onlylogger

General

Target

a53558362da836cb34eb0e4ce796167f.exe
Size

7.4MB
Sample

220130-mgjhraafe3
MD5

a53558362da836cb34eb0e4ce796167f
SHA1

39378ecfb484426c8347e7dc0e150a36c16a4ed0
SHA256

ad8da7f38644aa54c0983c703436a872daecd353e1470e831aa209e0b37f837e
SHA512

bd0bd58d3f4f91ec6fc8bc616eb1cfbd1d65afb1ca093091e3f29afb598590051021d3ad9f2da201e045ca6457c401650c8f1f8308c2b250e36d3b9a410d7278

Score

10^/10

Malware Config

Extracted

Family

socelars

C2

http://www.anquyebt.com/

Extracted

Family

redline

Botnet

Update

C2

185.215.113.10:39759

Extracted

Family

redline

Botnet

20kProfessor2

C2

157.90.17.156:56409

Extracted

Family

redline

Botnet

media262231

C2

92.255.57.115:11841

Extracted

Family

redline

Botnet

newmast2

C2

169.197.141.182:47320

Extracted

Family

smokeloader

Version

2020

C2

http://abpa.at/upload/

http://emaratghajari.com/upload/

http://d7qw.cn/upload/

http://alumik-group.ru/upload/

http://zamkikurgan.ru/upload/

rc4.i32

Targets

- Target
  
  a53558362da836cb34eb0e4ce796167f.exe
- Size
  
  7.4MB
- MD5
  
  a53558362da836cb34eb0e4ce796167f
- SHA1
  
  39378ecfb484426c8347e7dc0e150a36c16a4ed0
- SHA256
  
  ad8da7f38644aa54c0983c703436a872daecd353e1470e831aa209e0b37f837e
- SHA512
  
  bd0bd58d3f4f91ec6fc8bc616eb1cfbd1d65afb1ca093091e3f29afb598590051021d3ad9f2da201e045ca6457c401650c8f1f8308c2b250e36d3b9a410d7278
Score

10^/10

onlylogger redline socelars 20kprofessor2 media262231 update aspackv2 discovery infostealer loader persistence spyware stealer smokeloader newmast2 backdoor trojan upx
- OnlyLogger
  A tiny loader that uses IPLogger to get its payload.
  loader onlylogger
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine Payload
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Socelars
  Socelars is an infostealer targeting browser cookies and credit card credentials.
  stealer socelars
- Socelars Payload
- Suspicious use of NtCreateUserProcessOtherParentProcess
- OnlyLogger Payload
- ASPack v2.12-2.42
  Detects executables packed with ASPack v2.12-2.42
  aspackv2
- Downloads MZ/PE file
- Drops file in Drivers directory
- Executes dropped EXE
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Drops startup file
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Looks up geolocation information via web service
  Uses a legitimate geolocation service to find the infected system's geolocation info.
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2