General

  • Target

    45768b491c097e5ca2f78860e8284de9d4347cbedb39b63b1d7cac4945c6004c

  • Size

    5.7MB

  • Sample

    220206-qfqr8aadf7

  • MD5

    5d9500398ebb9e211512cac02183eadb

  • SHA1

    6d249f3a6480f359d8a203594f1f199d87dd8b37

  • SHA256

    45768b491c097e5ca2f78860e8284de9d4347cbedb39b63b1d7cac4945c6004c

  • SHA512

    5f3274446838b01f341f811f4abbf7219bd3b7c136fadbb0ccde3e94e4908ca0bb366db3163a8109869002b6a462cbcb27f1df14e3db8460c34d4414429e64b3

Malware Config

Extracted

  • Family

    socelars

  • C2

    http://www.nicekkk.pw/

    http://www.nextinfo.pw/

    http://www.allinfo.pw/

Targets

    • Target

      45768b491c097e5ca2f78860e8284de9d4347cbedb39b63b1d7cac4945c6004c

    • Size

      5.7MB

    • MD5

      5d9500398ebb9e211512cac02183eadb

    • SHA1

      6d249f3a6480f359d8a203594f1f199d87dd8b37

    • SHA256

      45768b491c097e5ca2f78860e8284de9d4347cbedb39b63b1d7cac4945c6004c

    • SHA512

      5f3274446838b01f341f811f4abbf7219bd3b7c136fadbb0ccde3e94e4908ca0bb366db3163a8109869002b6a462cbcb27f1df14e3db8460c34d4414429e64b3

    • Socelars

      Socelars is an infostealer targeting browser cookies and credit card credentials.

    • Socelars Payload

    • Taurus Stealer

      Taurus is an infostealer first seen in June 2020.

    • Taurus Stealer Payload

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with the UPX open-source packer or a modified variant of it.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar sensitive information.

    • Accesses 2FA software files, possible credential harvesting

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup web service to determine the infected system's external IP address.

MITRE ATT&CK Enterprise v6

Tasks