MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 104fae3c4dcf6339429a9242d76cec45644e5b2e072fdfa0d5f477c7ec7ebcfb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



OnlyLogger


Vendor detections: 17


SHA256 hash: 104fae3c4dcf6339429a9242d76cec45644e5b2e072fdfa0d5f477c7ec7ebcfb
SHA3-384 hash: acdf145ba2de70522b9a326603cb6097c6e13f7bb0be1587c21945c1534f3987a791591280185d6103d0592493991805
SHA1 hash: 075e75325520e7da9b66e4c674d41d6814e9a73d
MD5 hash: bcbc5db2320794b24d29bd05271ddc61
humanhash: beryllium-bravo-arizona-fillet
File name: 104FAE3C4DCF6339429A9242D76CEC45644E5B2E072FD.exe
Signature: OnlyLogger
File size: 4'881'338 bytes
First seen: 2022-03-07 10:55:28 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: c05041e01f84e1ccca9c4451f3b6a383 (141 x RedLineStealer, 101 x GuLoader, 64 x DiamondFox)
ssdeep: 98304:ydjdfSjilPlnxU3WnmjIgJW/yfKsdOeX02zVHRQnZ01cgv4j:ybfSOlPlWI6C202ztv1LI
TLSH: T1EA36334BA0D5D937E83E7E70FBF4D4668196A2114A27C457C7A64E263C723887C3A1BC
dhash icon: b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter: abuse_ch
Tags: exe OnlyLogger


abuse_ch
OnlyLogger C2:
5.61.49.206:8880

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC: 5.61.49.206:8880
ThreatFox Reference: https://threatfox.abuse.ch/ioc/392760/

Intelligence


File Origin
# of uploads:
1
# of downloads:
207
Origin country:
n/a
Vendor Threat Intelligence
Malware family:
socelars
ID:
1
File name:
104fae3c4dcf6339429a9242d76cec45644e5b2e072fdfa0d5f477c7ec7ebcfb.zip
Verdict:
Malicious activity
Analysis date:
2022-03-07 11:57:01 UTC
Tags:
evasion trojan socelars stealer loader

