General

  • Target

    2992C4B00C678A438B0B935E09E0FD341A44C46FE0DD2.exe

  • Size

    4.4MB

  • Sample

    211226-xbrx2sacgq

  • MD5

    244f3fcae34a514dd3e78f3d4d72f92a

  • SHA1

    5ac41859cefd7ad0536b36c7e82f33e702514fe2

  • SHA256

    2992c4b00c678a438b0b935e09e0fd341a44c46fe0dd2f18621570f55133e4df

  • SHA512

    245ab74d77796452086c2874af05c7c1d51e7c552c47a655388575cb4add160b743082c4db84f35f2755b2caa78b9b4af2577f1785a4919308fefea20acdc53f

Malware Config

Extracted

Family

socelars

C2

http://www.iyiqian.com/

http://www.hbgents.top/

http://www.rsnzhy.com/

http://www.efxety.top/

Extracted

Family

smokeloader

Version

2020

C2

http://directorycart.com/upload/

http://tierzahnarzt.at/upload/

http://streetofcards.com/upload/

http://ycdfzd.com/upload/

http://successcoachceo.com/upload/

http://uhvu.cn/upload/

http://japanarticle.com/upload/

rc4.i32
rc4.i32

Targets

    • Target

      2992C4B00C678A438B0B935E09E0FD341A44C46FE0DD2.exe

    • Size

      4.4MB

    • MD5

      244f3fcae34a514dd3e78f3d4d72f92a

    • SHA1

      5ac41859cefd7ad0536b36c7e82f33e702514fe2

    • SHA256

      2992c4b00c678a438b0b935e09e0fd341a44c46fe0dd2f18621570f55133e4df

    • SHA512

      245ab74d77796452086c2874af05c7c1d51e7c552c47a655388575cb4add160b743082c4db84f35f2755b2caa78b9b4af2577f1785a4919308fefea20acdc53f

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Socelars

      Socelars is an infostealer targeting browser cookies and credit card credentials.

    • Socelars Payload

    • suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

    • suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin

    • ASPack v2.12-2.42

      Detects executables packed with ASPack v2.12-2.42

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Looks up geolocation information via web service

      Uses a legitimate geolocation service to find the infected system's geolocation info.

MITRE ATT&CK Enterprise v6

Tasks