General

  • Target

    7zSCD97F9B7.7z

  • Size

    5.9MB

  • Sample

    211231-w3ma7sffar

  • MD5

    67d4a8ca3787d8c5971f41705dbc7580

  • SHA1

    310f453626a240b6c374068a61b83337ea070a23

  • SHA256

    33bca0b7c35d92fe1dec4638d803349ca76a0f4b2a647efa49697edb77d2ae95

  • SHA512

    3712ebd6772d997c61d0450be8b9be5ab2b1b9cf5b234e4603e51f7b17223b0d110daeb46bf31004b205c54c0acfe96c56f5cd21830a97a27a1ae75508215382

Malware Config

Extracted

Family

socelars

C2

http://www.chosenncrowned.com/

Extracted

Family

smokeloader

Version

2020

C2

http://melchen-testet.at/upload/

http://zjymf.com/upload/

http://pbxbmu70275.cn/upload/

http://mnenenravitsya.ru/upload/

http://pitersprav.ru/upload/

rc4.i32

Targets

    • Target

      7zSCD97F9B7/16409730233472.exe

    • Size

      40B

    • MD5

      e8a679c378fb265bd3bc8c601240edac

    • SHA1

      6b114e5054f7a7127f820ce5652e32d4b576b0c5

    • SHA256

      f28881e775b7cbf7c354595d030d30ae56d7b868d09ba8c68b67df0aad491f0b

    • SHA512

      1cfe633dc25b4a227337f0ad34d052bc6e3fb4d3cbe5f5ec3164dfa05342095078770cc86c64f5d5816b3fa510e7f8525fd5ed62e84e450f68d636bc43ae91de

    Score
    1/10
    • Target

      7zSCD97F9B7/16409730238228.exe

    • Size

      40B

    • MD5

      0fe55c3bcc27655fc43f0a42fdc68cda

    • SHA1

      e3c7acd5e08a3577151ec30080abb0009680fe71

    • SHA256

      df90bdd412f26707ab8169ede1a787a2a46f82648308e1b9e6c25b05f3035e2e

    • SHA512

      9a12577557cdabacc4499410fa7629be5526efebe19295ee2aeed0700adb865b9ff9f663555ae48801ebcb7608f893e5b17fda809985e34d4940d158b22ab9e7

    Score
    1/10
    • Target

      7zSCD97F9B7/1640973023982.exe

    • Size

      40B

    • MD5

      aab990c9dfed46b40e1ebd459535e798

    • SHA1

      06aa7cf14236e5025d6dcf17e51e9e12862ed36b

    • SHA256

      076152aeb4ddc8ec4365d5dbc69e6aae5a72f885f13358412614e0244663fb33

    • SHA512

      a220891c1bccf10a93e9e756a22ec641bcdd58a48fd2b6a43b2230c23e59e35cdfcd716aad163b0b69180791ab376b57f09b214ec397623da741b11ee86b2353

    Score
    1/10
    • Target

      7zSCD97F9B7/61cf42cab6116_Fri1740da7b7c.exe

    • Size

      124KB

    • MD5

      b6f7de71dcc4573e5e5588d6876311fc

    • SHA1

      645b41e6ea119615db745dd8e776672a4ba59c57

    • SHA256

      73437218cd12895c7a59c0c03009417705ed231d323e3a1ad279750e46bcc8ad

    • SHA512

      ca297d40f0e2cc45d5737627a1aaeec61bf7c6f425acadb14e689b4392fcc4a17e74dc1514fb3bf8d9a6a91b5cea38801996a2a7ee2dee0c335bfb2f103c6d42

    Score
    10/10
    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • suricata: ET MALWARE ClipBanker Variant Activity (POST)

    • Loads dropped DLL

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    • Target

      7zSCD97F9B7/61cf42cc94cfd_Fri174cd2108.exe

    • Size

      1.7MB

    • MD5

      99918fe3d5011f5e084492e0d9701779

    • SHA1

      55f7a03c6380bb9f51793be0774681b473e07c9f

    • SHA256

      558a67043fbcd0bc37d34c99ff16f66b259b24b44811516ceff678964ec655c4

    • SHA512

      682f1c6c648319c974e608defa41b714d0e8c3670d3f5e669b7227aaf5400285f9f0c6c5c82c50518031d8a93a3cfd591031651068d5a458a6606f2bf51d3e12