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% directory
Creating synchronization primitives
Creating a process from a recently created file
Creating a file
Running batch commands
Sending a custom TCP request
Searching for synchronization primitives
Launching a process
Launching the default Windows debugger (dwwin.exe)
Creating a process with a hidden window
Creating a window
Query of malicious DNS domain
Unauthorized injection to a recently created process
Result
Malware family:
n/a
Score:
5/10
Tags:
n/a
Behaviour
MalwareBazaar
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Socelars
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Signature
.NET source code contains very large array initializations
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has a writeable .text section
PE file has nameless sections
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected Socelars
Yara Genericmalware
Threat name:
Win32.Trojan.Jaik
Status:
Malicious
First seen:
2021-10-23 01:23:06 UTC
File Type:
PE (Exe)
Extracted files:
198
AV detection:
33 of 42 (78.57%)
Threat level:
5/5
Verdict:
malicious
Result
Malware family:
Score:
10/10
Tags:
family:djvu family:onlylogger family:redline family:smokeloader family:socelars family:vidar botnet:706 botnet:nanani botnet:ruzki (check bio) aspackv2 backdoor discovery evasion infostealer loader ransomware spyware stealer suricata themida trojan upx
Behaviour
Checks SCSI registry key(s)
Creates scheduled task(s)
Enumerates processes with tasklist
Kills process with taskkill
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Checks installed software on the system
Checks whether UAC is enabled
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Looks up geolocation information via web service
Checks BIOS information in registry
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Themida packer
ASPack v2.12-2.42
Downloads MZ/PE file
Executes dropped EXE
UPX packed file
Identifies VirtualBox via ACPI registry values (likely anti-VM)
OnlyLogger Payload
Vidar Stealer
Detected Djvu ransomware
Djvu Ransomware
Modifies Windows Defender Real-time Protection settings
OnlyLogger
RedLine
RedLine Payload
SmokeLoader
Socelars
Socelars Payload
Vidar
suricata: ET MALWARE EXE Download Request To Wordpress Folder Likely Malicious
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer HTTP POST Pattern
suricata: ET MALWARE Win32/Spy.Socelars.S CnC Activity M3
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
Malware Config
C2 Extraction:
http://www.iyiqian.com/
http://www.xxhufdc.top/
http://www.uefhkice.xyz/
http://www.znsjis.top/
45.142.215.47:27643
https://petrenko96.tumblr.com/
http://varmisende.com/upload/
http://fernandomayol.com/upload/
http://nextlytm.com/upload/
http://people4jan.com/upload/
http://asfaltwerk.com/upload/
http://fuyt.org/test3/get.php
103.133.111.182:44839
Unpacked files
SHA256 hash:
894300eca1742f48ed61be1043d3cb9924e89522c24b0f01b7cceb261a1fa073
MD5 hash:
7c82c868054a4fc8a5f6337a55f8d82e
SHA1 hash:
279ef02de285cbaf873e1ac2794406baa1f84f19
SHA256 hash:
02faa92f954bf58fa9100afc04fb66235fabc7e79f95e31d7e434c15d1eb59c7
MD5 hash:
79cf39ca158b21fdd29f2ed2263ec522
SHA1 hash:
f299e3d7567f69bc1e50f399f568cc29bb047a06
SHA256 hash:
36d5afdcb0fa8d512656aa5a59f34018885bb1b9dd5cc0780766552809cfb45f
MD5 hash:
4f9c74430d72b9500a0d99cc28fc7a7e
SHA1 hash:
a67cf6a62a6cabec501aa2f14e97c48b71dbd97c
SHA256 hash:
58548d835af3cd0b14ff1fad456a4654ab1c0d8b705aa4f3fee6c551a5c88702
MD5 hash:
379d88b03dc9b79a12ed23321c88ab0a
SHA1 hash:
f40a4f0011056a7f119cffddaa44beb3434f2e38
SHA256 hash:
52587a260b384278c789b134c8f08d8af9997aedd818c3c6a280d00aaaa77d2d
MD5 hash:
2c509753fac93810c09574a8b56af1e4
SHA1 hash:
