onlylogger

Sharing

Copy URL

Twitter E-mail

General

Target

fb55add55db0e0f7b9e63dd1d70bdc318b2a0e725e069a00ae8685d60a044e0b
Size

4.0MB
Sample

220315-q7jg8aaefl
MD5

119440585a9c8d2ba603cfdf0f1a7375
SHA1

99e1bd46fd1673470608774a6171f5db7323a6dc
SHA256

fb55add55db0e0f7b9e63dd1d70bdc318b2a0e725e069a00ae8685d60a044e0b
SHA512

737dd237f7b0aaa5941107d250faf734999c2d28ee6e49dd82f9f0d84fe4f8c87c7f17fa4c63dc675e690644e2f0b287e5496083befe1d6427e1b98df4234f72

Malware Config

Extracted

Family

redline

Botnet

DomAni

varinnitof.xyz:80

Extracted

Family

redline

Botnet

da da

86.107.197.196:63065

Attributes

auth_value
9b1654b30797c210c85bd0890936a5b9

Extracted

Family

redline

Botnet

nam11

103.133.111.182:44839

Attributes

auth_value
aa901213c47adf1c4bbe06384de2a9ab

Extracted

Family

redline

Botnet

ruzki14_03

176.122.23.55:11768

Attributes

auth_value
13b742acfe493b01c5301781c98d3fbe

Extracted

Family

redline

Botnet

ruz876

185.215.113.7:5186

Attributes

auth_value
4750f6742a496bbe74a981d51e7680ad

Extracted

Family

redline

Botnet

filinnn1

5.45.77.29:2495

Attributes

auth_value
da347df57c88b125ede510dbe7fcc0f4

Extracted

Family

redline

Botnet

GLO1503

144.76.173.68:16125

Attributes

auth_value
3338ae9cd5608d5f60db27601c9ac727

Targets

- Target
  
  fb55add55db0e0f7b9e63dd1d70bdc318b2a0e725e069a00ae8685d60a044e0b
- Size
  
  4.0MB
- MD5
  
  119440585a9c8d2ba603cfdf0f1a7375
- SHA1
  
  99e1bd46fd1673470608774a6171f5db7323a6dc
- SHA256
  
  fb55add55db0e0f7b9e63dd1d70bdc318b2a0e725e069a00ae8685d60a044e0b
- SHA512
  
  737dd237f7b0aaa5941107d250faf734999c2d28ee6e49dd82f9f0d84fe4f8c87c7f17fa4c63dc675e690644e2f0b287e5496083befe1d6427e1b98df4234f72
Score

10^/10

redline domani aspackv2 infostealer persistence spyware stealer upx onlylogger vidar da da filinnn1 glo1503 nam11 ruz876 ruzki14_03 discovery evasion loader suricata trojan
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- OnlyLogger
  A tiny loader that uses IPLogger to get its payload.
  loader onlylogger
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine Payload
- Suspicious use of NtCreateUserProcessOtherParentProcess
- UAC bypass
  evasion trojan
- Vidar
  Vidar is an infostealer based on Arkei stealer.
  stealer vidar
- Windows security bypass
  evasion trojan
- suricata: ET MALWARE EXE Download Request To Wordpress Folder Likely Malicious
  suricata: ET MALWARE EXE Download Request To Wordpress Folder Likely Malicious
  suricata
- suricata: ET MALWARE GCleaner Downloader Activity M5
  suricata: ET MALWARE GCleaner Downloader Activity M5
  suricata
- suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
  suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
  suricata
- suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
  suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
  suricata
- suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer HTTP POST Pattern
  suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer HTTP POST Pattern
  suricata
- suricata: ET MALWARE Win32/Spy.Socelars.S CnC Activity M3
  suricata: ET MALWARE Win32/Spy.Socelars.S CnC Activity M3
  suricata
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Nirsoft
- OnlyLogger Payload
- Vidar Stealer
  stealer
- ASPack v2.12-2.42
  Detects executables packed with ASPack v2.12-2.42
  aspackv2
- Downloads MZ/PE file
- Executes dropped EXE
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Windows security modification
  evasion trojan
- Accesses 2FA software files, possible credential harvesting
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Checks whether UAC is enabled
  evasion trojan
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Bypass User Account Control

T1088

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Bypass User Account Control

T1088

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Process Discovery

T1057

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Targets

Modifies Windows Defender Real-time Protection settings

RedLine

RedLine Payload

Suspicious use of NtCreateUserProcessOtherParentProcess

UAC bypass

Vidar

Windows security bypass

suricata: ET MALWARE EXE Download Request To Wordpress Folder Likely Malicious

suricata: ET MALWARE GCleaner Downloader Activity M5

suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload

suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer HTTP POST Pattern

suricata: ET MALWARE Win32/Spy.Socelars.S CnC Activity M3

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Nirsoft

OnlyLogger Payload

Vidar Stealer

ASPack v2.12-2.42

Downloads MZ/PE file

Executes dropped EXE

UPX packed file

Checks BIOS information in registry

Checks computer location settings

Loads dropped DLL

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Windows security modification

Accesses 2FA software files, possible credential harvesting

Accesses cryptocurrency files/wallets, possible credential harvesting

Adds Run key to start application

Checks installed software on the system

Checks whether UAC is enabled

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Drops file in System32 directory

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Tasks

static1

behavioral1

behavioral2