    Score
    8/10
    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Target

      7zSCD97F9B7/61cf42cd9d3e3_Fri172b3fcd2f5c.exe

    • Size

      136KB

    • MD5

      14d0d4049bb131fb31dcb7b3736661e7

    • SHA1

      927d885f395bc5ae04e442b9a56a6bd3908d1447

    • SHA256

      427ddd764ac020fc8a5f4a164cc8e1e282e8f53fc5ad34256b2aeb7fe8d68ca5

    • SHA512

      bf0bf5337e2c2815f5f93f6006f2ac2742bb6d60324c7f3eedfbbe041c41ae9b2da1956417c467f668d71fc93c4835d4a81c961c04cbb286c887b99e82bb0994

    • Modifies Windows Defender Real-time Protection settings

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Target

      7zSCD97F9B7/61cf42cf81412_Fri1748d73b51.exe

    • Size

      1.4MB

    • MD5

      0a058a7671659d7864802f509fee9478

    • SHA1

      7eb76e6b0e58c2bfc685644b3bf93aafab3d1900

    • SHA256

      0fbfd4aeeda37b64b59ed22d85e7253352b3ae930726f073cbd36998f98c8a8e

    • SHA512

      31e59a18b2b75e72f8db422279f324a674d41ca554c46f683496196d5003856d59f74e5ceae0a667e7caf3b9875015264ee416b3ee51e16d4ddc8856f6c0aa88

    • Socelars

      Socelars is an infostealer targeting browser cookies and credit card credentials.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up geolocation information via web service

      Uses a legitimate geolocation service to find the infected system's geolocation info.

    • Target

      7zSCD97F9B7/61cf42d8cfbf4_Fri175590209.exe

    • Size

      178KB

    • MD5

      f8c7d533e566557eb19e6a89f910ab6b

    • SHA1

      a225ef1c22fcd29562bd5f8a2d0da3969a5393cb

    • SHA256

      697949b98fd6207152522f27bcfea3716c336a8cab81751738eda59fd6067dee

    • SHA512

      a450548c41c45955206459d58f712284b4589bad7a93d9a6c98c5cd0f1f48cb66ee56cc2568e5dfd1fd174fdc6fa4bd249f5b1c9521dc018ec5b90718d0c97b1

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Legitimate hosting services abused for malware hosting/C2

    • Target

      7zSCD97F9B7/61cf42d96bbd5_Fri1768e6cd.exe

    • Size

      8KB

    • MD5

      d7f55160e4884c2917c39d3ae7f618b3

    • SHA1

      b8b48396d98f492c98f8c5f9ca88ef32f9d47033

    • SHA256

      4b8d0340ceb7fe26b41c04c590bb68791865274132f73b0cd59265f3c63d96c8

    • SHA512

      af49101f633a964b54fa3e8baf2d97bc0cade00f5087dd51b1b281991f808a82359664b36e3450662ff3fbd5ee9dd6ccebde547d14f15ee09ffee909124544a6

    Score
    6/10
    • Legitimate hosting services abused for malware hosting/C2

    • Target

      7zSCD97F9B7/61cf42da3aadc_Fri1749497d9d.exe

    • Size

      1.1MB

    • MD5

      aa75aa3f07c593b1cd7441f7d8723e14

    • SHA1

      f8e9190ccb6b36474c63ed65a74629ad490f2620

    • SHA256

      af890b72e50681eee069a7024c0649ac99f60e781cb267d4849dae4b310d59c1

    • SHA512

      b1984c431939e92ea6918afbbc226691d1e46e48f11db906fec3b7e5c49075f33027a2c6a16ab4861c906faa6b50fddc44201922e44a0243f9883b701316ca2b

    Score
    7/10
    • Deletes itself

    • Suspicious use of SetThreadContext

    • Target

      7zSCD97F9B7/61cf42db8e020_Fri179863c92d69.exe

    • Size

      1.9MB

    • MD5

      1a834bf6d259babbfb8f84a40c30cee2

    • SHA1

      bac32a006f8451b5e5063e12dfc3a27c44dd79db

    • SHA256

      1604a4cccddecd3d488d6ede5f4040b3cb95e5d76385cb0be30cb7f8e1a380b5

    • SHA512

      9e4e5feafeaff5695486a226fe4b302a5b4ab484e4fb96de2bb2ffeebba8f65f782283994a6409a4d36005edbf810c94f6258c4118d7facda0273a85dc2afba1

    Score
    7/10
    • Loads dropped DLL

    • Target

      7zSCD97F9B7/61cf42dc105f3_Fri17e8bf67cf5c.exe

    • Size

      123KB

    • MD5

      550df332f73bf3d4477a7db99407bc25

    • SHA1

      b1d3d4b2119195163d9ca10dde2c86f16ad6a45a

    • SHA256

      cb17edd2f1497ec1f54b46d1aa36227b2d6b7a856f3e28771e3aee5e855485db

    • SHA512

      412456d898f92c540b8f243da445466f4874c4f502ee886209186171a7e6e7725e8bfaa2880d0698b783a76a8515b96c822d5333446ac5af2cd953e58e042b6e

    • suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

    • xmrig

      XMRig is a high performance, open source, cross platform CPU/GPU miner.

