a310logger | 038b5ec90419cc38dcfc837ec372f5abbf49b3903501c11b5e3ee8bffc749755

Resubmissions

26-01-2025 23:45

250126-3r38xazkex 10

21-07-2021 16:43

210721-92llwasgkj 10

Analysis

max time kernel
150s
max time network
150s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
26-01-2025 23:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

TT000900_989990.exe
Size

894KB
MD5

f343cb0399d345b279de6d50d99f4be9
SHA1

6983c9557f3ab79b9a78f069599080d6988fd0c1
SHA256

451e257b591ad6beacf73a6ff2dc67942fa68cdd453da2784e084d790e66d3df
SHA512

109ab328298c9945aafabe0c306b4ba4534171e40d7ef966ed5e5e14fcc4a87d3ebbc3ff4800fd42fcc78c2d9211b37d37461538f8c79ee3e79fdd5fc429fb19
SSDEEP

12288:BjO5fIDWxzzaaIUGQ44wgdPkp7XLPtdnTJKQiP4Uh+4ryD5exR0xknr5eVLdCmfq:BCO7oUsP2myXx+iKvrG

Score

10^/10

a310logger stormkitty collection discovery spyware stealer

Malware Config

Signatures

A310logger
A310 Logger is a .NET stealer/logger targeting passwords from browsers and email clients.
stealer spyware a310logger
A310logger family
a310logger
StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 1 IoCs

resource	yara_rule
behavioral4/memory/1108-16-0x0000000000400000-0x0000000000418000-memory.dmp	family_stormkitty

Stormkitty family
stormkitty

A310logger Executable 2 IoCs

resource	yara_rule
behavioral4/memory/1108-16-0x0000000000400000-0x0000000000418000-memory.dmp	a310logger
behavioral4/files/0x001900000002ab4f-24.dat	a310logger

Executes dropped EXE 3 IoCs

pid	Process
2448	MZ.exe
852	MZ.exe
3060	MZ.exe

Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Accesses Microsoft Outlook profiles 1 TTPs 9 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	InstallUtil.exe
Key opened	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	InstallUtil.exe
Key opened	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	InstallUtil.exe
Key opened	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	InstallUtil.exe
Key opened	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	InstallUtil.exe
Key opened	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	InstallUtil.exe
Key opened	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	InstallUtil.exe
Key opened	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	InstallUtil.exe
Key opened	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	InstallUtil.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
1	icanhazip.com

Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 3320 set thread context of 1644	3320	TT000900_989990.exe	77
PID 1644 set thread context of 1108	1644	TT000900_989990.exe	78
PID 1644 set thread context of 980	1644	TT000900_989990.exe	81
PID 1644 set thread context of 2488	1644	TT000900_989990.exe	83

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TT000900_989990.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TT000900_989990.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	InstallUtil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	InstallUtil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	InstallUtil.exe

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	InstallUtil.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	InstallUtil.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	InstallUtil.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	InstallUtil.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	InstallUtil.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	InstallUtil.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2448	MZ.exe
2448	MZ.exe
852	MZ.exe
852	MZ.exe
3060	MZ.exe
3060	MZ.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1644	TT000900_989990.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	1108	InstallUtil.exe
Token: SeDebugPrivilege	2448	MZ.exe
Token: SeDebugPrivilege	980	InstallUtil.exe
Token: SeDebugPrivilege	852	MZ.exe
Token: SeDebugPrivilege	2488	InstallUtil.exe
Token: SeDebugPrivilege	3060	MZ.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1644	TT000900_989990.exe
1644	TT000900_989990.exe

Suspicious use of WriteProcessMemory 38 IoCs

description	pid	Process	procid_target
PID 3320 wrote to memory of 1644	3320	TT000900_989990.exe	77
PID 3320 wrote to memory of 1644	3320	TT000900_989990.exe	77
PID 3320 wrote to memory of 1644	3320	TT000900_989990.exe	77
PID 3320 wrote to memory of 1644	3320	TT000900_989990.exe	77
PID 3320 wrote to memory of 1644	3320	TT000900_989990.exe	77
PID 3320 wrote to memory of 1644	3320	TT000900_989990.exe	77
PID 3320 wrote to memory of 1644	3320	TT000900_989990.exe	77
PID 3320 wrote to memory of 1644	3320	TT000900_989990.exe	77
PID 1644 wrote to memory of 1108	1644	TT000900_989990.exe	78
PID 1644 wrote to memory of 1108	1644	TT000900_989990.exe	78
PID 1644 wrote to memory of 1108	1644	TT000900_989990.exe	78
PID 1644 wrote to memory of 1108	1644	TT000900_989990.exe	78
PID 1644 wrote to memory of 1108	1644	TT000900_989990.exe	78
PID 1644 wrote to memory of 1108	1644	TT000900_989990.exe	78
PID 1644 wrote to memory of 1108	1644	TT000900_989990.exe	78
PID 1644 wrote to memory of 1108	1644	TT000900_989990.exe	78
PID 1108 wrote to memory of 2448	1108	InstallUtil.exe	80
PID 1108 wrote to memory of 2448	1108	InstallUtil.exe	80
PID 1644 wrote to memory of 980	1644	TT000900_989990.exe	81
PID 1644 wrote to memory of 980	1644	TT000900_989990.exe	81
PID 1644 wrote to memory of 980	1644	TT000900_989990.exe	81
PID 1644 wrote to memory of 980	1644	TT000900_989990.exe	81
PID 1644 wrote to memory of 980	1644	TT000900_989990.exe	81
PID 1644 wrote to memory of 980	1644	TT000900_989990.exe	81
PID 1644 wrote to memory of 980	1644	TT000900_989990.exe	81
PID 1644 wrote to memory of 980	1644	TT000900_989990.exe	81
PID 980 wrote to memory of 852	980	InstallUtil.exe	82
PID 980 wrote to memory of 852	980	InstallUtil.exe	82
PID 1644 wrote to memory of 2488	1644	TT000900_989990.exe	83
PID 1644 wrote to memory of 2488	1644	TT000900_989990.exe	83
PID 1644 wrote to memory of 2488	1644	TT000900_989990.exe	83
PID 1644 wrote to memory of 2488	1644	TT000900_989990.exe	83
PID 1644 wrote to memory of 2488	1644	TT000900_989990.exe	83
PID 1644 wrote to memory of 2488	1644	TT000900_989990.exe	83
PID 1644 wrote to memory of 2488	1644	TT000900_989990.exe	83
PID 1644 wrote to memory of 2488	1644	TT000900_989990.exe	83
PID 2488 wrote to memory of 3060	2488	InstallUtil.exe	84
PID 2488 wrote to memory of 3060	2488	InstallUtil.exe	84

