MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 eeafd9d6aa2607575e05d0753c2ecc37710a9164fc5af4c9afa28c2d546e470b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


OnlyLogger


Vendor detections: 13


Intelligence 13 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: eeafd9d6aa2607575e05d0753c2ecc37710a9164fc5af4c9afa28c2d546e470b
SHA3-384 hash: b8a9afcb8c1ff9c725d8594bec4b952524eddabde33fb0d77a820a592ccca03dfdcf73c6872d9496c6afe159ad69574c
SHA1 hash: 182f03f0c32d49cefd2b0f9d956e8fb4a4cc2429
MD5 hash: 908086b9d4e8d2219e12bcda2acdf6aa
humanhash: montana-blossom-beryllium-ten
File name:908086b9d4e8d2219e12bcda2acdf6aa.exe
Download: download sample
Signature OnlyLogger
Create hunting rule
File size:370'176 bytes
First seen:2022-01-19 18:40:06 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash b599c41ba6f3d2fcbb28babbce596599 (10 x RedLineStealer, 3 x RaccoonStealer, 1 x OnlyLogger)
ssdeep 6144:4yaxawmIiJnCLqnq1czNJqq7AdPMe5gt4YTj:yxawmIvr1czMd0e5gF
Threatray 2'870 similar samples on MalwareBazaar
TLSH T17374D03176C0C472C08625394526CFA89ABDFC316965894373A43B6A7F713C3A67A35F
File icon (PE):PE icon
dhash icon fcf8b4b4b494d9c1 (17 x Smoke Loader, 8 x RedLineStealer, 6 x Amadey)
Reporter abuse_ch
Tags:exe OnlyLogger

