General

  • Target

    aa2c0a9e34f9fa4cbf1780d757cc84f32a8bd005142012e91a6888167f80f4d5.exe

  • Size

    160KB

  • Sample

    220430-z8fbmaagb9

  • MD5

    8f70a0f45532261cb4df2800b141551d

  • SHA1

    521bbc045dfb7bf9fca55058ed2fc03d86cf8d00

  • SHA256

    aa2c0a9e34f9fa4cbf1780d757cc84f32a8bd005142012e91a6888167f80f4d5

  • SHA512

    3ea19ee472f3c7f9b7452fb4769fc3cc7591acff0f155889d08dadbd1f6ae289eaa310e220279318ac1536f99ea88e43ff75836aee47f3b4fbe8aa477cb9d099

Malware Config

Targets

    • Target

      aa2c0a9e34f9fa4cbf1780d757cc84f32a8bd005142012e91a6888167f80f4d5.exe

    • Size

      160KB

    • MD5

      8f70a0f45532261cb4df2800b141551d

    • SHA1

      521bbc045dfb7bf9fca55058ed2fc03d86cf8d00

    • SHA256

      aa2c0a9e34f9fa4cbf1780d757cc84f32a8bd005142012e91a6888167f80f4d5

    • SHA512

      3ea19ee472f3c7f9b7452fb4769fc3cc7591acff0f155889d08dadbd1f6ae289eaa310e220279318ac1536f99ea88e43ff75836aee47f3b4fbe8aa477cb9d099

    • Modifies Windows Defender Real-time Protection settings

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • suricata: ET MALWARE Win32/Spy.Socelars.S CnC Activity M3

      suricata: ET MALWARE Win32/Spy.Socelars.S CnC Activity M3

    • Downloads MZ/PE file

    • Executes dropped EXE

    • VMProtect packed file

      Detects executables packed with VMProtect commercial packer.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Matrix

Command and Control

    Credential Access

    Execution

      Exfiltration

        Impact

          Initial Access

            Lateral Movement

              Privilege Escalation