onlylogger

Target

setup_x86_x64_install.zip
Size

6.2MB
Sample

220320-l64pjscaen
MD5

3569ac6e04296e88444d7ecf799c71b7
SHA1

79a7f1e0fed008058afa803bdcf3172379808309
SHA256

1cb6869826cf5ea749658c7622c8b4ecbcbb5c5e167ebc6623a01a0e0483e0f7
SHA512

3de27b865db8ae753ca012771c71ca5e49e83aa4ebbac339938f722cb04c276a09925c759e0eaacaa842e69fb90ec7fb23e77a6411d2b1bc9d0f7b352f8091c8

Malware Config

Extracted

Family

socelars

http://www.iyiqian.com/

http://www.xxhufdc.top/

http://www.uefhkice.xyz/

http://www.fcektsy.top/

Extracted

Family

redline

Botnet

ANI

45.142.215.47:27643

Extracted

Family

vidar

Version

40.6

Botnet

706

https://dimonbk83.tumblr.com/

Attributes

profile_id
706

Extracted

Family

smokeloader

Version

2020

http://varmisende.com/upload/

http://fernandomayol.com/upload/

http://nextlytm.com/upload/

http://people4jan.com/upload/

http://asfaltwerk.com/upload/

rc4.i32

Extracted

Family

redline

Botnet

bomji1234

86.107.197.196:63065

Attributes

auth_value
c1142ca8af2e545509032e96c9bc48d7

Targets

- Target
  
  setup_x86_x64_install.exe
- Size
  
  6.2MB
- MD5
  
  d2f0cfac1c354f041c7b243f3df94d0a
- SHA1
  
  dfc03d06e799018485dc2dd72f997a0fef3d83a1
- SHA256
  
  3faadb2356253a3c76b42691c13dd3c05b0df75fbf543041bd7afc478b9a838c
- SHA512
  
  ed4b434001a16e0d81d59a5be9a26d31be8fb518ddc9e98dd22ca031761ab88ec9d4d479f11b2c0febfb90960061159836c806952d9e0c5cf9239654a5b7e6d6
Score

10^/10

onlylogger redline smokeloader socelars vidar 706 ani bomji1234 aspackv2 backdoor collection discovery evasion infostealer loader persistence spyware stealer suricata trojan vmprotect
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- OnlyLogger
  A tiny loader that uses IPLogger to get its payload.
  loader onlylogger
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine Payload
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Socelars
  Socelars is an infostealer targeting browser cookies and credit card credentials.
  stealer socelars
- Socelars Payload
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Vidar
  Vidar is an infostealer based on Arkei stealer.
  stealer vidar
- suricata: ET MALWARE GCleaner Downloader Activity M5
  suricata: ET MALWARE GCleaner Downloader Activity M5
  suricata
- suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
  suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
  suricata
- suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt) M2
  suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt) M2
  suricata
- suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (passwords.txt) M2
  suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (passwords.txt) M2
  suricata
- suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
  suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
  suricata
- suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
  suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
  suricata
- suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
  suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
  suricata
- suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer HTTP POST Pattern
  suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer HTTP POST Pattern
  suricata
- suricata: ET MALWARE Win32/Spy.Socelars.S CnC Activity M3
  suricata: ET MALWARE Win32/Spy.Socelars.S CnC Activity M3
  suricata
- suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
  suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
  suricata
- OnlyLogger Payload
- Vidar Stealer
  stealer
- ASPack v2.12-2.42
  Detects executables packed with ASPack v2.12-2.42
  aspackv2
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- VMProtect packed file
  Detects executables packed with VMProtect commercial packer.
  vmprotect
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses 2FA software files, possible credential harvesting
  spyware stealer
- Accesses Microsoft Outlook profiles
  collection
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Drops Chrome extension
- Drops desktop.ini file(s)
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Looks up geolocation information via web service
  Uses a legitimate geolocation service to find the infected system's geolocation info.
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1