Overview

overview

10

Static

static

10

7zS8A52FD1...f3.exe

windows7_x64

8

7zS8A52FD1...f3.exe

windows10-2004_x64

8

7zS8A52FD1...62.exe

windows7_x64

7

7zS8A52FD1...62.exe

windows10-2004_x64

7

7zS8A52FD1...9a.exe

windows7_x64

10

7zS8A52FD1...9a.exe

windows10-2004_x64

10

7zS8A52FD1...8a.exe

windows7_x64

10

7zS8A52FD1...8a.exe

windows10-2004_x64

10

7zS8A52FD1...f5.exe

windows7_x64

1

7zS8A52FD1...f5.exe

windows10-2004_x64

1

7zS8A52FD1...68.exe

windows7_x64

7

7zS8A52FD1...68.exe

windows10-2004_x64

7

7zS8A52FD1...41.exe

windows7_x64

7

7zS8A52FD1...41.exe

windows10-2004_x64

7

7zS8A52FD1...cd.exe

windows7_x64

8

7zS8A52FD1...cd.exe

windows10-2004_x64

8

7zS8A52FD1...71.exe

windows7_x64

5

7zS8A52FD1...71.exe

windows10-2004_x64

5

7zS8A52FD1...9c.exe

windows7_x64

10

7zS8A52FD1...9c.exe

windows10-2004_x64

10

7zS8A52FD1...0d.exe

windows7_x64

1

7zS8A52FD1...0d.exe

windows10-2004_x64

1

7zS8A52FD1...ff.exe

windows7_x64

10

7zS8A52FD1...ff.exe

windows10-2004_x64

10

7zS8A52FD1...68.exe

windows7_x64

10

7zS8A52FD1...68.exe

windows10-2004_x64

10

7zS8A52FD1...-1.dll

windows7_x64

3

7zS8A52FD1...-1.dll

windows10-2004_x64

3

7zS8A52FD1...-6.dll

windows7_x64

3

7zS8A52FD1...-6.dll

windows10-2004_x64

3

7zS8A52FD1...-1.dll

windows7_x64

1

7zS8A52FD1...-1.dll

windows10-2004_x64

1

Sharing

Copy URL
Twitter E-mail

General

  • Target

    7zS8A52FD1B.zip

  • Size

    8.7MB

  • Sample

    220609-rh7desghar

  • MD5

    5eb1036bb35ae755376ba3d22001e238

  • SHA1

    d72bdb22a8d47fa3d50a25ff9704feaf1393a8cc

  • SHA256

    4bb31847846180bf78033b5eb7761b874b114f6dd086862472915be761fc042a

  • SHA512

    9215f3fcf99d9f2ee43ef6e552123128520e2601bd17f664385bb01f050b4ad8fec7ad9316967a359ec79c404cc911a5d3861634310e116d55930e5aa97baecd

Score
10/10
socelarsagilenetaspackv2discoveryevasionpersistencespywarestealersuricatavmprotect

Malware Config

Extracted

Family

socelars

C2

https://sa-us-bucket.s3.us-east-2.amazonaws.com/ujfreids61/

Targets

    • Target

      7zS8A52FD1B/62a1ea227dc1c_17ee33ef3.exe

    • Size

      157KB

    • MD5

      13fd49b3e1c7abe59a321d34a983fa1d

    • SHA1

      d68d156faa3dd348d89064c1b5026990b25d9c73

    • SHA256

      9542ce09286e69fe0a1270f0b017639139ece09287496dfe07b7c44ad897c476

    • SHA512

      ddd506fda604e68063268d644963650bc3e0fe987f59c52a08ed2c82ae5dedce1789a378645e8f7f851c74f75b8ee8ed80efb2c0c00ebdb6bfa5933d8ad0f4b6

    Score
    8/10
    discoveryspywarestealer

    • Executes dropped EXE

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Legitimate hosting services abused for malware hosting/C2

    behavioral1behavioral2

    • Target

      7zS8A52FD1B/62a1ea23342ae_c77562.exe

    • Size

      242KB

    • MD5

      2db62b3e5088b61ead161e0482b2f6f2

    • SHA1

      a13b707e24ae6269631ce1099263cbc793f4b2a1

    • SHA256

      c277eac5a2f147b839219c2327a2d7e6c85be9dabe91c8a92b553e2cadc9e3c3

    • SHA512

      9c287e38c61c28ee0fce45b8734a979d6c74dbdd8648327ac7f7d24e9a2c07736eff70f2f8ca33ddd6196d4b629865ae35abd0de8e784e989179618aa1d72774

    Score
    7/10
    agilenetdiscoveryspywarestealer

    • Obfuscated with Agile.Net obfuscator

      Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

      agilenet

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery
    behavioral3behavioral4

    • Target

      7zS8A52FD1B/62a1ea23da745_6e68c9a.exe

    • Size

      312KB

    • MD5

      0cad21764fe956f3028096ff3ff37549

    • SHA1

      09ceb67ca8d995e8811e6f0d13f7b01377f7f8c5

    • SHA256

      f65a68dcc63bd141e3a6619ed81b9c0ff3a5492ebd73034f8c794681f1875e3e

    • SHA512

      4733ea55c8aa918cd7dc35bfb97f5b9f59653244bae98caa3b9d4c7c60f8d7d249e8c20b191345923aa0db60137a0a04b8b20f589bef164076e2f8ec89529542

    Score
    10/10
    suricata

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • suricata: ET MALWARE ClipBanker Variant Activity (POST)

      suricata: ET MALWARE ClipBanker Variant Activity (POST)

      suricata

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Unexpected DNS network traffic destination

      Network traffic to other servers than the configured DNS servers was detected on the DNS port.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    behavioral5behavioral6

    • Target

      7zS8A52FD1B/62a1ea243386e_a4f8a5d8a.exe

    • Size

      1.6MB

    • MD5

      cc75df8a243cb6e1da5fadcd7c4a8c22

    • SHA1

      ca94e6e283dadf7833e780cf8924a30012ed1b08

    • SHA256

      c3e36a105ba6e93adadc98a053af88c78cdfe5c2936ced3766c4cfcdabb6d91f

    • SHA512

      a801f713ed7ad4ffc7daa878585ea2992563407ce19f3e23b2a8c32a1f488e7848eb86c022d6bda0c7e02fdbf8b4c9f88c53aae5626fddd29a63e16d72ae63f8

    Score
    10/10
    spywaresuricata

    • suricata: ET MALWARE Generic Stealer Config Download Request

      suricata: ET MALWARE Generic Stealer Config Download Request

      suricata

    • suricata: ET MALWARE Generic Stealer Sending System Information M1

      suricata: ET MALWARE Generic Stealer Sending System Information M1

      suricata

    • suricata: ET MALWARE Recordbreaker Stealer CnC Checkin

      suricata: ET MALWARE Recordbreaker Stealer CnC Checkin

      suricata

    • Downloads MZ/PE file

    • Loads dropped DLL

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of SetThreadContext

    behavioral7behavioral8

    • Target

      7zS8A52FD1B/62a1ea2501f48_0371f5.exe

    • Size

      173KB

    • MD5

      72968341a0de08313bc9ab626d212f91

    • SHA1

      f893e4510e600ff3b6d33cea85571fa26c270606

    • SHA256

      ef9863d5358896238ef682130b38511033fd9f14354263326dd000b39358c4b4

    • SHA512

      1fe2a7a5fc1e32d4a581efd8148b66525adf3249c02fe3811b24f620c1e3c8af926cabca5ad07d59740e6480a0cb3833db87cc2354ac22cbade57924eaff6346

    Score
    1/10
    behavioral9behavioral10

    • Target

      7zS8A52FD1B/62a1ea2a20759_b7a66dc968.exe

    • Size

      1.6MB

    • MD5

      c4bc22a23300c3e7db1fae03e00610a5

    • SHA1

      0f8d2471d510434d0338fa204c7863a5a6e17190

    • SHA256

      d866f133333b259ea1aaaa838bd6f26a28798d440ce4531cd90b0497ea92d869

    • SHA512

      fa629c9f18ff2cfd07c4da7065a544d84b4dc823c8b542863525eafcf9ad62a74f5f1fdbd6e1f0609135f258b0ffe01b136b614e8bd0d669d0a5ea4052bd3fc6

    Score
    7/10

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    behavioral11behavioral12

