MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5b6e9f80c787e237f396735f48b3a2ccaeabe6e5c596693a34e7cb7a7bb4d123. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


OnlyLogger


Vendor detections: 11


Intelligence 11 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5b6e9f80c787e237f396735f48b3a2ccaeabe6e5c596693a34e7cb7a7bb4d123
SHA3-384 hash: 24ca070066def4effc4171a6f3ce4b4de54190ca68dd7797b1783266ee3bca9e30d4c282b84677066ff67e32595786ae
SHA1 hash: 5bcd208738d38b77330768855e6848be2fbfeca5
MD5 hash: d9275c6f500003801eddde52aec4a2e2
humanhash: salami-tennis-apart-hotel
File name:d9275c6f500003801eddde52aec4a2e2.exe
Download: download sample
Signature OnlyLogger
Create hunting rule
File size:370'176 bytes
First seen:2022-01-19 18:40:08 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f5a73f569a7ecfc597014c98e801b4fb (3 x RedLineStealer, 1 x OnlyLogger, 1 x Smoke Loader)
ssdeep 6144:gLYGxSuVs5rWUQ8n3od3i5P4IJevBpS9S:nGxSuS5rWUV5P4ZB49S
Threatray 2'837 similar samples on MalwareBazaar
TLSH T14E74E1307AD0D432C49625314926CFAC9A7DFC706A65860377A83B6E7F713C0966632F
File icon (PE):PE icon
dhash icon fcfcb4b4b4d4d9c1 (24 x RedLineStealer, 10 x Smoke Loader, 4 x RaccoonStealer)
Reporter abuse_ch
Tags:exe OnlyLogger

Intelligence

File Origin
# of uploads :
1
# of downloads :
222
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
d9275c6f500003801eddde52aec4a2e2.exe
Verdict:
Malicious activity
Analysis date:
2022-01-20 03:05:37 UTC
Tags:
evasion trojan loader miner tofsee
Link:
https://app.any.run/tasks/f1c601ba-a649-4760-a1f8-6094b293357e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
OnlyLogger
Create hunting rule
Link:
https://www.capesandbox.com/analysis/220769/
Detection(s):
Win.Trojan.Generic-9935605-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Sending an HTTP GET request
Sending a custom TCP request
Creating a file in the %temp% directory
Сreating synchronization primitives
Running batch commands
Creating a process with a hidden window
Creating a process from a recently created file
Creating a window
Query of malicious DNS domain
Result
Malware family:
n/a
Score:
  9/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/4783/overview
Behaviour
MalwareBazaar
SystemUptime
CPUID_Instruction
MeasuringTime
EvasionQueryPerformanceCounter
CheckCmdLine
EvasionGetTickCount
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware
Link:
https://www.filescan.io/uploads/61e85b1bd32385db6309fa8b/reports/374577d1-9119-4af0-acaf-7df53e63ee8d/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Gathering data
Result
Threat name:
onlyLogger
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/923775
Signature
Antivirus detection for URL or domain
Binary is likely a compiled AutoIt script file
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found API chain indicative of debugger detection
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected onlyLogger
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5b6e9f80c787e237f396735f48b3a2ccaeabe6e5c596693a34e7cb7a7bb4d123/
Threat name:
Win32.Trojan.Raccrypt
Create hunting rule
Status:
Malicious
First seen:
2022-01-19 18:40:27 UTC
File Type:
PE (Exe)
Extracted files:
32
AV detection:
22 of 28 (78.57%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=lnxj7aghq7rdp44wonpurm5czsxkxzxfywlgsoru47fxu65u2erq._file
Verdict:
malicious
Similar samples:
0ca57f85e88001edd67dff84428375de282f0f92e5bef2daed1c03ad2fa7612e
OnlyLogger
2988763ce776fb8a9c79a2565384a30744cccd114cde7ee49b71965396f41bc7
OnlyLogger
348ab54ce50b8b060f3b9034df308e74101d903fead0c7d7e958cefe4e08272d
OnlyLogger
7aa869ed7e51f0f08553fd4a6c23048208674fec8cb8c715b4ed7ba6e43b0f54
OnlyLogger
92f1df4dbb0e34c38083bb9516fb5c812175b5b73c9fda81ca8047c5c38a1abb
OnlyLogger
99ec7781fd51a626adc7c22fe67363568d3a6f6cbe9b2163d920da8b4123a28c
OnlyLogger
d06e9b26713ef8cb240b46a94b545ecdc40e811d6c520f7fa0d837d94e2a53fc
OnlyLogger
de48d965a36d69bebdc619ea20d384966bf6fee1e4ea7068a6894c4ff5629683
OnlyLogger
f12e6cd63a8d0c79621de6f617a1d5d58a811bc5e9a5798aa7fdb2b6fc067971
OnlyLogger
+ 2'827 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://tria.ge/reports/220119-xbbk3acdd5/
Behaviour
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
autoit_exe
Legitimate hosting services abused for malware hosting/C2
Loads dropped DLL
Downloads MZ/PE file
Executes dropped EXE
Unpacked files
SH256 hash:
7e29b63ab30fbf3dcf1dafd9963d435f3144be3b7947aec9507e6198306a8ebf
MD5 hash:
0ec82d777a47b1eeb8b9534d1005ddb1
SHA1 hash:
9669f8afa48305854843344e29d59c6f1dfd82be
Link:
https://www.unpac.me/results/8a5c5f33-0539-43b1-9a99-e258d48937a1/
SH256 hash:
5b6e9f80c787e237f396735f48b3a2ccaeabe6e5c596693a34e7cb7a7bb4d123
MD5 hash:
d9275c6f500003801eddde52aec4a2e2
SHA1 hash:
5bcd208738d38b77330768855e6848be2fbfeca5
Link:
https://www.unpac.me/results/8a5c5f33-0539-43b1-9a99-e258d48937a1/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/5b6e9f80c787e237f396735f48b3a2ccaeabe6e5c596693a34e7cb7a7bb4d123

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_OnlyLogger
Create hunting rule
Author:ditekSHen
Description:Detects OnlyLogger loader variants

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/220769/

Comments