onlylogger

General

Target

3da73ebe3f5ed7605d5d4675c9537dbceb09c72975efe18890d9c929231febb7
Size

6.7MB
Sample

220701-sj9evahefq
MD5

a8f9047cc84b4d10fc44debdddccd78d
SHA1

363d78bb74d6d7c863e463608a47570c32563b7f
SHA256

3da73ebe3f5ed7605d5d4675c9537dbceb09c72975efe18890d9c929231febb7
SHA512

022ec28ae9ee9124896c556ff9db6560ea17179bec4ad6b3de487c04758962a96f904a8f9c0d7f59fe5452775b798c7278a8cca2293dad5ea4534c3c8fe3d62e

Score

10^/10

Malware Config

Extracted

Family

vidar

Version

41.5

Botnet

933

C2

https://mas.to/@xeroxxx

Attributes

profile_id
933

Targets

- Target
  
  3da73ebe3f5ed7605d5d4675c9537dbceb09c72975efe18890d9c929231febb7
- Size
  
  6.7MB
- MD5
  
  a8f9047cc84b4d10fc44debdddccd78d
- SHA1
  
  363d78bb74d6d7c863e463608a47570c32563b7f
- SHA256
  
  3da73ebe3f5ed7605d5d4675c9537dbceb09c72975efe18890d9c929231febb7
- SHA512
  
  022ec28ae9ee9124896c556ff9db6560ea17179bec4ad6b3de487c04758962a96f904a8f9c0d7f59fe5452775b798c7278a8cca2293dad5ea4534c3c8fe3d62e
Score

10^/10

onlylogger vidar 933 loader spyware stealer suricata
- OnlyLogger
  A tiny loader that uses IPLogger to get its payload.
  loader onlylogger
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Vidar
  Vidar is an infostealer based on Arkei stealer.
  stealer vidar
- suricata: ET MALWARE ClipBanker Variant Activity (POST)
  suricata: ET MALWARE ClipBanker Variant Activity (POST)
  suricata
- OnlyLogger Payload
- Vidar Stealer
  stealer
- Downloads MZ/PE file
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Unexpected DNS network traffic destination
  Network traffic to other servers than the configured DNS servers was detected on the DNS port.
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2