onlylogger

General

Target

3c4720ecca1047160051947e306a5ea9ae42527f6a4e61be13cd7abb297d0305
Size

3.0MB
Sample

220311-a3lh1sggbj
MD5

6873332660c873dc600beb80ac3ade60
SHA1

6bb6ea549e40fea9609d51401393674976b2fb73
SHA256

3c4720ecca1047160051947e306a5ea9ae42527f6a4e61be13cd7abb297d0305
SHA512

23e95b6255bd55eedb68b4905b0feb4c5feb49d8551c57ce31b9c2ef64160982462d500389c7137a7441073601a289e1d55b285f5bee729d8deefb126cbc4035

Score

10^/10

Malware Config

Extracted

Family

redline

Botnet

dadad123

C2

86.107.197.196:63065

Attributes

auth_value
dd4834614a3ac04a7b90791c224626a2

Targets

- Target
  
  3c4720ecca1047160051947e306a5ea9ae42527f6a4e61be13cd7abb297d0305
- Size
  
  3.0MB
- MD5
  
  6873332660c873dc600beb80ac3ade60
- SHA1
  
  6bb6ea549e40fea9609d51401393674976b2fb73
- SHA256
  
  3c4720ecca1047160051947e306a5ea9ae42527f6a4e61be13cd7abb297d0305
- SHA512
  
  23e95b6255bd55eedb68b4905b0feb4c5feb49d8551c57ce31b9c2ef64160982462d500389c7137a7441073601a289e1d55b285f5bee729d8deefb126cbc4035
Score

10^/10

onlylogger redline vidar dadad123 aspackv2 evasion infostealer loader persistence spyware stealer suricata trojan
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- OnlyLogger
  A tiny loader that uses IPLogger to get its payload.
  loader onlylogger
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine Payload
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Vidar
  Vidar is an infostealer based on Arkei stealer.
  stealer vidar
- suricata: ET MALWARE EXE Download Request To Wordpress Folder Likely Malicious
  suricata: ET MALWARE EXE Download Request To Wordpress Folder Likely Malicious
  suricata
- suricata: ET MALWARE GCleaner Downloader Activity M5
  suricata: ET MALWARE GCleaner Downloader Activity M5
  suricata
- suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer HTTP POST Pattern
  suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer HTTP POST Pattern
  suricata
- suricata: ET MALWARE Win32/Spy.Socelars.S CnC Activity M3
  suricata: ET MALWARE Win32/Spy.Socelars.S CnC Activity M3
  suricata
- OnlyLogger Payload
- ASPack v2.12-2.42
  Detects executables packed with ASPack v2.12-2.42
  aspackv2
- Downloads MZ/PE file
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2