onlylogger

General

Target

56f5585c09e1c239cf84ef6bf74beeb1b763c4cc67fa300c9d3f91812c20c7c1
Size

4.0MB
Sample

220310-vjzxhsccbq
MD5

6213ad4d6a0ae688530efee618a302b3
SHA1

dfee973744a7fea024967e8f8a8ee72c60018694
SHA256

56f5585c09e1c239cf84ef6bf74beeb1b763c4cc67fa300c9d3f91812c20c7c1
SHA512

cd30d36c0d5e12fe5a28c64494789cb8a5d76c2907e38d8c8ab2fe7376f6f5ca23eb8734004034752616916be00450e847167625745f95c8e38dd01e7376edfe

Score

10^/10

Malware Config

Extracted

Family

redline

Botnet

DomAni

C2

varinnitof.xyz:80

Extracted

Family

redline

Botnet

dadad123

C2

86.107.197.196:63065

Attributes

auth_value
dd4834614a3ac04a7b90791c224626a2

Extracted

Family

vidar

Version

50.6

Botnet

937

C2

https://mas.to/@s4msalo

https://koyu.space/@samsa2l

Attributes

profile_id
937

Targets

- Target
  
  56f5585c09e1c239cf84ef6bf74beeb1b763c4cc67fa300c9d3f91812c20c7c1
- Size
  
  4.0MB
- MD5
  
  6213ad4d6a0ae688530efee618a302b3
- SHA1
  
  dfee973744a7fea024967e8f8a8ee72c60018694
- SHA256
  
  56f5585c09e1c239cf84ef6bf74beeb1b763c4cc67fa300c9d3f91812c20c7c1
- SHA512
  
  cd30d36c0d5e12fe5a28c64494789cb8a5d76c2907e38d8c8ab2fe7376f6f5ca23eb8734004034752616916be00450e847167625745f95c8e38dd01e7376edfe
Score

10^/10

onlylogger redline vidar 937 dadad123 domani aspackv2 evasion infostealer loader persistence spyware stealer suricata trojan upx
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- OnlyLogger
  A tiny loader that uses IPLogger to get its payload.
  loader onlylogger
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine Payload
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Vidar
  Vidar is an infostealer based on Arkei stealer.
  stealer vidar
- suricata: ET MALWARE EXE Download Request To Wordpress Folder Likely Malicious
  suricata: ET MALWARE EXE Download Request To Wordpress Folder Likely Malicious
  suricata
- suricata: ET MALWARE GCleaner Downloader Activity M5
  suricata: ET MALWARE GCleaner Downloader Activity M5
  suricata
- suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
  suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
  suricata
- suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer HTTP POST Pattern
  suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer HTTP POST Pattern
  suricata
- suricata: ET MALWARE Win32/Spy.Socelars.S CnC Activity M3
  suricata: ET MALWARE Win32/Spy.Socelars.S CnC Activity M3
  suricata
- OnlyLogger Payload
- Vidar Stealer
  stealer
- ASPack v2.12-2.42
  Detects executables packed with ASPack v2.12-2.42
  aspackv2
- Downloads MZ/PE file
- Executes dropped EXE
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2