    • Target

      7zS8A52FD1B/62a1ea2b65292_c4804f5141.exe

    • Size

      288KB

    • MD5

      f902561ae91aad8b234cddf38401cad1

    • SHA1

      cc3e9aadce50c820f147b194ba558b2abf25c16b

    • SHA256

      6bdf30e72d6f74a83a5ce0a84202aab030db0ffd61850fe9154eceaabc282e65

    • SHA512

      c9170b3f855f2721c3f713776b65da69ac51ddf9109fa4a2bef18174ed96cbbb7c9faab5e57f44347a85d8a6b7d8e5958a23f4e19db5209fda4ea4860f5abd30

    Score
    7/10

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    behavioral13behavioral14

    • Target

      7zS8A52FD1B/62a1ea2d09364_3056ccd.exe

    • Size

      3.7MB

    • MD5

      e77f09a338e643ee05ad09e367eedf73

    • SHA1

      6777cd291ece93e16aa95c3e60b63d46b1b142bd

    • SHA256

      f32c3414f14e0b4c08183af08702736a2ed18c99101d5ee1bc5bc5e8ee3c8982

    • SHA512

      53f59267e4bfe862e51edb0fd7d356485a7349e7ccd6439c6c88bda921a67909a36efd1690d06fe3c30c8a4433d5c4c1a34c30b928cb29ec45b08045ef4f5747

    Score
    8/10
    vmprotect

    • VMProtect packed file

      Detects executables packed with VMProtect commercial packer.

      vmprotect

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    behavioral15behavioral16

    • Target

      7zS8A52FD1B/62a1ea2df066e_add786971.exe

    • Size

      172KB

    • MD5

      fa026e2025aee68f7a28808eba6f09af

    • SHA1

      28033d304e34b1989d6e6214f962b937f7359856

    • SHA256

      06760e7403eeb738fc2cd8c2c9d1597ce9628294332aa66d85f6630659a2486c

    • SHA512

      8b206e0ee721a74dbd5f6da921f3e7ed176c048e4814768b5c620c5e90581e7d0279d2603033f5cc98917ad537a87ec459a39f057c8e2beb8d7204e282c2f038

    Score
    5/10

    • Suspicious use of SetThreadContext

    behavioral17behavioral18

    • Target

      7zS8A52FD1B/62a1ea2f0beee_36a9ec29c.exe

    • Size

      752KB

    • MD5

      900f331bf9be262f435df1bb572ee038

    • SHA1

      637b3346cb8fd3f415de6b2b14b0dddb3f89df95

    • SHA256

      b1ac45bc5a2dbd25ad6ccf46f8162ee261796616169d9878924b36ae0c6313f2

    • SHA512

      f466cb8bee9911d36261fa230114b0edfb00c70cd256e4662781eaf5b6756062126afd81edf3618804e01c8ba8ff2fc3de6acde83c9528382248513d006ccdc5

    Score
    10/10
    evasionpersistencesuricatavmprotectsocelarsdiscoveryspywarestealer

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Socelars

      Socelars is an infostealer targeting browser cookies and credit card credentials.

      stealersocelars

    • Socelars Payload

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • suricata: ET MALWARE ClipBanker Variant Activity (POST)

      suricata: ET MALWARE ClipBanker Variant Activity (POST)

      suricata

    • suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

      suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

      suricata

    • Checks for common network interception software

      Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.

      evasion

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Drops file in Drivers directory

    • Executes dropped EXE

    • VMProtect packed file

      Detects executables packed with VMProtect commercial packer.

      vmprotect

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Unexpected DNS network traffic destination

      Network traffic to other servers than the configured DNS servers was detected on the DNS port.

    • Accesses 2FA software files, possible credential harvesting

      spywarestealer

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Adds Run key to start application

      persistence

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Program crash

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    behavioral19behavioral20

    • Target

      7zS8A52FD1B/62a1ea2fb0309_1d35870d.exe

    • Size

      212KB

    • MD5

      8595eb1a87c49b9b940b46524e1fdf87

    • SHA1

      59622f56b46c724876fce597df797512b6b3d12d

    • SHA256

      77596040b690af4836406a17c20a69cd5093fd0c470b89df209a26694141bd4c

    • SHA512

      cd6a7e25982bdf24ebc34c15b1465dfd8ed7be51f6a8d529309f5aabc811e6a6dd7914c4d6353add01daef8c1f4aaee1002c3f39937998df21d3abadb50535d4