    • XMRig Miner Payload

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Deletes itself

    • Drops startup file

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses 2FA software files, possible credential harvesting

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of SetThreadContext

    • Target

      7zSCD97F9B7/61cf42ddca121_Fri1754a29da57.exe

    • Size

      339KB

    • MD5

      c6ba95e6a2570df9355492eedcba2692

    • SHA1

      cabb84ac43c787653803d539c4c11e98f0216977

    • SHA256

      d1ce9967a983bf8a13464a30145ea9acda0810f9fad52990e96e6d6fda6c3299

    • SHA512

      6c3874e0f033f00ce9e9451abc6909d88f4e629790a6dba325f4568e29b3d3e1c121c357367833503699f065d5d9d7e064853ef6f4bdde0ef8290979daf26f3f

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

    • Executes dropped EXE

    • Deletes itself

    • Target

      7zSCD97F9B7/61cf42de1af96_Fri179a299200.exe

    • Size

      133KB

    • MD5

      60d978d30d2cf2aa9746b234a60f0ae1

    • SHA1

      c7430d8368ee53f480da4e38d2ad4601ea1ef4fc

    • SHA256

      55bfb169b4c4848c7e080f9a73fd59410915acc5366e0f92f7c47a767a5a6a51

    • SHA512

      716f78e9c9a69a4500be51e7c5dc28cb88f08bfc6188c93df9710944a8991224e634cf038edc9dfa2125feb7e060c48b7f9adbd8225c03241c07a52ecb433e14

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of SetThreadContext

    • Target

      7zSCD97F9B7/61cf42df34a5e_Fri1721957b061.exe

    • Size

      2.0MB

    • MD5

      29fa0d00300d275c04b2d0cc3b969c57

    • SHA1

      329b7fbe6ba9ceca9507af8adec6771799c2e841

    • SHA256

      28314e224dcbae977cbf7dec0cda849e4a56cec90b3568a29b6bbd9234b895aa

    • SHA512

      4925a7e5d831ebc1da9a6f7e77f5022e83f7f01032d102a41dd9e33a4df546202b3b27effb912aa46e5b007bda11238e1fc67f8c74ddac4993a6ee108a6cd411

    Score
    9/10
    • NirSoft WebBrowserPassView

      Password recovery tool for various web browsers

    • Nirsoft

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v6

Tasks

static1

aspackv2, socelars
Score
10/10

behavioral1

Score
1/10

behavioral2

Score
1/10

behavioral3

Score
1/10

behavioral4

Score
1/10

behavioral5

Score
1/10

behavioral6

Score
1/10

behavioral7

suricata
Score
10/10

behavioral8

suricata
Score
10/10

behavioral9

discovery
Score
8/10

behavioral10

discovery
Score
8/10

behavioral11

evasion, spyware, stealer, trojan
Score
10/10

behavioral12

Score
1/10

behavioral13

socelars, discovery, spyware, stealer
Score
10/10

behavioral14

socelars, spyware, stealer
Score
10/10

behavioral15

discovery, persistence, spyware, stealer
Score
8/10

behavioral16

discovery, persistence, spyware, stealer
Score
8/10

behavioral17

Score
6/10

behavioral18

Score
6/10

behavioral19

Score
7/10

behavioral20

Score
5/10

behavioral21

Score
7/10

behavioral22

Score
7/10

behavioral23

xmrig, discovery, miner, persistence, spyware, stealer, suricata
Score
10/10

behavioral24

xmrig, discovery, miner, persistence, spyware, stealer, suricata
Score
10/10

behavioral25

smokeloader, backdoor, trojan
Score
10/10

behavioral26

smokeloader, backdoor, suricata, trojan
Score
10/10

behavioral27

discovery, spyware, stealer
Score
8/10

behavioral28

discovery, spyware, stealer
Score
8/10

behavioral29

spyware, stealer
Score
9/10

behavioral30

spyware, stealer
Score
9/10