e53da7ff5a9cfc3bda21794d639ed1f02cd7a881
SHA256 hash:
fbc75a565c0d1896171feb728d011c1a91c0d9548e0e529a76dcf0a6679d1f20
MD5 hash:
d9bdc8a637733704c3b25360ae0f8d07
SHA1 hash:
e40a87a4226f9f31ae9df39b61ed501f356c70b2
SHA256 hash:
dc9ae515aa033430a4c755995cd83106b6c060aa2279662cc4a9d31558554558
MD5 hash:
5e5643b0685f6cb728bfddb9e4686149
SHA1 hash:
db9129babccdf8ea57dbfefe9736605c6fd20d03
SHA256 hash:
2d7deb427ff5a10c522ad2f836f9714d1294ac03ecc7f19e52c85e00b16f1ac0
MD5 hash:
345b456e702648f640feafe9e43cdc96
SHA1 hash:
c551d69444bf5191f505b981e3702d6e53db5e3d
SHA256 hash:
283691b42a673d524246a76531cf0bf40c17b0a415b2b9354635a91f8a6ede04
MD5 hash:
0ac78539771d109b0fd4d41080e93fcc
SHA1 hash:
c142346bf70d266b65e1c3ffdcfbcfe6a41a02f0
SHA256 hash:
d25898f4e03bc39021a0343bbdacff41124c4df53a7ca016ba0283e243e59574
MD5 hash:
c24432e2194460be25fce45ed7ec3815
SHA1 hash:
b03ccbffbddb5221b943f55e0d45da751800454e
SHA256 hash:
6851e02d3f4b8179b975f00bbc86602a2f2f84524f548876eb656db7ea5eaa9c
MD5 hash:
c5124caf4aea3a83b63a9108fe0dcef8
SHA1 hash:
a43a5a59038fca5a63fa526277f241f855177ce6
SHA256 hash:
d4422d3174fbfa10bf2a5886cdc1cc37baea4e325950fcf92b9eb73cba728270
MD5 hash:
5db4276eb2315a08be9b3d203beb8f4d
SHA1 hash:
930b0f80513fa6be081f51fd2f9151bf8306a635
SHA256 hash:
c3fdcdf14187e336a9ad59a000e6e94e4db063a28243830243f79b2e9ba495ba
MD5 hash:
148629a3661dc6f306ca083a25a2004a
SHA1 hash:
7d8814aaf464d486bf95da30f28dcc288520cc4a
SHA256 hash:
bfcec33dec1d8e2289b5cd2c9ba575b9afbc313ccc6c7870254ed916f53c7cf1
MD5 hash:
09ddadc12942f17fe197a995fd6ccb1d
SHA1 hash:
73d51ea908020a6808c789dda877f11c8acbf47f
SHA256 hash:
1e50bead67a29eaeec16eb7f67ae9624e2e117c21838753b339f8dedcc1d0819
MD5 hash:
34a48b5bb71c3e586ab70823760ab20a
SHA1 hash:
4a2a5053f44be79b897a9c126befbdf32df5c4d3
SHA256 hash:
84339f838e53229b9dfc4b0475a4f04e735ae2316ca68c4e1162eb10ebb77ae0
MD5 hash:
2755c201501d5e698f174390180fd1fe
SHA1 hash:
111aa3a35203142031c57f56e8a01695eedb60cc
SHA256 hash:
e427f8ef21691e3d8c2313d11129ad08ddef69a158eca2f77c170603478ff0c4
MD5 hash:
0dedd909aae9aa0a89b4422106310e9e
SHA1 hash:
271d36afa5b729ee590cf8066166ca5e9c9d0340
SHA256 hash:
0fbd853a669d4590b44cda0525f41aa99175133be439db7ca9cd575a2af2636b
MD5 hash:
bb4e4f419dbe419d5cdca7e8534ac023
SHA1 hash:
cdacd0ad82dcefa585734e751b1cea42161a9033
SHA256 hash:
e1cc6a9d780602fe6e789bf5c3a27e87e197a4e3bf7c8138ea2f9dfec70fb963
MD5 hash:
f707252b9c9579677fffb013e0cfc646
SHA1 hash:
8ab483023fa8773afb8c13464c39c5b8e687f126
SHA256 hash:
675a3318ea77c7e164e0fcf150a35bb645d080edcabea8ba240a5895878794b1
MD5 hash:
5cf305c460fbd10f292d0c743bc26fce
SHA1 hash:
6bbcb8d1ed3e26055ab885caffd5ed2def54590c
SHA256 hash:
91d0640678b8089c6bdbe5be53c36f856c7849ba796f2822c32788ab653358f6
MD5 hash:
9683a43ab09005e5b378fa62e0978a03
SHA1 hash:
434fb390bf4f80e2b94ac3f398192aef3c6cbec3
SHA256 hash:
621209f097923b4f586d81b9613d99b7a9c83526dea0d6da6e8f22228fedc5ff
MD5 hash:
7459fd939483b10b2b0b8d846ed5a743
SHA1 hash:
aadc0757f7f2affc83518dce73038495dd231390
SHA256 hash:
58880b297bb53aa8d988011d5bef20dd73a45a9147bf5cf2192973482c5c05ea
MD5 hash:
c8cdc0f2aef4c040ffd53704c43221ca
SHA1 hash:
45d3d43552199069822ecd674064c7e7b32edc03
Detections:
win_socelars_auto
SHA256 hash:
bf21ef9940de628e95937b2bb947e1d7f073067792ba9a84b8258ee401ea36f3
MD5 hash:
28f45bd873af5a0fdb76d83f94087a12
SHA1 hash:
3bf2629f8888e1a201c78657740ed9eac23142b6
SHA256 hash:
104fae3c4dcf6339429a9242d76cec45644e5b2e072fdfa0d5f477c7ec7ebcfb
MD5 hash:
bcbc5db2320794b24d29bd05271ddc61
SHA1 hash:
075e75325520e7da9b66e4c674d41d6814e9a73d
Malware family:
SmokeLoader
Verdict:
Malicious
Please note that we are no longer able to provide a coverage score for VirusTotal.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments