onlylogger

Sharing

General

Target

d31de02b5f962de2238544c454be3d8a.exe
Size

139KB
Sample

220331-nm94bsbbh8
MD5

d31de02b5f962de2238544c454be3d8a
SHA1

ed2c92e0eb1aed02ed6a471b7b51a2e049771c67
SHA256

d012e723b1fe4143b4fc37a45a41718ee2a3e13c333fb51e0e2bdb0653e5da96
SHA512

869b7d64f24ba04bc49e6df6b2aa61ede65ca4c2c94075f0c39c95230d528c86b969f911beb1956ae8d7dfa1973647c0eb2c61523285ad4f8820016fb26b07a6

Score

10^/10

Malware Config

Extracted

Family

warzonerat

108.170.60.184:5200

Extracted

Family

redline

Botnet

rrr

46.8.19.115:7225

Attributes

auth_value
ee6604d0530215d1c747f04e49b3c531

Extracted

Family

redline

Botnet

ruzki28_03

176.122.23.55:11768

Attributes

auth_value
22cdac7fdda98bfe74c28402ce2ddc18

Extracted

Family

redline

Botnet

nam33

103.133.111.182:44839

Attributes

auth_value
8b278c0f8c2de9225b1633fa0e83ddce

Extracted

Family

redline

193.106.191.253:4752

Attributes

auth_value
ec8cbe4ac27e8d5a62e72c4281063258

Extracted

Family

redline

Botnet

RUZK

91.243.59.45:34762

Attributes

auth_value
8c76f33e1a37a1142ff1a265063ec892

Extracted

Family

redline

Botnet

@ywqmre

185.215.113.66:26416

Attributes

auth_value
5aab3b27575b218cc78165f1b5c607a0

Targets

- Target
  
  d31de02b5f962de2238544c454be3d8a.exe
- Size
  
  139KB
- MD5
  
  d31de02b5f962de2238544c454be3d8a
- SHA1
  
  ed2c92e0eb1aed02ed6a471b7b51a2e049771c67
- SHA256
  
  d012e723b1fe4143b4fc37a45a41718ee2a3e13c333fb51e0e2bdb0653e5da96
- SHA512
  
  869b7d64f24ba04bc49e6df6b2aa61ede65ca4c2c94075f0c39c95230d528c86b969f911beb1956ae8d7dfa1973647c0eb2c61523285ad4f8820016fb26b07a6
Score

10^/10

evasion spyware stealer trojan onlylogger redline warzonerat @ywqmre nam33 rrr ruzk ruzki28_03 infostealer loader rat themida upx
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- OnlyLogger
  A tiny loader that uses IPLogger to get its payload.
  loader onlylogger
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine Payload
- WarzoneRat, AveMaria
  WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
  rat infostealer warzonerat
- OnlyLogger Payload
- Downloads MZ/PE file
- Executes dropped EXE
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Themida packer
  Detects Themida, an advanced Windows software protection system.
  themida
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Targets

Modifies Windows Defender Real-time Protection settings

RedLine

RedLine Payload

WarzoneRat, AveMaria

OnlyLogger Payload

Downloads MZ/PE file

Executes dropped EXE

UPX packed file

Checks computer location settings

Loads dropped DLL

Reads user/profile data of web browsers

Themida packer

Looks up external IP address via web service

MITRE ATT&CK Matrix ATT&CK v6

Tasks

static1

behavioral1

behavioral2