onlylogger

General

Target

b38f807fc02e26c295c37f41f448352e.exe
Size

6.9MB
Sample

220130-hj7wxahcc9
MD5

b38f807fc02e26c295c37f41f448352e
SHA1

afb5b26b9409cf228e12bfa3f4a63c64ca9949cb
SHA256

001a5a474bbbd8f905626617e612861e7f1de5286b009960c0deefbf06508723
SHA512

58aa86dfb92d59c0afcfc6030304043b64240c65c7757eca0884bedcc37cbad429d2de1a373f30abb827abca11c3c4dc08e4c5fccec1f1e4a4a1bfe9157629f3

Score

10^/10

Malware Config

Extracted

Family

socelars

C2

http://www.anquyebt.com/

Extracted

Family

smokeloader

Version

2020

C2

http://abpa.at/upload/

http://emaratghajari.com/upload/

http://d7qw.cn/upload/

http://alumik-group.ru/upload/

http://zamkikurgan.ru/upload/

rc4.i32

Extracted

Family

redline

Botnet

buildnewmast

C2

109.107.188.167:37171

Extracted

Family

redline

Botnet

media262231

C2

92.255.57.115:11841

Extracted

Family

redline

Botnet

20kProfessor2

C2

157.90.17.156:56409

Targets

- Target
  
  b38f807fc02e26c295c37f41f448352e.exe
- Size
  
  6.9MB
- MD5
  
  b38f807fc02e26c295c37f41f448352e
- SHA1
  
  afb5b26b9409cf228e12bfa3f4a63c64ca9949cb
- SHA256
  
  001a5a474bbbd8f905626617e612861e7f1de5286b009960c0deefbf06508723
- SHA512
  
  58aa86dfb92d59c0afcfc6030304043b64240c65c7757eca0884bedcc37cbad429d2de1a373f30abb827abca11c3c4dc08e4c5fccec1f1e4a4a1bfe9157629f3
Score

10^/10

onlylogger smokeloader socelars aspackv2 backdoor loader stealer trojan redline 20kprofessor2 buildnewmast media262231 discovery infostealer persistence spyware upx
- OnlyLogger
  A tiny loader that uses IPLogger to get its payload.
  loader onlylogger
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine Payload
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Socelars
  Socelars is an infostealer targeting browser cookies and credit card credentials.
  stealer socelars
- Socelars Payload
- Suspicious use of NtCreateProcessExOtherParentProcess
- OnlyLogger Payload
- ASPack v2.12-2.42
  Detects executables packed with ASPack v2.12-2.42
  aspackv2
- Downloads MZ/PE file
- Executes dropped EXE
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Drops startup file
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Looks up geolocation information via web service
  Uses a legitimate geolocation service to find the infected system's geolocation info.
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2