e3bcc38fc.exe

pid process

632 3dbc477725b5a88f511f1b4e3bcc38fc.exe

description	pid	process	target process
PID 3516 set thread context of 632	3516	3dbc477725b5a88f511f1b4e3bcc38fc.exe	3dbc477725b5a88f511f1b4e3bcc38fc.exe

pid	process
1236	schtasks.exe

pid	process
3516	3dbc477725b5a88f511f1b4e3bcc38fc.exe
3516	3dbc477725b5a88f511f1b4e3bcc38fc.exe

description	pid	process
Token: SeDebugPrivilege	3516	3dbc477725b5a88f511f1b4e3bcc38fc.exe

pid	process
632	3dbc477725b5a88f511f1b4e3bcc38fc.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

3dbc477725b5a88f511f1b4e3bcc38fc.exe3dbc477725b5a88f511f1b4e3bcc38fc.exe

description	pid	process	target process
PID 3516 wrote to memory of 1236	3516	3dbc477725b5a88f511f1b4e3bcc38fc.exe	schtasks.exe
PID 3516 wrote to memory of 1236	3516	3dbc477725b5a88f511f1b4e3bcc38fc.exe	schtasks.exe
PID 3516 wrote to memory of 1236	3516	3dbc477725b5a88f511f1b4e3bcc38fc.exe	schtasks.exe
PID 3516 wrote to memory of 632	3516	3dbc477725b5a88f511f1b4e3bcc38fc.exe	3dbc477725b5a88f511f1b4e3bcc38fc.exe
PID 3516 wrote to memory of 632	3516	3dbc477725b5a88f511f1b4e3bcc38fc.exe	3dbc477725b5a88f511f1b4e3bcc38fc.exe
PID 3516 wrote to memory of 632	3516	3dbc477725b5a88f511f1b4e3bcc38fc.exe	3dbc477725b5a88f511f1b4e3bcc38fc.exe
PID 3516 wrote to memory of 632	3516	3dbc477725b5a88f511f1b4e3bcc38fc.exe	3dbc477725b5a88f511f1b4e3bcc38fc.exe
PID 3516 wrote to memory of 632	3516	3dbc477725b5a88f511f1b4e3bcc38fc.exe	3dbc477725b5a88f511f1b4e3bcc38fc.exe
PID 3516 wrote to memory of 632	3516	3dbc477725b5a88f511f1b4e3bcc38fc.exe	3dbc477725b5a88f511f1b4e3bcc38fc.exe
PID 3516 wrote to memory of 632	3516	3dbc477725b5a88f511f1b4e3bcc38fc.exe	3dbc477725b5a88f511f1b4e3bcc38fc.exe
PID 3516 wrote to memory of 632	3516	3dbc477725b5a88f511f1b4e3bcc38fc.exe	3dbc477725b5a88f511f1b4e3bcc38fc.exe
PID 632 wrote to memory of 4016	632	3dbc477725b5a88f511f1b4e3bcc38fc.exe	Fox.exe
PID 632 wrote to memory of 4016	632	3dbc477725b5a88f511f1b4e3bcc38fc.exe	Fox.exe

outlook_office_path 1 IoCs

Processes:

Fox.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Fox.exe

outlook_win_path 1 IoCs

Processes:

Fox.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Fox.exe

C:\Users\Admin\AppData\Local\Temp\3dbc477725b5a88f511f1b4e3bcc38fc.exe
"C:\Users\Admin\AppData\Local\Temp\3dbc477725b5a88f511f1b4e3bcc38fc.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3516
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\VqTEFYQXsiQibk" /XML "C:\Users\Admin\AppData\Local\Temp\tmp2BBE.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:1236
- C:\Users\Admin\AppData\Local\Temp\3dbc477725b5a88f511f1b4e3bcc38fc.exe
  "C:\Users\Admin\AppData\Local\Temp\3dbc477725b5a88f511f1b4e3bcc38fc.exe"
  2⤵
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:632
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\NET4\Fox.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\NET4\Fox.exe
    3⤵
    - Executes dropped EXE
    - Accesses Microsoft Outlook profiles
    - outlook_office_path
    - outlook_win_path
    PID:4016

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Unsecured Credentials

2

T1552

Credentials In Files

2

T1552.001

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp2BBE.tmp

Filesize
1KB

MD5
bb3b60479f56c17daecf828d05935288

SHA1
9f89d499b89e2aa5f7df79aae55bf294d474e5e8

SHA256
31c88515c0a21b871d482da05a57e6417c41c87a58aec42211bf429650813bff

SHA512
05c29566845ea9fafaa7c17a43d9dda82b5564ec4b6aea0cc601bedc497956279d1b591a7d78c2f23c528ff5f551757ddf6e23ec598485f740a7fd35d8e9a10b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\I5ZG0DCWBR.zip

