socelars

Sharing

Copy URL

Twitter E-mail

General

Target

7zS8A52FD1B.zip
Size

8.7MB
Sample

220609-rh7desghar
MD5

5eb1036bb35ae755376ba3d22001e238
SHA1

d72bdb22a8d47fa3d50a25ff9704feaf1393a8cc
SHA256

4bb31847846180bf78033b5eb7761b874b114f6dd086862472915be761fc042a
SHA512

9215f3fcf99d9f2ee43ef6e552123128520e2601bd17f664385bb01f050b4ad8fec7ad9316967a359ec79c404cc911a5d3861634310e116d55930e5aa97baecd

Score

10^/10

Malware Config

Extracted

Family

socelars

https://sa-us-bucket.s3.us-east-2.amazonaws.com/ujfreids61/

Targets

- Target
  
  7zS8A52FD1B/62a1ea227dc1c_17ee33ef3.exe
- Size
  
  157KB
- MD5
  
  13fd49b3e1c7abe59a321d34a983fa1d
- SHA1
  
  d68d156faa3dd348d89064c1b5026990b25d9c73
- SHA256
  
  9542ce09286e69fe0a1270f0b017639139ece09287496dfe07b7c44ad897c476
- SHA512
  
  ddd506fda604e68063268d644963650bc3e0fe987f59c52a08ed2c82ae5dedce1789a378645e8f7f851c74f75b8ee8ed80efb2c0c00ebdb6bfa5933d8ad0f4b6
Score

8^/10

discovery spyware stealer
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Legitimate hosting services abused for malware hosting/C2
behavioral1 behavioral2
- Target
  
  7zS8A52FD1B/62a1ea23342ae_c77562.exe
- Size
  
  242KB
- MD5
  
  2db62b3e5088b61ead161e0482b2f6f2
- SHA1
  
  a13b707e24ae6269631ce1099263cbc793f4b2a1
- SHA256
  
  c277eac5a2f147b839219c2327a2d7e6c85be9dabe91c8a92b553e2cadc9e3c3
- SHA512
  
  9c287e38c61c28ee0fce45b8734a979d6c74dbdd8648327ac7f7d24e9a2c07736eff70f2f8ca33ddd6196d4b629865ae35abd0de8e784e989179618aa1d72774
Score

7^/10

agilenet discovery spyware stealer
- Obfuscated with Agile.Net obfuscator
  Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
  agilenet
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
behavioral3 behavioral4
- Target
  
  7zS8A52FD1B/62a1ea23da745_6e68c9a.exe
- Size
  
  312KB
- MD5
  
  0cad21764fe956f3028096ff3ff37549
- SHA1
  
  09ceb67ca8d995e8811e6f0d13f7b01377f7f8c5
- SHA256
  
  f65a68dcc63bd141e3a6619ed81b9c0ff3a5492ebd73034f8c794681f1875e3e
- SHA512
  
  4733ea55c8aa918cd7dc35bfb97f5b9f59653244bae98caa3b9d4c7c60f8d7d249e8c20b191345923aa0db60137a0a04b8b20f589bef164076e2f8ec89529542
Score

10^/10

suricata
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Suspicious use of NtCreateUserProcessOtherParentProcess
- suricata: ET MALWARE ClipBanker Variant Activity (POST)
  suricata: ET MALWARE ClipBanker Variant Activity (POST)
  suricata
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Unexpected DNS network traffic destination
  Network traffic to other servers than the configured DNS servers was detected on the DNS port.
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral5 behavioral6
- Target
  
  7zS8A52FD1B/62a1ea243386e_a4f8a5d8a.exe
- Size
  
  1.6MB
- MD5
  
  cc75df8a243cb6e1da5fadcd7c4a8c22
- SHA1
  
  ca94e6e283dadf7833e780cf8924a30012ed1b08
- SHA256
  
  c3e36a105ba6e93adadc98a053af88c78cdfe5c2936ced3766c4cfcdabb6d91f
- SHA512
  
  a801f713ed7ad4ffc7daa878585ea2992563407ce19f3e23b2a8c32a1f488e7848eb86c022d6bda0c7e02fdbf8b4c9f88c53aae5626fddd29a63e16d72ae63f8
Score

10^/10

spyware suricata
- suricata: ET MALWARE Generic Stealer Config Download Request
  suricata: ET MALWARE Generic Stealer Config Download Request
  suricata
- suricata: ET MALWARE Generic Stealer Sending System Information M1
  suricata: ET MALWARE Generic Stealer Sending System Information M1
  suricata
- suricata: ET MALWARE Recordbreaker Stealer CnC Checkin
  suricata: ET MALWARE Recordbreaker Stealer CnC Checkin
  suricata
- Downloads MZ/PE file
- Loads dropped DLL
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of SetThreadContext
behavioral7 behavioral8
- Target
  
  7zS8A52FD1B/62a1ea2501f48_0371f5.exe
- Size
  
  173KB
- MD5
  
  72968341a0de08313bc9ab626d212f91
- SHA1
  
  f893e4510e600ff3b6d33cea85571fa26c270606
- SHA256
  
  ef9863d5358896238ef682130b38511033fd9f14354263326dd000b39358c4b4
- SHA512
  
  1fe2a7a5fc1e32d4a581efd8148b66525adf3249c02fe3811b24f620c1e3c8af926cabca5ad07d59740e6480a0cb3833db87cc2354ac22cbade57924eaff6346
Score

