MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 92f1df4dbb0e34c38083bb9516fb5c812175b5b73c9fda81ca8047c5c38a1abb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


OnlyLogger


Vendor detections: 9


Intelligence 9 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 92f1df4dbb0e34c38083bb9516fb5c812175b5b73c9fda81ca8047c5c38a1abb
SHA3-384 hash: 48944241f5149bd6bdb650cd09aa8a42cfbd6e0a816b08bc0ce0524a64948c4e258585959acd2c29aacabdcf60f52dbc
SHA1 hash: 901d7400d1f2bc4a87edafd58febfac4891f9fe8
MD5 hash: 0162c08d87055722bc49265bd5468d16
humanhash: princess-butter-pennsylvania-cardinal
File name:0162c08d87055722bc49265bd5468d16.exe
Download: download sample
Signature OnlyLogger
Create hunting rule
File size:373'248 bytes
First seen:2022-01-12 07:03:30 UTC
Last seen:2022-01-12 09:17:18 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 001cb942f01749e7a393ca23aaa78d09 (2 x CoinMiner, 2 x OnlyLogger, 1 x RedLineStealer)
ssdeep 6144:EbWxj7XagNorsFTCp64vSMLjYgrkhnuzbgwu:2Wx3a1kO6SS6c9unn
TLSH T19684E03176ECCC72C49752314824DBA05A3AF9316632A64B3758576A6F30ECC8BE635F
File icon (PE):PE icon
dhash icon fcfcb4d4d4d4d8c0 (70 x RedLineStealer, 59 x RaccoonStealer, 24 x Smoke Loader)
Reporter abuse_ch
Tags:exe OnlyLogger

Intelligence

File Origin
# of uploads :
2
# of downloads :
186
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Your+File+Is+Ready+To+Download.zip
Verdict:
Malicious activity
Analysis date:
2022-01-12 06:22:43 UTC
Tags:
evasion trojan loader rat redline stealer vidar opendir raccoon
Link:
https://app.any.run/tasks/bdca9283-1ba0-4fb0-9bee-73172fd8876c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
OnlyLogger
Create hunting rule
Link:
https://www.capesandbox.com/analysis/218518/
Detection(s):
SecuriteInfo.com.Trojan.PWS.Siggen3.10256.21521.11130.UNOFFICIAL
Create hunting rule

Win.Trojan.Generic-9935605-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
DNS request
Sending an HTTP GET request
Sending a custom TCP request
Creating a file in the %temp% directory
Сreating synchronization primitives
Running batch commands
Creating a process with a hidden window
Creating a process from a recently created file
Creating a window
Query of malicious DNS domain
Sending an HTTP GET request to an infection source
Gathering data
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/f388cf15-c3cb-477a-94fc-991841c13565
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/918937
Signature
Antivirus detection for URL or domain
Binary is likely a compiled AutoIt script file
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found API chain indicative of debugger detection
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 551415 Sample: 1r27MukAPc.exe Startdate: 12/01/2022 Architecture: WINDOWS Score: 96 41 Antivirus detection for URL or domain 2->41 43 Multi AV Scanner detection for dropped file 2->43 45 Multi AV Scanner detection for submitted file 2->45 47 2 other signatures 2->47 7 1r27MukAPc.exe 1 19 2->7         started        process3 dnsIp4 31 whatisart.top 91.107.126.148, 49747, 80 MGNHOST-ASRU Russian Federation 7->31 33 iplogger.org 148.251.234.83, 443, 49754, 49755 HETZNER-ASDE Germany 7->33 35 youtube4kdowloader.club 35.205.61.67, 80 GOOGLEUS United States 7->35 25 C:\Users\user\AppData\...\0629425638.exe, PE32 7->25 dropped 27 C:\Users\user\AppData\...\source22[1].cfg, PE32 7->27 dropped 29 C:\Users\user\AppData\...\source22[1].cfg, PE32 7->29 dropped 49 Detected unpacking (changes PE section rights) 7->49 51 Detected unpacking (overwrites its own PE header) 7->51 53 May check the online IP address of the machine 7->53 12 cmd.exe 1 7->12         started        14 cmd.exe 1 7->14         started        file5 signatures6 process7 process8 16 0629425638.exe 12->16         started        19 conhost.exe 12->19         started        21 taskkill.exe 1 14->21         started        23 conhost.exe 14->23         started        signatures9 37 Multi AV Scanner detection for dropped file 16->37 39 Found API chain indicative of debugger detection 16->39
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/92f1df4dbb0e34c38083bb9516fb5c812175b5b73c9fda81ca8047c5c38a1abb/
Threat name:
Win32.Trojan.Azorult
Create hunting rule
Status:
Malicious
First seen:
2022-01-12 03:02:00 UTC
File Type:
PE (Exe)
Extracted files:
27
AV detection:
25 of 28 (89.29%)
Threat level:
  5/5
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://tria.ge/reports/220112-hvysdabef4/
Behaviour
Kills process with taskkill
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
autoit_exe
Legitimate hosting services abused for malware hosting/C2
Loads dropped DLL
Downloads MZ/PE file
Executes dropped EXE
Unpacked files
SH256 hash:
80530e26e4ba89dcdccc20bd67bc685f8911c3029aa69090b0ab7f60c4690700
MD5 hash:
efa9705d887aaa72aad659b6ccbb2d39
SHA1 hash:
072adf714adf5aadeb3e2722e8c083bfceef9d41
Link:
https://www.unpac.me/results/e19371ae-2977-4b15-8ffa-47b09df62865/
SH256 hash:
92f1df4dbb0e34c38083bb9516fb5c812175b5b73c9fda81ca8047c5c38a1abb
MD5 hash:
0162c08d87055722bc49265bd5468d16
SHA1 hash:
901d7400d1f2bc4a87edafd58febfac4891f9fe8
Link:
https://www.unpac.me/results/e19371ae-2977-4b15-8ffa-47b09df62865/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/92f1df4dbb0e34c38083bb9516fb5c812175b5b73c9fda81ca8047c5c38a1abb

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_OnlyLogger
Create hunting rule
Author:ditekSHen
Description:Detects OnlyLogger loader variants

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/218518/

Comments