Intelligence

File Origin
# of uploads :
1
# of downloads :
222
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
908086b9d4e8d2219e12bcda2acdf6aa.exe
Verdict:
Malicious activity
Analysis date:
2022-01-20 03:16:07 UTC
Tags:
evasion trojan opendir loader tofsee miner
Link:
https://app.any.run/tasks/d1240d5c-fd13-432c-b50b-00c800ba249e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
OnlyLogger
Create hunting rule
Link:
https://www.capesandbox.com/analysis/220768/
Detection(s):
Win.Malware.Generic-9936948-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Sending an HTTP GET request
Sending a custom TCP request
Creating a file in the %temp% directory
Сreating synchronization primitives
Running batch commands
Creating a process with a hidden window
Creating a process from a recently created file
Creating a window
Query of malicious DNS domain
Sending an HTTP GET request to an infection source
Result
Malware family:
n/a
Score:
  9/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/4782/overview
Behaviour
MalwareBazaar
SystemUptime
CPUID_Instruction
MeasuringTime
EvasionQueryPerformanceCounter
CheckCmdLine
EvasionGetTickCount
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware
Link:
https://www.filescan.io/uploads/61e85b1a0f8c757253cd644e/reports/aa9e8278-82aa-4b47-908b-75c4fb5201c2/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Vidar
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/0e5290e1-18c3-4de5-a9f2-97723cb6b5f2
Result
Threat name:
Tofsee onlyLogger
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/923776
Signature
Allocates memory in foreign processes
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Changes security center settings (notifications, updates, antivirus, firewall)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Drops executables to the windows directory (C:\Windows) and starts them
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Modifies the windows firewall
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Sigma detected: Copying Sensitive Files with Credential Data
Sigma detected: Suspect Svchost Activity
Sigma detected: Suspicious Svchost Process
System process connects to network (likely due to code injection or exploit)
Uses netsh to modify the Windows network and firewall settings
Writes to foreign memory regions
Yara detected onlyLogger
Yara detected Tofsee
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 556261 Sample: hx7ci7Mmrv.exe Startdate: 19/01/2022 Architecture: WINDOWS Score: 100 68 microsoft-com.mail.protection.outlook.com 2->68 90 Multi AV Scanner detection for domain / URL 2->90 92 Found malware configuration 2->92 94 Antivirus detection for URL or domain 2->94 96 10 other signatures 2->96 10 hx7ci7Mmrv.exe 1 19 2->10         started        15 iddwhrjb.exe 2->15         started        17 svchost.exe 2->17         started        19 8 other processes 2->19 signatures3 process4 dnsIp5 74 91.241.19.125, 80 REDBYTES-ASRU Russian Federation 10->74 76 saveyouvideo.com 185.49.68.128, 49747, 80 LEASEWEB-DE-FRA-10DE United Kingdom 10->76 80 3 other IPs or domains 10->80 60 C:\Users\user\AppData\...\0906394511.exe, PE32 10->60 dropped 62 C:\Users\user\AppData\...\source22[1].cfg, PE32 10->62 dropped 64 C:\Users\user\AppData\...\source22[1].cfg, PE32 10->64 dropped 100 Detected unpacking (changes PE section rights) 10->100 102 Detected unpacking (overwrites its own PE header) 10->102 104 May check the online IP address of the machine 10->104 21 cmd.exe 1 10->21         started        106 Writes to foreign memory regions 15->106 108 Allocates memory in foreign processes 15->108 110 Injects a PE file into a foreign processes 15->110 23 svchost.exe 1 15->23         started        112 Changes security center settings (notifications, updates, antivirus, firewall) 17->112 27 MpCmdRun.exe 17->27         started        78 127.0.0.1 unknown unknown 19->78 29 conhost.exe 19->29         started        file6 signatures7 process8 dnsIp9 31 0906394511.exe 2 21->31         started        35 conhost.exe 21->35         started        70 patmushta.info 194.87.185.165, 443, 49804, 49809 AS-REGRU Russian Federation 23->70 72 microsoft-com.mail.protection.outlook.com 52.101.24.0, 25, 49802 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 23->72 98 System process connects to network (likely due to code injection or exploit) 23->98 signatures10 process11 file12 66 C:\Users\user\AppData\Local\...\iddwhrjb.exe, PE32 31->66 dropped 82 Detected unpacking (changes PE section rights) 31->82 84 Detected unpacking (overwrites its own PE header) 31->84 86 Machine Learning detection for dropped file 31->86 88 2 other signatures 31->88 37 cmd.exe 1 31->37         started        40 netsh.exe 3 31->40         started        42 cmd.exe 2 31->42         started        44 3 other processes 31->44 signatures13 process14 file15 58 C:\Windows\SysWOW64\...\iddwhrjb.exe (copy), PE32 37->58 dropped 46 conhost.exe 37->46         started        48 conhost.exe 40->48         started        50 conhost.exe 42->50         started        52 conhost.exe 44->52         started        54 conhost.exe 44->54         started        56 conhost.exe 44->56         started        process16
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/eeafd9d6aa2607575e05d0753c2ecc37710a9164fc5af4c9afa28c2d546e470b/
Threat name:
Win32.Ransomware.StopCrypt
Create hunting rule
Status:
Malicious
First seen:
2022-01-19 18:40:23 UTC
File Type:
PE (Exe)
Extracted files:
32
AV detection:
24 of 28 (85.71%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=52x5tvvkeydvoxqf2b2tylwmg5yqvele7rnpjsnpukgc2vdoi4fq._file
Verdict:
malicious
Similar samples:
5b6e9f80c787e237f396735f48b3a2ccaeabe6e5c596693a34e7cb7a7bb4d123
OnlyLogger
7aa869ed7e51f0f08553fd4a6c23048208674fec8cb8c715b4ed7ba6e43b0f54
OnlyLogger
92f1df4dbb0e34c38083bb9516fb5c812175b5b73c9fda81ca8047c5c38a1abb
OnlyLogger
99ec7781fd51a626adc7c22fe67363568d3a6f6cbe9b2163d920da8b4123a28c
OnlyLogger
d06e9b26713ef8cb240b46a94b545ecdc40e811d6c520f7fa0d837d94e2a53fc
OnlyLogger
de48d965a36d69bebdc619ea20d384966bf6fee1e4ea7068a6894c4ff5629683
OnlyLogger
e6487d35a5d02e516e187ceabed0207f1e0b2464f0c45fcd9e378b9c959fa04b
OnlyLogger
ee3bd6d22faa0e51623d3f7cadccc413f056ee3172f73c5adab4ffc449bb0a4b
OnlyLogger
+ 2'860 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://tria.ge/reports/220119-xbbk3acdd4/
Behaviour
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
autoit_exe
Legitimate hosting services abused for malware hosting/C2
Loads dropped DLL
Downloads MZ/PE file
Executes dropped EXE
Unpacked files
SH256 hash:
7e29b63ab30fbf3dcf1dafd9963d435f3144be3b7947aec9507e6198306a8ebf
MD5 hash:
0ec82d777a47b1eeb8b9534d1005ddb1
SHA1 hash:
9669f8afa48305854843344e29d59c6f1dfd82be
Link:
https://www.unpac.me/results/61d4dba6-928a-4913-b412-c769c091d32e/
SH256 hash:
eeafd9d6aa2607575e05d0753c2ecc37710a9164fc5af4c9afa28c2d546e470b
MD5 hash:
908086b9d4e8d2219e12bcda2acdf6aa
SHA1 hash:
182f03f0c32d49cefd2b0f9d956e8fb4a4cc2429
Link:
https://www.unpac.me/results/61d4dba6-928a-4913-b412-c769c091d32e/
Malware family:
XMRIG
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/eeafd9d6aa26/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/eeafd9d6aa2607575e05d0753c2ecc37710a9164fc5af4c9afa28c2d546e470b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_OnlyLogger
Create hunting rule
Author:ditekSHen
Description:Detects OnlyLogger loader variants

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/220768/

Comments