    Score
    1/10
    behavioral21behavioral22

    • Target

      7zS8A52FD1B/62a1ea319013f_e64e1ff.exe

    • Size

      1.4MB

    • MD5

      72610bbb73a1f4d4e79ad7476a493ef8

    • SHA1

      d63fa30ab6d612da64da1ceb3557ec7d4270100a

    • SHA256

      fe3b8aa7ce7730aecb8f8477324fec6b024408fb335e3ce29ad9ec3b7f22bcaa

    • SHA512

      9ee12fb68a582f2d520840c06c454ebaefe24f5b02601f9438b093573e420864b2612139037d9c60f159ecc598b1558f8473d40b4ca9cbe5130145fcbed3b680

    Score
    10/10
    socelarsspywarestealer

    • Socelars

      Socelars is an infostealer targeting browser cookies and credit card credentials.

      stealersocelars

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Legitimate hosting services abused for malware hosting/C2

    behavioral23behavioral24

    • Target

      7zS8A52FD1B/62a1ea3215fd5_67a668.exe

    • Size

      78KB

    • MD5

      923ba5913c151121517c52f609242616

    • SHA1

      7976305e7afb69e70cca1b29b3e9436b2cd08e25

    • SHA256

      5d4b830ec56d8bbfdb305e904e6c0f00fc1744a1c7c15e8c71265d08c3aa35e0

    • SHA512

      7e03947d789f40aacd131287d445d0e3dbe95e9ff1e6ceea211009c3424ae55884365119aa46e1bef4cc0adba108a036d9c3330ef6f3acf2f97e0f83f7a0a202

    Score
    10/10
    suricatadiscoveryspywarestealer

    • suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

      suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

      suricata

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses 2FA software files, possible credential harvesting

      spywarestealer

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Legitimate hosting services abused for malware hosting/C2

    behavioral25behavioral26

    • Target

      7zS8A52FD1B/libgcc_s_dw2-1.dll

    • Size

      113KB

    • MD5

      9aec524b616618b0d3d00b27b6f51da1

    • SHA1

      64264300801a353db324d11738ffed876550e1d3

    • SHA256

      59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e

    • SHA512

      0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

    Score
    3/10
    behavioral27behavioral28

    • Target

      7zS8A52FD1B/libstdc++-6.dll

    • Size

      647KB

    • MD5

      5e279950775baae5fea04d2cc4526bcc

    • SHA1

      8aef1e10031c3629512c43dd8b0b5d9060878453

    • SHA256

      97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87

    • SHA512

      666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02

    Score
    3/10
    behavioral29behavioral30

    • Target

      7zS8A52FD1B/libwinpthread-1.dll

    • Size

      69KB

    • MD5

      1e0d62c34ff2e649ebc5c372065732ee

    • SHA1

      fcfaa36ba456159b26140a43e80fbd7e9d9af2de

    • SHA256

      509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723

    • SHA512

      3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

    Score
    1/10
    behavioral31behavioral32

MITRE ATT&CK Enterprise v6

Tasks

static1

agilenetvmprotectaspackv2socelars
Score
10/10

behavioral1

discoveryspywarestealer
Score
8/10

behavioral2

discoveryspywarestealer
Score
8/10

behavioral3

agilenetdiscoveryspywarestealer
Score
7/10

behavioral4

agilenetdiscoveryspywarestealer
Score
7/10

behavioral5

suricata
Score
10/10

behavioral6

Score
10/10

behavioral7

spywaresuricata
Score
10/10

behavioral8

spywaresuricata
Score
10/10

behavioral9

Score
1/10

behavioral10

Score
1/10

behavioral11

Score
7/10

behavioral12

Score
7/10

behavioral13

Score
7/10

behavioral14

Score
7/10

behavioral15

vmprotect
Score
8/10

behavioral16

vmprotect
Score
8/10

behavioral17

Score
5/10

behavioral18

Score
5/10

behavioral19

evasionpersistencesuricatavmprotect
Score
10/10

behavioral20

socelarsdiscoveryevasionpersistencespywarestealersuricatavmprotect
Score
10/10

behavioral21

Score
1/10

behavioral22

Score
1/10

behavioral23

socelarsspywarestealer
Score
10/10

behavioral24

socelarsspywarestealer
Score
10/10

behavioral25

suricata
Score
10/10

behavioral26

discoveryspywarestealersuricata
Score
10/10

behavioral27

Score
3/10

behavioral28

Score
3/10

behavioral29

Score
3/10

behavioral30

Score
3/10

behavioral31

Score
1/10

behavioral32

Score
1/10