onlylogger

General

Target

7555476121.zip
Size

6.9MB
Sample

220609-z92w1scchj
MD5

3fbac86ed0aa4fe2aab4e62748550746
SHA1

64b0e33dd3dca744e0ac48b70b17ccaae8e71619
SHA256

2fc7d93dc85c813ecf2157ef43e53845ad46343b17ec0648f55101a8330005d6
SHA512

25437b69fefcfc4f988130abf6334ab52d871f3f608684cf59a6cc005cb4b642e68b8180ea20a569bcca8aa0aa3558c070be2643a3b279a90054de23fa4fb8af

Score

10^/10

Malware Config

Extracted

Family

socelars

C2

http://www.anquyebt.com/

Extracted

Family

redline

Botnet

media262231

C2

92.255.57.115:11841

Attributes

auth_value
5e0e6c3491655e18f0126b2b32773d57

Targets

- Target
  
  174723af9c95b2b96817e0cf6363ddf2ef72357c2c3006ed5c0d82870aed3d1e
- Size
  
  6.9MB
- MD5
  
  2db59bc805ebb1b8b1a947b15684e899
- SHA1
  
  97e2beaa6bcddf9b27a1175352a85fc769d88597
- SHA256
  
  174723af9c95b2b96817e0cf6363ddf2ef72357c2c3006ed5c0d82870aed3d1e
- SHA512
  
  e3849f480698c82229f49914d0cfb3dd2d836e492f2eaea3f26170a12d08cc591aaf17efb0798d75456997ef846d5180653549268925afcdefdb4bbd17229e46
Score

10^/10

onlylogger redline socelars media262231 aspackv2 discovery infostealer loader persistence spyware stealer suricata upx
- OnlyLogger
  A tiny loader that uses IPLogger to get its payload.
  loader onlylogger
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine Payload
- Socelars
  Socelars is an infostealer targeting browser cookies and credit card credentials.
  stealer socelars
- Socelars Payload
- Suspicious use of NtCreateUserProcessOtherParentProcess
- suricata: ET MALWARE ClipBanker Variant Activity (POST)
  suricata: ET MALWARE ClipBanker Variant Activity (POST)
  suricata
- suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
  suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
  suricata
- NirSoft WebBrowserPassView
  Password recovery tool for various web browsers
- Nirsoft
- OnlyLogger Payload
- ASPack v2.12-2.42
  Detects executables packed with ASPack v2.12-2.42
  aspackv2
- Executes dropped EXE
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Unexpected DNS network traffic destination
  Network traffic to other servers than the configured DNS servers was detected on the DNS port.
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Looks up geolocation information via web service
  Uses a legitimate geolocation service to find the infected system's geolocation info.
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2