onlylogger | 0b9666aa27ef229d6c52ff5243bca7e0adbfd0c086a0f919ea1edcdcd06b95cb

General

Target

new.exe
Size

749KB
MD5

57e584e029832148a60af9bad5fb87ea
SHA1

58e680b15d034dfb98352dc03e5060be1fbb62b4
SHA256

0b9666aa27ef229d6c52ff5243bca7e0adbfd0c086a0f919ea1edcdcd06b95cb
SHA512

a6b4b6170d4a5e7e8924026add27fc2d19292601d250b1141ee85008e35a28b155e547cbdb39217285f9dcf6053fd1e8b2388237c84332dcb1ae4e7234937832

Score

10^/10

onlylogger loader

Malware Config

Signatures

OnlyLogger
A tiny loader that uses IPLogger to get its payload.
loader onlylogger

OnlyLogger Payload 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2708-131-0x0000000000B40000-0x0000000000B6D000-memory.dmp	family_onlylogger
behavioral1/memory/2708-132-0x0000000000400000-0x00000000008A8000-memory.dmp	family_onlylogger
behavioral1/memory/2708-134-0x0000000000B40000-0x0000000000B6D000-memory.dmp	family_onlylogger

Program crash 9 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
1996	2708	WerFault.exe	new.exe
5076	2708	WerFault.exe	new.exe
4544	2708	WerFault.exe	new.exe
3384	2708	WerFault.exe	new.exe
3856	2708	WerFault.exe	new.exe
2244	2708	WerFault.exe	new.exe
384	2708	WerFault.exe	new.exe
3460	2708	WerFault.exe	new.exe
4432	2708	WerFault.exe	new.exe

C:\Users\Admin\AppData\Local\Temp\new.exe
"C:\Users\Admin\AppData\Local\Temp\new.exe"
1⤵
PID:2708

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2708 -s 620
2⤵
- Program crash
PID:1996

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2708 -s 632
2⤵
- Program crash
PID:5076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2708 -s 748
2⤵
- Program crash
PID:4544

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2708 -s 748
2⤵
- Program crash
PID:3384

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2708 -s 812
2⤵
- Program crash
PID:3856

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2708 -s 840
2⤵
- Program crash
PID:2244

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2708 -s 1536
2⤵
- Program crash
PID:384

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2708 -s 8112
2⤵
- Program crash
PID:3460

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2708 -s 9040
2⤵
- Program crash
PID:4432

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2708 -ip 2708
1⤵
PID:3084

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 2708 -ip 2708
1⤵
PID:2212

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2708 -ip 2708
1⤵
PID:4212

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 192 -p 2708 -ip 2708
1⤵
PID:4104

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 2708 -ip 2708
1⤵
PID:3588

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2708 -ip 2708
1⤵
PID:1768

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 2708 -ip 2708
1⤵
PID:3920

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 2708 -ip 2708
1⤵
PID:3664

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 2708 -ip 2708
1⤵
PID:1176

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2708-130-0x0000000000B89000-0x0000000000BA4000-memory.dmp

Filesize
108KB

Download
memory/2708-131-0x0000000000B40000-0x0000000000B6D000-memory.dmp

Filesize
180KB

Download
memory/2708-132-0x0000000000400000-0x00000000008A8000-memory.dmp

Filesize
4.7MB

Download
memory/2708-133-0x0000000000B89000-0x0000000000BA4000-memory.dmp

Filesize
108KB

Download
memory/2708-134-0x0000000000B40000-0x0000000000B6D000-memory.dmp

Filesize
180KB

Download

Analysis

Sharing