onlylogger

General

Target

7604026134.zip
Size

7.8MB
Sample

220616-st4x4sfgaj
MD5

71e9cec324b1edd57fa98922080a885d
SHA1

091d93d068ba6d59b57d2207a11993490aef675a
SHA256

f422f02b34cc844eaa1bc335774f22e5123d4137f241d3391a9eb6d06c5e508e
SHA512

9991b646abf6caafa152525ea1df743e35afd49edcbaac498a16e2f6cd04f3bcda86cb01c31f3e487c7fec60c8c7b3023a4965551a1161a8e79d62268ff47144

Score

10^/10

Malware Config

Extracted

Family

socelars

C2

http://www.biohazardgraphics.com/

Extracted

Family

raccoon

Botnet

164fb74855c13a4287d8fe7ac579a35bdf7002ab

Attributes

url4cnc
http://194.180.174.53/takecareandkeepitup
http://91.219.236.18/takecareandkeepitup
http://194.180.174.41/takecareandkeepitup
http://91.219.236.148/takecareandkeepitup
https://t.me/takecareandkeepitup

rc4.plain

Extracted

Family

redline

Botnet

media19n

C2

65.108.69.168:13293

Attributes

auth_value
d6d1029ee103315c8e2d6f15b37e84fc

Extracted

Family

redline

Botnet

v3user1

C2

159.69.246.184:13127

Attributes

auth_value
54df5250af9cbc5099c3e1e6f9e897c0

Targets

- Target
  
  03d1d38ead27924e7f657e613ae2c7da3634c981da75db907c0276169576d0c3
- Size
  
  7.8MB
- MD5
  
  f83d930e054893b0540db650e028df39
- SHA1
  
  2e55b5e29d47cd3c17d6031a011ce9ee933e1218
- SHA256
  
  03d1d38ead27924e7f657e613ae2c7da3634c981da75db907c0276169576d0c3
- SHA512
  
  859f10d13beb055e515a60503c06611ed24c9c72e32c07c6b4d6ba8d3d700b5675ab86339196ef273283e76ea4b37ee8b86c197fc483156b5cf90325b1e7541d
Score

10^/10

onlylogger raccoon redline socelars 164fb74855c13a4287d8fe7ac579a35bdf7002ab media19n aspackv2 infostealer loader stealer suricata upx v3user1 persistence spyware
- OnlyLogger
  A tiny loader that uses IPLogger to get its payload.
  loader onlylogger
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Raccoon
  Simple but powerful infostealer which was very active in 2019.
  stealer raccoon
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine Payload
- Socelars
  Socelars is an infostealer targeting browser cookies and credit card credentials.
  stealer socelars
- Socelars Payload
- suricata: ET MALWARE Win32/Spy.Socelars.S CnC Activity M3
  suricata: ET MALWARE Win32/Spy.Socelars.S CnC Activity M3
  suricata
- NirSoft WebBrowserPassView
  Password recovery tool for various web browsers
- Nirsoft
- OnlyLogger Payload
- ASPack v2.12-2.42
  Detects executables packed with ASPack v2.12-2.42
  aspackv2
- Executes dropped EXE
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Looks up geolocation information via web service
  Uses a legitimate geolocation service to find the infected system's geolocation info.
- Suspicious use of SetThreadContext
behavioral1 behavioral2