MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7d22a507a20ecd7b99cbc2688a29770874f407ca0276e08621fc4a969820cfce. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


OnlyLogger


Vendor detections: 15


Intelligence 15 IOCs YARA 7 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7d22a507a20ecd7b99cbc2688a29770874f407ca0276e08621fc4a969820cfce
SHA3-384 hash: 5efac66c8226d202d91356e300d68f69976bc3bf884c51d854b466623f116994a4b5c19467c8a1f20d6814a8b7cbfb8e
SHA1 hash: d99e2016d6d1010c8f5cda362f2c314d1d4d852c
MD5 hash: e4c5c50d9c573109411348e4c7f79dd8
humanhash: uniform-ceiling-hotel-red
File name:e4c5c50d9c573109411348e4c7f79dd8
Download: download sample
Signature OnlyLogger
Create hunting rule
File size:327'680 bytes
First seen:2023-11-05 19:16:16 UTC
Last seen:2023-11-08 03:33:24 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash fb06b251ec823ec2b055f38e217cf323 (2 x Stealc, 2 x ArkeiStealer, 1 x CoinMiner)
ssdeep 6144:gU4LI9VtOpy4NT+Cxe0eAb8R5DI1bUUzJ6Gor:g989VQpy4NDe48R5s1dJn+
Threatray 49 similar samples on MalwareBazaar
TLSH T176648D0396F17C91E92E4B728E2FC6EC765EF160CE597766225CDA2F06B00B2C263715
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 020605011a183000 (1 x OnlyLogger)
Reporter zbetcheckin
Tags:32 exe OnlyLogger

Intelligence

File Origin
# of uploads :
2
# of downloads :
367
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
StealLogger.zip
Verdict:
Malicious activity
Analysis date:
2023-11-06 03:22:19 UTC
Tags:
onlylogger stealc stealer gcleaner loader
Link:
https://app.any.run/tasks/0fde7447-9370-4021-9c5f-257ecbbff29b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
OnlyLogger
Create hunting rule
Link:
https://www.capesandbox.com/analysis/458129/
Detection(s):
Win.Packer.pkr_ce1a-9980177-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a custom TCP request
Creating a window
Unauthorized injection to a recently created process
Restart of the analyzed sample
DNS request
Sending an HTTP GET request
Сreating synchronization primitives
Running batch commands
Creating a process with a hidden window
Using the Windows Management Instrumentation requests
Searching for the window
Launching a tool to kill processes
Sending an HTTP GET request to an infection source
Gathering data
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
greyware lolbin packed shell32 xpack
Link:
https://www.filescan.io/uploads/6547ea2f993fbf888b65810d/reports/149144ab-daef-456a-beab-140b6aabe051/overview
Verdict:
Malicious
Labled as:
Malware
Link:
https://www.hybrid-analysis.com/sample/7d22a507a20ecd7b99cbc2688a29770874f407ca0276e08621fc4a969820cfce
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/73798a2b-cc39-4f5b-8d9d-359fe1ad93f5
Result
Threat name:
onlyLogger
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1337318
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Contains functionality to inject code into remote processes
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected onlyLogger
Behaviour
Behavior Graph:
Download SVG
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/7d22a507a20ecd7b99cbc2688a29770874f407ca0276e08621fc4a969820cfce
Detection:
gcleaner
Create hunting rule
Link:
https://mwdb.cert.pl/sample/7d22a507a20ecd7b99cbc2688a29770874f407ca0276e08621fc4a969820cfce/
Threat name:
Win32.Trojan.RedLine
Create hunting rule
Status:
Malicious
First seen:
2023-11-05 15:25:11 UTC
File Type:
PE (Exe)
Extracted files:
40
AV detection:
21 of 24 (87.50%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=purkkb5cb3gxxgolyjuiuklxbb2pib6kaj3obbrb7rfjngbaz7ha._file
Verdict:
malicious
Similar samples:
0796818dc3510e88a966f0aaacd201ba162c46e0bc0f7c670ffbd43df485f5a7
OnlyLogger
0e6a19b3bc5992a4b87006701bc2ef7aced896a8791a5386700f983db6d5039d
OnlyLogger
0e9c3ef019f7a75caaa05d3aa393475dc838172449260353e2f811b1da2b736e
OnlyLogger
22129d7e9e05b24fa1b6e10177a3e2f793f478f147f6d0688f6c85806d434341
OnlyLogger
3b12caa2b17e1378c05477e1f2e3481b3a9cb638024eb5705bf5298f79fd70d6
OnlyLogger
49d338bc0aff700c861cea2620b98d673f0378a8c0813275722e08933bf0cf07
OnlyLogger
7d22a507a20ecd7b99cbc2688a29770874f407ca0276e08621fc4a969820cfce
OnlyLogger
aff40728907a20084c4762db4b6f305dc3e56695a538b92d8a418b0b29821522
OnlyLogger
e9b08e0dd330ea6a2244220dc04f7dec992c83cba8ab1e60e165850d69f5e3e4
OnlyLogger
f7e1a90ee2e6c56f816c3798e793af98da9f976dfca46c167fb01b7b897b8760
OnlyLogger
+ 39 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/231105-xzcg9scf42/
Behaviour
Kills process with taskkill
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Deletes itself
Unpacked files
SH256 hash:
7d1b712eccf7f2c8b250487359e20b1276880c4b350ebd8a1ac4c39984f9500d
MD5 hash:
d0e991a3f9537689ce98eecb69da57cf
SHA1 hash:
d5f5876a155c6b0bed231efa7baf1992b68de62e
Detections:
win_gcleaner_auto
Create hunting rule
Link:
https://www.unpac.me/results/a185e586-2f70-4e71-b2a4-2d8a75c2015e/
Parent samples :
0796818dc3510e88a966f0aaacd201ba162c46e0bc0f7c670ffbd43df485f5a7
7d22a507a20ecd7b99cbc2688a29770874f407ca0276e08621fc4a969820cfce
a9b17d9192a70211f8e094468f4c37dac31c7a7fb856486c6b68722f7225f22b
a15d5f6ce3181574e73196dfb63eae98688e1f2d8946a0fce1513703d5a78b26
61e2c0eb8b87b2cff74eeb9d9ad3c8a91e792b3618d9bd57f96232b70337b7fb
654a855dd88cbd6f1ef23e4c2bb2aadd4eff4f7faa97c9b8a5641525b7dd3128
SH256 hash:
7d22a507a20ecd7b99cbc2688a29770874f407ca0276e08621fc4a969820cfce
MD5 hash:
e4c5c50d9c573109411348e4c7f79dd8
SHA1 hash:
d99e2016d6d1010c8f5cda362f2c314d1d4d852c
Link:
https://www.unpac.me/results/a185e586-2f70-4e71-b2a4-2d8a75c2015e/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/7d22a507a20ecd7b99cbc2688a29770874f407ca0276e08621fc4a969820cfce

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
Create hunting rule
Author:ditekSHen
Description:Detects Windows executables referencing non-Windows User-Agents
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:MALWARE_Win_OnlyLogger
Create hunting rule
Author:ditekSHen
Description:Detects OnlyLogger loader variants
Rule name:win_gcleaner_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.gcleaner.
Rule name:yara_template
Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

OnlyLogger

Executable exe 7d22a507a20ecd7b99cbc2688a29770874f407ca0276e08621fc4a969820cfce

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2728027/
Cape
Cape
https://www.capesandbox.com/analysis/458129/

Comments


Avatar
zbet commented on 2023-11-05 19:16:17 UTC

url : hxxp://85.209.11.204/api/files/software/s5.exe