General

  • Target

    011f2b76b3dcb347377f73b2c94b80ab.exe

  • Size

    9.5MB

  • Sample

    220401-gnk29sfah8

  • MD5

    011f2b76b3dcb347377f73b2c94b80ab

  • SHA1

    7fdb58e73995bc7852fd34ee2c56933c090282f5

  • SHA256

    a5072c297cd80acffd9da5124dd8ff867da5abd6effc2dabea853fd93a8cccdc

  • SHA512

    d3904e0b8cc51d1e3c1bee71ef9032a54bb53ffaa9235957e91979c6ad009051f88a0ca3e3f1132bbc25ae17c08a60c6e190872da2563556fcec1c6be8f46e74

Malware Config

Extracted

Family

socelars

C2

https://sa-us-bucket.s3.us-east-2.amazonaws.com/jhvre24/

Extracted

Family

smokeloader

Version

2020

C2


rc4.i32

Targets

    • OnlyLogger

      A tiny loader that uses IPLogger to get its payload.

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Socelars

      Socelars is an infostealer targeting browser cookies and credit card credentials.

    • Socelars Payload

    • OnlyLogger Payload

    • ASPack v2.12-2.42

      Detects executables packed with ASPack v2.12-2.42

    • Downloads MZ/PE file

    • Executes dropped EXE

    • VMProtect packed file

      Detects executables packed with VMProtect commercial packer.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks