Malware Analysis Report

2025-08-10 17:09

Sample ID 211120-js11dsfee4
Target 10077bec9ee4408196ba97fa5bd3a2ff409ef9deddb183aeca757798ff68ec64
SHA256 10077bec9ee4408196ba97fa5bd3a2ff409ef9deddb183aeca757798ff68ec64
Tags
socelars evasion spyware stealer trojan
score
10/10

Analysis Overview

Threat Level: Known bad

The file 10077bec9ee4408196ba97fa5bd3a2ff409ef9deddb183aeca757798ff68ec64 was found to be: Known bad.

Malicious Activity Summary

socelars evasion spyware stealer trojan

Socelars family

Socelars Payload

Suspicious use of NtCreateProcessExOtherParentProcess

Executes dropped EXE

Reads user/profile data of web browsers

Legitimate hosting services abused for malware hosting/C2

Checks whether UAC is enabled

Drops file in Windows directory

Program crash

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2021-11-20 07:56

Signatures

Socelars Payload

Description Indicator Process Target
N/A N/A N/A N/A

Socelars family

socelars

Analysis: behavioral1

Detonation Overview

Submitted

2021-11-20 07:56

Reported

2021-11-20 07:59

Platform

win10-en-20211104

Max time kernel

121s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\10077bec9ee4408196ba97fa5bd3a2ff409ef9deddb183aeca757798ff68ec64.exe"

Signatures

Suspicious use of NtCreateProcessExOtherParentProcess

Description Indicator Process Target
PID 1020 created 4380 N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup.exe

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\vinmall_dj.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup.exe N/A

Reads user/profile data of web browsers

spyware stealer

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\RarSFX0\vinmall_dj.exe N/A

Legitimate hosting services abused for malware hosting/C2

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\AppCompat\Programs\Amcache.hve.tmp C:\Windows\SysWOW64\WerFault.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\vinmall_dj.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\WerFault.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\WerFault.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WerFault.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\10077bec9ee4408196ba97fa5bd3a2ff409ef9deddb183aeca757798ff68ec64.exe

"C:\Users\Admin\AppData\Local\Temp\10077bec9ee4408196ba97fa5bd3a2ff409ef9deddb183aeca757798ff68ec64.exe"

C:\Users\Admin\AppData\Local\Temp\RarSFX0\vinmall_dj.exe

"C:\Users\Admin\AppData\Local\Temp\RarSFX0\vinmall_dj.exe"

C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup.exe

"C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4380 -s 800

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4380 -s 812

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4380 -s 912

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4380 -s 948

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4380 -s 1232

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4380 -s 1276

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4380 -s 1224

Network

Country Destination Domain Proto
MY 111.90.158.95:80 111.90.158.95 tcp
US 8.8.8.8:53 iplogger.org udp
DE 5.9.162.45:443 iplogger.org tcp
US 8.8.8.8:53 time.windows.com udp
NL 20.101.57.9:123 time.windows.com udp
US 8.8.8.8:53 postbackstat.biz udp
DE 194.87.138.114:80 postbackstat.biz tcp

Files

memory/3908-118-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\RarSFX0\vinmall_dj.exe

MD5 a1d00143873b96218372c6ae79090475
SHA1 7076057730486912f44bc99374c4a5b72376e253
SHA256 122104f07c14145af975d69374eb9c29f69f2913c0e9af762c5a9c1085530711
SHA512 0d6415f2ee2163b77f4828f107c49278132177725646d8ab4d2bb4515684a4a84ad07fb38fb05fb193a29052cfab3b3e0d88e6f0f69d03254e769eb5fc2f18d7

memory/3908-121-0x0000000000030000-0x0000000000033000-memory.dmp

memory/3908-122-0x0000000003A70000-0x0000000003A80000-memory.dmp

memory/3908-128-0x0000000003C10000-0x0000000003C20000-memory.dmp

memory/3908-134-0x0000000004DA0000-0x0000000004DA8000-memory.dmp

memory/3908-135-0x0000000005040000-0x0000000005048000-memory.dmp

memory/3908-136-0x0000000005040000-0x0000000005048000-memory.dmp

memory/3908-161-0x00000000049A0000-0x00000000049A8000-memory.dmp

memory/3908-176-0x0000000004BA0000-0x0000000004BA8000-memory.dmp

memory/3908-177-0x0000000004BA0000-0x0000000004BA8000-memory.dmp

memory/4380-183-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup.exe

MD5 12b7c9704aa57489507a76980c7e8383
SHA1 cfed4dae8f721e4809399d8fb11cf8b5ed94b30c
SHA256 3fcda96bd514cc95ea2f8092b9759837d1a3fb6d8bffcbbf5c76109e3976339b
SHA512 497afb49c7a95f4be486a1c55e42832e5cd69012853e5a199e937f4c4544aa3f03bca2c62bcc03322eb504b51cbbcbffb580ec80dd55c7b7a580c6e04235977a

memory/4380-188-0x0000000000400000-0x0000000002B57000-memory.dmp

memory/4380-187-0x0000000002C40000-0x0000000002D8A000-memory.dmp