Overview

overview

10

Static

static

10

Onyx-Logge...78.exe

windows11-21h2-x64

9

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Onyx-Logger-main.zip

  • Size

    17.5MB

  • Sample

    240824-yf2hqaxfrk

  • MD5

    ae458e186325799281c8e0f5eeba5912

  • SHA1

    0066826c8c753f3e93b60ee77aa67e080e132f42

  • SHA256

    92d56998ac6629387aeca0b26fad02ed0c86a17eb48069909364f35094313ae6

  • SHA512

    60136a9d3b8910195656573dba47ce31ff52c2b160fb08b456ca9f324ad82ad49106c2fd7ae4fd3c771b201d84ff22953769e647766eedb23f3710e82da8a766

  • SSDEEP

    393216:+civjNVbRDXlUFgqk7Q+1wEDR+z7gqzQwuy3PMV8P:YvZVbRlq3Kug/+3kM

Score
10/10
empyreancredential_accessdiscoverypersistenceprivilege_escalationpyinstallerspywarestealerupx

Malware Config

Targets

    • Target

      Onyx-Logger-main/OnyxBuilder V1.78.exe

    • Size

      17.7MB

    • MD5

      7e8387af6f8a12af2bbbbe1730c50a39

    • SHA1

      be2d34442d5a8da70220d3069b7da8487485b6c5

    • SHA256

      2e45b0103cac8ae1f985ca094d3ebf930c8e7abe475ebe53345d04f0f6390df8

    • SHA512

      d9d91bff6a8b387d882f31dac80bcdb42b01fc4a26e0de6ede0d89a9cbbea49dc3e8c3700a5bbbf67603751af533e1160d31a89b370ad2bcef63d72acd56d67b

    • SSDEEP

      393216:FqPnLFXlrTgQpDOETgsvfGA5gjMvEVzx0qLd:8PLFXNMQoEZmln7

    Score
    9/10
    credential_accessdiscoverypersistenceprivilege_escalationspywarestealerupx

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious Access or copy of Web Browser Credential store.

      credential_accessstealer

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • Adds Run key to start application

      persistence

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Event Triggered Execution

1
T1546

Netsh Helper DLL

1
T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Event Triggered Execution

1
T1546

Netsh Helper DLL

1
T1546.007

Defense Evasion

Modify Registry

2
T1112

Credential Access

Credentials from Password Stores

1
T1555

Credentials from Web Browsers

1
T1555.003

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

Browser Information Discovery

1
T1217

System Network Configuration Discovery

1
T1016

Wi-Fi Discovery

1
T1016.002

Lateral Movement

Collection

Data from Local System

1
T1005

Command and Control

Web Service

1
T1102

Exfiltration

Impact

Tasks