Filesize
285KB

MD5
40a9752d59f2883e40d928f85a749008

SHA1
c60fb58eff64a7969b46f3934766f991352eeb47

SHA256
ef95540ec8dae3d255439fb847d26397c265b5cccda5ed0d6b9ed3dda14a2820

SHA512
ce33985f91103315accb1039635488d7e144df264bab8e164c1f9844ce6923e1c9c76349f14542901887ffcbbbca40b92cf474126f0b94893e8af1f608464b3c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\NET4\Fox.exe

Filesize
382KB

MD5
23fc074dc1aac647eb2b856948805bd0

SHA1
113dfbe3ba6554087a95d838df8df7b1275f9085

SHA256
7f7badd5197dcb4864320f16d6bb64880a9fde01274a8ccc3805241c49e1e2cb

SHA512
ac20058dab07f07e0430572e62a9e30d17ebb93c72b80b092e892695d2f969d7e69c62eb55f5c2bf22f5a4e30ee607476390542f9ca542b4cc1a667ed8f15c98

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\NET4\Fox.exe

Filesize
93KB

MD5
01157a9116c5029c13c46a48ae4c2c13

SHA1
6a6b8e376c9867d97bec3f9fb40bfd8623dd8c66

SHA256
9e950481562db4e79aea90e8fb577ead1eb6a0e73b144b50d976ac7ba476360b

SHA512
f42ed363f8f88aefb4e10b62f28e6714309f5609a1884ad394bcbf6d29a0b9c3bfc3fe1cee9759374846b157aab4816d9503c7eb694d41d9f41de2a1bea98cd8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\credentials.txt

Filesize
691B

MD5
055c857272026583a61e1b5821c69a24

SHA1
ec39d34f16487682801dd2b319554cbed57feca4

SHA256
190db16bb64995e3bdea04b9e6fc1994dacfea3253a7559732205b1d41362b84

SHA512
d7833c4651683e95959107e05b07b60d2e963b9fbecd0106b329e2087d1dfc9aedb962b334e22b6b462699cbce86097d4d50ce5d1310ad098e3531efaa4e204b

Download Submit
memory/632-70-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/632-25-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/632-21-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/632-18-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/3516-3-0x0000000005BA0000-0x0000000006144000-memory.dmp

Filesize
5.6MB

Download
memory/3516-6-0x0000000005780000-0x000000000578A000-memory.dmp

Filesize
40KB

Download
memory/3516-11-0x0000000006F50000-0x0000000007024000-memory.dmp

Filesize
848KB

Download
memory/3516-12-0x00000000095E0000-0x0000000009646000-memory.dmp

Filesize
408KB

Download
memory/3516-9-0x0000000074B80000-0x0000000075330000-memory.dmp

Filesize
7.7MB

Download
memory/3516-8-0x0000000005AF0000-0x0000000005B08000-memory.dmp

Filesize
96KB

Download
memory/3516-22-0x0000000074B80000-0x0000000075330000-memory.dmp

Filesize
7.7MB

Download
memory/3516-0-0x0000000000A40000-0x0000000000B4E000-memory.dmp

Filesize
1.1MB

Download
memory/3516-1-0x0000000074B80000-0x0000000075330000-memory.dmp

Filesize
7.7MB

Download
memory/3516-10-0x0000000005850000-0x0000000005860000-memory.dmp

Filesize
64KB

Download
memory/3516-2-0x0000000005550000-0x00000000055EC000-memory.dmp

Filesize
624KB

Download
memory/3516-7-0x00000000057F0000-0x0000000005846000-memory.dmp

Filesize
344KB

Download
memory/3516-4-0x00000000055F0000-0x0000000005682000-memory.dmp

Filesize
584KB

Download
memory/3516-5-0x0000000005850000-0x0000000005860000-memory.dmp

Filesize
64KB

Download
memory/4016-56-0x00007FFCF7870000-0x00007FFCF8331000-memory.dmp

Filesize
10.8MB

Download
memory/4016-65-0x00007FFCF7870000-0x00007FFCF8331000-memory.dmp

Filesize
10.8MB

Download
memory/4016-57-0x000000001B940000-0x000000001B950000-memory.dmp

Filesize
64KB

Download
memory/4016-55-0x0000000000D70000-0x0000000000E22000-memory.dmp

Filesize
712KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads