a310logger | 24631515535420a7600ac6e1191f49b8162c7c3d1ca82a163b66451e448fab2f

Analysis

max time kernel
136s
max time network
118s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
25-01-2024 13:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

74ccfbabd5376167c9e52c89c0478ec5.exe
Size

1016KB
MD5

74ccfbabd5376167c9e52c89c0478ec5
SHA1

f054d3de07ec041a53e6566ad654fbd6f2a04098
SHA256

24631515535420a7600ac6e1191f49b8162c7c3d1ca82a163b66451e448fab2f
SHA512

dbf6a2395f3c56f074c750723a9b5568f035ab409fb502d0d068f2efc8d558978d00c282c51d6fbc64b1985071dde6ee26240e58b6e12dd0c2ff127de4b29f87
SSDEEP

24576:Zg0sM873s6inVKDdbHUCB80yET0QMTS+YLY3qwhs:ZV9ms6cY9uoaVAs4

Score

10^/10

a310logger blustealer collection spyware stealer

Malware Config

Extracted

Family

blustealer

Credentials

Protocol: smtp
Host:
mail.enche.com
Port:
587
Username:
[email protected]
Password:
Merchandise08012021

Signatures

A310logger
A310 Logger is a .NET stealer/logger targeting passwords from browsers and email clients.
stealer spyware a310logger
BluStealer
A Modular information stealer written in Visual Basic.
stealer blustealer

A310logger Executable 4 IoCs

resource	yara_rule
behavioral1/memory/2564-86-0x00000000011D0000-0x0000000001282000-memory.dmp	a310logger
behavioral1/files/0x0009000000015677-84.dat	a310logger
behavioral1/files/0x0009000000015677-83.dat	a310logger
behavioral1/files/0x0009000000015677-81.dat	a310logger

Executes dropped EXE 1 IoCs

pid	Process
2564	Fox.exe

Loads dropped DLL 1 IoCs

pid	Process
2884	RegSvcs.exe

Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Fox.exe
Key opened	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Fox.exe
Key opened	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Fox.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2212 set thread context of 2884	2212	74ccfbabd5376167c9e52c89c0478ec5.exe	36

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2708	schtasks.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2836	powershell.exe
2600	powershell.exe
2756	powershell.exe
2212	74ccfbabd5376167c9e52c89c0478ec5.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2836	powershell.exe
Token: SeDebugPrivilege	2600	powershell.exe
Token: SeDebugPrivilege	2756	powershell.exe
Token: SeDebugPrivilege	2212	74ccfbabd5376167c9e52c89c0478ec5.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2884	RegSvcs.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 2212 wrote to memory of 2756	2212	74ccfbabd5376167c9e52c89c0478ec5.exe	30
PID 2212 wrote to memory of 2756	2212	74ccfbabd5376167c9e52c89c0478ec5.exe	30
PID 2212 wrote to memory of 2756	2212	74ccfbabd5376167c9e52c89c0478ec5.exe	30
PID 2212 wrote to memory of 2756	2212	74ccfbabd5376167c9e52c89c0478ec5.exe	30
PID 2212 wrote to memory of 2600	2212	74ccfbabd5376167c9e52c89c0478ec5.exe	33
PID 2212 wrote to memory of 2600	2212	74ccfbabd5376167c9e52c89c0478ec5.exe	33
PID 2212 wrote to memory of 2600	2212	74ccfbabd5376167c9e52c89c0478ec5.exe	33
PID 2212 wrote to memory of 2600	2212	74ccfbabd5376167c9e52c89c0478ec5.exe	33
PID 2212 wrote to memory of 2708	2212	74ccfbabd5376167c9e52c89c0478ec5.exe	35
PID 2212 wrote to memory of 2708	2212	74ccfbabd5376167c9e52c89c0478ec5.exe	35
PID 2212 wrote to memory of 2708	2212	74ccfbabd5376167c9e52c89c0478ec5.exe	35
PID 2212 wrote to memory of 2708	2212	74ccfbabd5376167c9e52c89c0478ec5.exe	35
PID 2212 wrote to memory of 2836	2212	74ccfbabd5376167c9e52c89c0478ec5.exe	38
PID 2212 wrote to memory of 2836	2212	74ccfbabd5376167c9e52c89c0478ec5.exe	38
PID 2212 wrote to memory of 2836	2212	74ccfbabd5376167c9e52c89c0478ec5.exe	38
PID 2212 wrote to memory of 2836	2212	74ccfbabd5376167c9e52c89c0478ec5.exe	38
PID 2212 wrote to memory of 2884	2212	74ccfbabd5376167c9e52c89c0478ec5.exe	36
PID 2212 wrote to memory of 2884	2212	74ccfbabd5376167c9e52c89c0478ec5.exe	36
PID 2212 wrote to memory of 2884	2212	74ccfbabd5376167c9e52c89c0478ec5.exe	36
PID 2212 wrote to memory of 2884	2212	74ccfbabd5376167c9e52c89c0478ec5.exe	36
PID 2212 wrote to memory of 2884	2212	74ccfbabd5376167c9e52c89c0478ec5.exe	36
PID 2212 wrote to memory of 2884	2212	74ccfbabd5376167c9e52c89c0478ec5.exe	36
PID 2212 wrote to memory of 2884	2212	74ccfbabd5376167c9e52c89c0478ec5.exe	36
PID 2212 wrote to memory of 2884	2212	74ccfbabd5376167c9e52c89c0478ec5.exe	36
PID 2212 wrote to memory of 2884	2212	74ccfbabd5376167c9e52c89c0478ec5.exe	36
PID 2212 wrote to memory of 2884	2212	74ccfbabd5376167c9e52c89c0478ec5.exe	36
PID 2212 wrote to memory of 2884	2212	74ccfbabd5376167c9e52c89c0478ec5.exe	36
PID 2212 wrote to memory of 2884	2212	74ccfbabd5376167c9e52c89c0478ec5.exe	36
PID 2884 wrote to memory of 2564	2884	RegSvcs.exe	39
PID 2884 wrote to memory of 2564	2884	RegSvcs.exe	39
PID 2884 wrote to memory of 2564	2884	RegSvcs.exe	39
PID 2884 wrote to memory of 2564	2884	RegSvcs.exe	39

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Fox.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Fox.exe

C:\Users\Admin\AppData\Local\Temp\74ccfbabd5376167c9e52c89c0478ec5.exe
"C:\Users\Admin\AppData\Local\Temp\74ccfbabd5376167c9e52c89c0478ec5.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2212
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\74ccfbabd5376167c9e52c89c0478ec5.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2756
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\zFdYmdUOJ.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2600
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\zFdYmdUOJ" /XML "C:\Users\Admin\AppData\Local\Temp\tmpDFF3.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:2708
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2884
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\NET4\Fox.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\NET4\Fox.exe
    3⤵
    - Executes dropped EXE
    - Accesses Microsoft Outlook profiles
    - outlook_office_path
    - outlook_win_path
    PID:2564
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\zFdYmdUOJ.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2836

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpDFF3.tmp

Filesize
1KB

MD5
cdb8a143293a5e0599c2a7c820d1d5e7

SHA1
c050904992447774a1c67abe6445446d53d783ae

SHA256
8668b912545d51e38b4230c93e3da808368a7846176127c9c9ad6e4717dc6a07

SHA512
0adf975578901192927c7a45b34ce1dc0cab5f1790e4bd94b7571bfeaf0acfc6cfc58a342e6f4de348e13f22ce9e9eae14798d91c554fe852ba6fe619ed5614b

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\TEMPLA~1\0I8SIC~1.ZIP

Filesize
233KB

MD5
cd959135edb5995f9ea68a41edebddec

SHA1
0ee56f042af3f073f1df7c3bff94191b38ba0518

SHA256
ad7fdb5e4901c6430dab6a768f1997835feb8273a4d8cb5f53144b559e4cbe38

SHA512
58850223f80d2f7b89266117b576a415e339a5b0126964cda7bbca6bfd8ed9da8d17d6cf916304fac84f9aa1277cc14f541d329cc09c9500266546a1d1452ffe

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\H4P08BFNIRG26EIY99DV.temp

Filesize
7KB

MD5
194d9990edd15f10b242c8e62fc8c9fc

SHA1
61b64a7b519fc5bdaeb05889e5abf5e32f941763

SHA256
935ff80ba7325cc59be13ace0376470b9d7d7109fecb329428c0b7050decb6f7

SHA512
88e604d22c7d545ba787376bb6ebf2f3fb10c605736d085d1b8f9e333775558450edfcda7ba85b682fc845040b32079f092fb6d620f6275d07633623ee00065d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\NET4\Fox.exe

Filesize
173KB

MD5
8e33c8033ebcbc02088cca4e5f2c6dd7

SHA1
feb3bf4e7e83f24eda2dca77c289ab92aede9cc4

SHA256
60c8a42cc80481d057714b5d32bbaa3937c38c70303422d6d2993d2f9fae032d

SHA512
0e9673b68ef181fbb3c9d31362ec01b86ab54c5a5a50a415da42576845e1c33d2f44c11ab90eb05cf37d9c0431fb5a0e0ff3f4989a905a356e6df64eb81252fa