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	InstallUtil.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	InstallUtil.exe

C:\Users\Admin\AppData\Local\Temp\TT000900_989990.exe
"C:\Users\Admin\AppData\Local\Temp\TT000900_989990.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3320
- C:\Users\Admin\AppData\Local\Temp\TT000900_989990.exe
  "C:\Users\Admin\AppData\Local\Temp\TT000900_989990.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1644
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe"
    3⤵
    - Accesses Microsoft Outlook profiles
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1108
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\MZ.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\MZ.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2448
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe"
    3⤵
    - Accesses Microsoft Outlook profiles
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:980
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\MZ.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\MZ.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:852
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe"
    3⤵
    - Accesses Microsoft Outlook profiles
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - outlook_office_path
    - outlook_win_path
    PID:2488
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\MZ.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\MZ.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3060

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0\UsageLogs\MZ.exe.log

Filesize
128B

MD5
76e55a6c86e00454ec1457cd9698a6e2

SHA1
47554d28b3c6f8bc1e678737baca2217636d3d63

SHA256
d84cc7a4e4e8795d96d828faeed9528db5457651fad868bb7266690842dc2734

SHA512
03b3aa1b4adb47db04be717071ca7ed4ef653e07e57e0b106026f60340e738bac895901d5073beba3b21080195db9581cce9039d56ee028a02415a3d72d01dc5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\InstallUtil.exe.log

Filesize
496B

MD5
b83a52aaa86f4b5af8f06033f69d637a

SHA1
91e7b8b8bc91e068cd3bec2d128c423178d43330

SHA256
3d533b813b8d2320c8581409acf08367384101fdab50259bbc1563d2c03e07d9

SHA512
ae4bf29a161e2d8ca9f71ace0c0bf9ba4ac88c6c44554f14cefac9209d076c6bc3c273a0bb8a4eb7ad0917762e33e0cc64794925f6872e5b485c21da4f9c3a5b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\MZ.exe

Filesize
20KB

MD5
1bad0cbd09b05a21157d8255dc801778

SHA1
ff284bba12f011b72e20d4c9537d6c455cdbf228

SHA256
218073bda7a00e780704c1289d5e22ad27bb3ba11f210afa18af33a6ad5176e9

SHA512
4fea56812eba1f1bba17f20d06b509e2a3b4e138562e53c230d0736d596abed4a6a3e43e26936fcd6d107924c8bba41885f34901afa4fd0d37d7e4a93c9b8533

Download Submit
memory/1108-16-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1108-35-0x0000000074210000-0x00000000747C1000-memory.dmp

Filesize
5.7MB

Download
memory/1108-19-0x0000000074210000-0x00000000747C1000-memory.dmp

Filesize
5.7MB

Download
memory/1108-18-0x0000000074210000-0x00000000747C1000-memory.dmp

Filesize
5.7MB

Download
memory/1108-17-0x0000000074211000-0x0000000074212000-memory.dmp

Filesize
4KB

Download
memory/1644-10-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1644-13-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1644-37-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3320-5-0x0000000004C20000-0x0000000004C98000-memory.dmp

Filesize
480KB

Download
memory/3320-8-0x0000000004EA0000-0x0000000004F3C000-memory.dmp

Filesize
624KB

Download
memory/3320-7-0x0000000004E00000-0x0000000004E92000-memory.dmp

Filesize
584KB

Download
memory/3320-6-0x0000000005310000-0x00000000058B6000-memory.dmp

Filesize
5.6MB

Download
memory/3320-9-0x0000000004D10000-0x0000000004D26000-memory.dmp

Filesize
88KB

Download
memory/3320-4-0x0000000004B30000-0x0000000004B4E000-memory.dmp

Filesize
120KB

Download
memory/3320-3-0x0000000074930000-0x00000000750E1000-memory.dmp

Filesize
7.7MB

Download
memory/3320-36-0x0000000074930000-0x00000000750E1000-memory.dmp

Filesize
7.7MB

Download
memory/3320-0-0x000000007493E000-0x000000007493F000-memory.dmp

Filesize
4KB

Download
memory/3320-2-0x0000000004B60000-0x0000000004BD6000-memory.dmp

Filesize
472KB

Download
memory/3320-1-0x0000000000040000-0x0000000000124000-memory.dmp

Filesize
912KB

Download