Malware Analysis Report

2025-08-10 17:09

Sample ID 211120-jwzxhaceam
Target 0143357e1751b8e60ec677b45be7eb653ca8767e88647c017d0f8bb19345e6e3
SHA256 0143357e1751b8e60ec677b45be7eb653ca8767e88647c017d0f8bb19345e6e3
Tags
socelars evasion spyware stealer suricata trojan
score
10/10

Analysis Overview

score
10/10

SHA256

0143357e1751b8e60ec677b45be7eb653ca8767e88647c017d0f8bb19345e6e3

Threat Level: Known bad

The file 0143357e1751b8e60ec677b45be7eb653ca8767e88647c017d0f8bb19345e6e3 was found to be: Known bad.

Malicious Activity Summary

socelars evasion spyware stealer suricata trojan

suricata: ET MALWARE GCleaner Downloader Activity M5

Socelars family

Socelars Payload

Suspicious use of NtCreateProcessExOtherParentProcess

Executes dropped EXE

Reads user/profile data of web browsers

Checks whether UAC is enabled

Legitimate hosting services abused for malware hosting/C2

Drops file in Windows directory

Enumerates physical storage devices

Program crash

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK (Enterprise Matrix V6)

Analysis: static1

Detonation Overview

Reported

2021-11-20 08:01

Signatures

Socelars Payload

Description Indicator Process Target
N/A N/A N/A N/A

Socelars family

socelars

Analysis: behavioral1

Detonation Overview

Submitted

2021-11-20 08:01

Reported

2021-11-20 08:04

Platform

win10-en-20211104

Max time kernel

118s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0143357e1751b8e60ec677b45be7eb653ca8767e88647c017d0f8bb19345e6e3.exe"

Signatures

Suspicious use of NtCreateProcessExOtherParentProcess

Description Indicator Process Target
PID 2744 created 376 N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup.exe

suricata: ET MALWARE GCleaner Downloader Activity M5

suricata

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\vinmall_da.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup.exe N/A

Reads user/profile data of web browsers

spyware stealer

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\RarSFX0\vinmall_da.exe N/A

Legitimate hosting services abused for malware hosting/C2

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\AppCompat\Programs\Amcache.hve.tmp C:\Windows\SysWOW64\WerFault.exe N/A
(the Amcache.hve.tmp write is a side effect of WerFault.exe generating crash reports for the faulting dropped payload, not a file planted by the sample itself)

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
(identical row reported 64 times; every hit comes from the WerFault.exe crash-reporter instances, not from the sample's own binaries)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeManageVolumePrivilege (x6) N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\vinmall_da.exe N/A
Token: SeRestorePrivilege (x1) N/A C:\Windows\SysWOW64\WerFault.exe N/A
Token: SeBackupPrivilege (x2) N/A C:\Windows\SysWOW64\WerFault.exe N/A
Token: SeDebugPrivilege (x7) N/A C:\Windows\SysWOW64\WerFault.exe N/A
(repeated rows collapsed with counts; the WerFault.exe privileges are the crash reporter's normal requests when it opens and dumps PID 376, so the sample-attributable entry is the SeManageVolumePrivilege request by vinmall_da.exe)

Processes

C:\Users\Admin\AppData\Local\Temp\0143357e1751b8e60ec677b45be7eb653ca8767e88647c017d0f8bb19345e6e3.exe

"C:\Users\Admin\AppData\Local\Temp\0143357e1751b8e60ec677b45be7eb653ca8767e88647c017d0f8bb19345e6e3.exe"

C:\Users\Admin\AppData\Local\Temp\RarSFX0\vinmall_da.exe

"C:\Users\Admin\AppData\Local\Temp\RarSFX0\vinmall_da.exe"

C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup.exe

"C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 376 -s 800

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 376 -s 780

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 376 -s 816

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 376 -s 948

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 376 -s 1160

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 376 -s 1256

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 376 -s 1248

Network

Country Destination Domain Proto
MY 111.90.158.95:80 111.90.158.95 tcp
US 8.8.8.8:53 iplogger.org udp
DE 5.9.162.45:443 iplogger.org tcp
US 8.8.8.8:53 time.windows.com udp
NL 40.119.148.38:123 time.windows.com udp
US 8.8.8.8:53 postbackstat.biz udp
DE 194.87.138.114:80 postbackstat.biz tcp

Files

memory/3344-118-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\RarSFX0\vinmall_da.exe

MD5 a1d00143873b96218372c6ae79090475
SHA1 7076057730486912f44bc99374c4a5b72376e253
SHA256 122104f07c14145af975d69374eb9c29f69f2913c0e9af762c5a9c1085530711
SHA512 0d6415f2ee2163b77f4828f107c49278132177725646d8ab4d2bb4515684a4a84ad07fb38fb05fb193a29052cfab3b3e0d88e6f0f69d03254e769eb5fc2f18d7

memory/3344-121-0x0000000000030000-0x0000000000033000-memory.dmp

memory/3344-122-0x0000000003F30000-0x0000000003F40000-memory.dmp

memory/3344-128-0x00000000040D0000-0x00000000040E0000-memory.dmp

memory/3344-134-0x0000000005270000-0x0000000005278000-memory.dmp

memory/3344-135-0x0000000005510000-0x0000000005518000-memory.dmp

memory/3344-151-0x0000000004E70000-0x0000000004E78000-memory.dmp

memory/3344-158-0x0000000004F30000-0x0000000004F38000-memory.dmp

memory/3344-159-0x0000000004F30000-0x0000000004F38000-memory.dmp

memory/3344-160-0x0000000004F30000-0x0000000004F38000-memory.dmp

memory/376-161-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup.exe

MD5 12b7c9704aa57489507a76980c7e8383
SHA1 cfed4dae8f721e4809399d8fb11cf8b5ed94b30c
SHA256 3fcda96bd514cc95ea2f8092b9759837d1a3fb6d8bffcbbf5c76109e3976339b
SHA512 497afb49c7a95f4be486a1c55e42832e5cd69012853e5a199e937f4c4544aa3f03bca2c62bcc03322eb504b51cbbcbffb580ec80dd55c7b7a580c6e04235977a

memory/376-164-0x0000000002E27000-0x0000000002E4F000-memory.dmp

memory/376-165-0x0000000002B60000-0x0000000002CAA000-memory.dmp

memory/376-166-0x0000000000400000-0x0000000002B57000-memory.dmp
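Added example, not code from the sandbox report or its vendor: a small Python triage script that re-derives the behavioural signals above from the events this report lists (the process list, the EnableLUA registry read, the network table and the dropped-file hashes, all transcribed from this page) and turns them into a hunt list. The detection thresholds, the benign allow-list (the VM's 8.8.8.8 resolver and time.windows.com NTP) and all function names are this example's own assumptions.

```python
"""
Re-derive the report's behavioural signals from its own observed events and
emit a hunt list. Added example; the event data below is transcribed from the
report, the thresholds and allow-list are assumptions made for this example.
"""
import re
from collections import Counter

TEMP = r"C:\Users\Admin\AppData\Local\Temp"
WERFAULT = r"C:\Windows\SysWOW64\WerFault.exe"
PARENT = "0143357e1751b8e60ec677b45be7eb653ca8767e88647c017d0f8bb19345e6e3"

# (image path, command line) for every process in the Processes section.
PROCESSES = [
    (TEMP + "\\" + PARENT + ".exe", '"' + TEMP + "\\" + PARENT + '.exe"'),
    (TEMP + r"\RarSFX0\vinmall_da.exe", '"' + TEMP + r'\RarSFX0\vinmall_da.exe"'),
    (TEMP + r"\RarSFX0\setup.exe", '"' + TEMP + r'\RarSFX0\setup.exe"'),
] + [(WERFAULT, f"{WERFAULT} -u -p 376 -s {s}") for s in (800, 780, 816, 948, 1160, 1256, 1248)]

# Registry read under "Checks whether UAC is enabled": (value path, reading process).
REGISTRY_READS = [
    (r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA",
     TEMP + r"\RarSFX0\vinmall_da.exe"),
]

# Network table: (country, "ip:port", domain, proto).
NETWORK = [
    ("MY", "111.90.158.95:80", "111.90.158.95", "tcp"),
    ("US", "8.8.8.8:53", "iplogger.org", "udp"),
    ("DE", "5.9.162.45:443", "iplogger.org", "tcp"),
    ("US", "8.8.8.8:53", "time.windows.com", "udp"),
    ("NL", "40.119.148.38:123", "time.windows.com", "udp"),
    ("US", "8.8.8.8:53", "postbackstat.biz", "udp"),
    ("DE", "194.87.138.114:80", "postbackstat.biz", "tcp"),
]

# SHA256 of the files the SFX extracted, from the Files section.
DROPPED_SHA256 = {
    "vinmall_da.exe": "122104f07c14145af975d69374eb9c29f69f2913c0e9af762c5a9c1085530711",
    "setup.exe": "3fcda96bd514cc95ea2f8092b9759837d1a3fb6d8bffcbbf5c76109e3976339b",
}

# Sandbox infrastructure noise, assumed benign for this example: the VM's DNS
# resolver and Windows time sync. Everything else the sample touched is an IOC.
BENIGN = {("8.8.8.8", 53), ("time.windows.com", 123)}


def sfx_dropped_executables(processes):
    """Executables run out of a WinRAR self-extractor staging dir (Temp\\RarSFX<n>)."""
    pat = re.compile(r"\\Temp\\RarSFX\d+\\([^\\]+\.exe)$", re.IGNORECASE)
    return [m.group(1) for image, _ in processes if (m := pat.search(image))]


def werfault_crash_loop(processes, min_reports=3):
    """Map crashed PID -> number of WerFault reports; repeated reports for one PID
    mean the dropped payload keeps faulting (the report's 'Program crash' row)."""
    hits = Counter()
    for image, cmdline in processes:
        if image.lower().endswith("\\werfault.exe"):
            m = re.search(r"-p (\d+)", cmdline)
            if m:
                hits[int(m.group(1))] += 1
    return {pid: n for pid, n in hits.items() if n >= min_reports}


def uac_probe(registry_reads):
    """Non-Windows binaries reading EnableLUA are checking whether UAC will prompt."""
    return sorted({proc for value, proc in registry_reads
                   if value.upper().endswith("\\ENABLELUA")
                   and not proc.lower().startswith("c:\\windows\\")})


def network_iocs(network):
    """(host, port) pairs worth blocking, with resolver and NTP noise removed."""
    iocs = set()
    for _, dest, domain, _ in network:
        ip, port = dest.rsplit(":", 1)
        port = int(port)
        if (ip, port) in BENIGN or (domain, port) in BENIGN:
            continue
        iocs.add((domain, port))
    return iocs


def hunt_list(network, dropped, parent=PARENT):
    """Flat 'type,value' lines for a blocklist or SIEM lookup table."""
    lines = [f"sha256,{parent}"] + [f"sha256,{h}" for h in dropped.values()]
    lines += [f"host,{h}:{p}" for h, p in sorted(network_iocs(network))]
    return lines


def verdict(processes, registry_reads, network):
    """Collect the signals that together make this a stealer/downloader chain."""
    signals = []
    if dropped := sfx_dropped_executables(processes):
        signals.append("executes SFX-dropped EXE: " + ", ".join(dropped))
    if loops := werfault_crash_loop(processes):
        signals.append("crash loop in PID(s) " + ", ".join(f"{p} x{n}" for p, n in loops.items()))
    if probes := uac_probe(registry_reads):
        signals.append("EnableLUA queried by " + ", ".join(probes))
    if iocs := network_iocs(network):
        signals.append("C2/telemetry: " + ", ".join(f"{h}:{p}" for h, p in sorted(iocs)))
    return signals


if __name__ == "__main__":
    for s in verdict(PROCESSES, REGISTRY_READS, NETWORK):
        print("[!]", s)
    print("\n".join(hunt_list(NETWORK, DROPPED_SHA256)))
```

Run as-is it prints four signals and a six-line hunt list. Note that iplogger.org stays on the list even though it is a legitimate service: the report's "Legitimate hosting services abused for malware hosting/C2" row means the destination, not the service, is the indicator, so block or alert on the sample's use of it rather than on the domain's reputation alone.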