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\NET4\Fox.exe

Filesize
165KB

MD5
59ddb0f36868aa91d2f9d32a654c7e87

SHA1
e64bc8d5f6a80081566da214a46bbfb897276f56

SHA256
b99fd59bea78d231bdf24bb62e976e868012b2d663fe03a8585c43df91eb93ff

SHA512
61b585309f7cb075b843af75cc6474a4605f3eaeac4bfabe12e127b8bb6f228acdf57e4b0887d24b0298781cb658c152dbbf7e5768f92ded419af27b1ccd3656

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\NET4\Fox.exe

Filesize
190KB

MD5
0aefa051e98f26e3a1ad1e1c77c9ab0e

SHA1
4aa660ca2fe2a3b94d5f20a48e26aa53eef2ad73

SHA256
44ee3f4edfe1166579d539cc541c3ec8ef54dba029264eb76cc6e8ce4a73359b

SHA512
529c28b5ae6efc0989886d1f45c085dc4ef39459d941e00ce60761cf8b2041f7453becfd6deab83da2cfb33524836c8b84f9c002c50e28e5cf5856ced1f23dc5

Download Submit
memory/2212-3-0x0000000000550000-0x0000000000568000-memory.dmp

Filesize
96KB

Download
memory/2212-7-0x0000000005270000-0x00000000052D8000-memory.dmp

Filesize
416KB

Download
memory/2212-6-0x0000000005840000-0x0000000005914000-memory.dmp

Filesize
848KB

Download
memory/2212-5-0x0000000004CD0000-0x0000000004D10000-memory.dmp

Filesize
256KB

Download
memory/2212-39-0x0000000074B10000-0x00000000751FE000-memory.dmp

Filesize
6.9MB

Download
memory/2212-1-0x0000000074B10000-0x00000000751FE000-memory.dmp

Filesize
6.9MB

Download
memory/2212-4-0x0000000074B10000-0x00000000751FE000-memory.dmp

Filesize
6.9MB

Download
memory/2212-2-0x0000000004CD0000-0x0000000004D10000-memory.dmp

Filesize
256KB

Download
memory/2212-0-0x0000000000060000-0x0000000000164000-memory.dmp

Filesize
1.0MB

Download
memory/2564-87-0x000007FEF5800000-0x000007FEF61EC000-memory.dmp

Filesize
9.9MB

Download
memory/2564-86-0x00000000011D0000-0x0000000001282000-memory.dmp

Filesize
712KB

Download
memory/2564-88-0x000000001B2A0000-0x000000001B320000-memory.dmp

Filesize
512KB

Download
memory/2564-90-0x000007FEF5800000-0x000007FEF61EC000-memory.dmp

Filesize
9.9MB

Download
memory/2600-36-0x000000006F610000-0x000000006FBBB000-memory.dmp

Filesize
5.7MB

Download
memory/2600-51-0x0000000000510000-0x0000000000550000-memory.dmp

Filesize
256KB

Download
memory/2600-40-0x0000000000510000-0x0000000000550000-memory.dmp

Filesize
256KB

Download
memory/2600-79-0x000000006F610000-0x000000006FBBB000-memory.dmp

Filesize
5.7MB

Download
memory/2600-43-0x0000000000510000-0x0000000000550000-memory.dmp

Filesize
256KB

Download
memory/2600-30-0x000000006F610000-0x000000006FBBB000-memory.dmp

Filesize
5.7MB

Download
memory/2756-78-0x000000006F610000-0x000000006FBBB000-memory.dmp

Filesize
5.7MB

Download
memory/2756-34-0x0000000002C10000-0x0000000002C50000-memory.dmp

Filesize
256KB

Download
memory/2756-32-0x000000006F610000-0x000000006FBBB000-memory.dmp

Filesize
5.7MB

Download
memory/2756-42-0x0000000002C10000-0x0000000002C50000-memory.dmp

Filesize
256KB

Download
memory/2756-38-0x0000000002C10000-0x0000000002C50000-memory.dmp

Filesize
256KB

Download
memory/2756-37-0x000000006F610000-0x000000006FBBB000-memory.dmp

Filesize
5.7MB

Download
memory/2836-49-0x0000000002820000-0x0000000002860000-memory.dmp

Filesize
256KB

Download
memory/2836-45-0x000000006F610000-0x000000006FBBB000-memory.dmp

Filesize
5.7MB

Download
memory/2836-46-0x0000000002820000-0x0000000002860000-memory.dmp

Filesize
256KB

Download
memory/2836-85-0x000000006F610000-0x000000006FBBB000-memory.dmp

Filesize
5.7MB

Download
memory/2836-48-0x000000006F610000-0x000000006FBBB000-memory.dmp

Filesize
5.7MB

Download
memory/2836-50-0x0000000002820000-0x0000000002860000-memory.dmp

Filesize
256KB

Download
memory/2884-33-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2884-41-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2884-20-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2884-29-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2884-27-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2884-60-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2884-22-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2884-91-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download