1^/10
behavioral9 behavioral10
- Target
  
  7zS8A52FD1B/62a1ea2a20759_b7a66dc968.exe
- Size
  
  1.6MB
- MD5
  
  c4bc22a23300c3e7db1fae03e00610a5
- SHA1
  
  0f8d2471d510434d0338fa204c7863a5a6e17190
- SHA256
  
  d866f133333b259ea1aaaa838bd6f26a28798d440ce4531cd90b0497ea92d869
- SHA512
  
  fa629c9f18ff2cfd07c4da7065a544d84b4dc823c8b542863525eafcf9ad62a74f5f1fdbd6e1f0609135f258b0ffe01b136b614e8bd0d669d0a5ea4052bd3fc6
Score

7^/10
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
behavioral11 behavioral12
- Target
  
  7zS8A52FD1B/62a1ea2b65292_c4804f5141.exe
- Size
  
  288KB
- MD5
  
  f902561ae91aad8b234cddf38401cad1
- SHA1
  
  cc3e9aadce50c820f147b194ba558b2abf25c16b
- SHA256
  
  6bdf30e72d6f74a83a5ce0a84202aab030db0ffd61850fe9154eceaabc282e65
- SHA512
  
  c9170b3f855f2721c3f713776b65da69ac51ddf9109fa4a2bef18174ed96cbbb7c9faab5e57f44347a85d8a6b7d8e5958a23f4e19db5209fda4ea4860f5abd30
Score

7^/10
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
behavioral13 behavioral14
- Target
  
  7zS8A52FD1B/62a1ea2d09364_3056ccd.exe
- Size
  
  3.7MB
- MD5
  
  e77f09a338e643ee05ad09e367eedf73
- SHA1
  
  6777cd291ece93e16aa95c3e60b63d46b1b142bd
- SHA256
  
  f32c3414f14e0b4c08183af08702736a2ed18c99101d5ee1bc5bc5e8ee3c8982
- SHA512
  
  53f59267e4bfe862e51edb0fd7d356485a7349e7ccd6439c6c88bda921a67909a36efd1690d06fe3c30c8a4433d5c4c1a34c30b928cb29ec45b08045ef4f5747
Score

8^/10

vmprotect
- VMProtect packed file
  Detects executables packed with VMProtect commercial packer.
  vmprotect
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral15 behavioral16
- Target
  
  7zS8A52FD1B/62a1ea2df066e_add786971.exe
- Size
  
  172KB
- MD5
  
  fa026e2025aee68f7a28808eba6f09af
- SHA1
  
  28033d304e34b1989d6e6214f962b937f7359856
- SHA256
  
  06760e7403eeb738fc2cd8c2c9d1597ce9628294332aa66d85f6630659a2486c
- SHA512
  
  8b206e0ee721a74dbd5f6da921f3e7ed176c048e4814768b5c620c5e90581e7d0279d2603033f5cc98917ad537a87ec459a39f057c8e2beb8d7204e282c2f038
Score

5^/10
- Suspicious use of SetThreadContext
behavioral17 behavioral18
- Target
  
  7zS8A52FD1B/62a1ea2f0beee_36a9ec29c.exe
- Size
  
  752KB
- MD5
  
  900f331bf9be262f435df1bb572ee038
- SHA1
  
  637b3346cb8fd3f415de6b2b14b0dddb3f89df95
- SHA256
  
  b1ac45bc5a2dbd25ad6ccf46f8162ee261796616169d9878924b36ae0c6313f2
- SHA512
  
  f466cb8bee9911d36261fa230114b0edfb00c70cd256e4662781eaf5b6756062126afd81edf3618804e01c8ba8ff2fc3de6acde83c9528382248513d006ccdc5
Score

10^/10

evasion persistence suricata vmprotect socelars discovery spyware stealer
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Socelars
  Socelars is an infostealer targeting browser cookies and credit card credentials.
  stealer socelars
- Socelars Payload
- Suspicious use of NtCreateUserProcessOtherParentProcess
- suricata: ET MALWARE ClipBanker Variant Activity (POST)
  suricata: ET MALWARE ClipBanker Variant Activity (POST)
  suricata
- suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
  suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
  suricata
- Checks for common network interception software
  Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
  evasion
- Blocklisted process makes network request
- Downloads MZ/PE file
- Drops file in Drivers directory
- Executes dropped EXE
- VMProtect packed file
  Detects executables packed with VMProtect commercial packer.
  vmprotect
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Unexpected DNS network traffic destination
  Network traffic to other servers than the configured DNS servers was detected on the DNS port.
- Accesses 2FA software files, possible credential harvesting
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Program crash
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral19 behavioral20
- Target
  
  7zS8A52FD1B/62a1ea2fb0309_1d35870d.exe
- Size
  
  212KB
- MD5
  
  8595eb1a87c49b9b940b46524e1fdf87
- SHA1
  
  59622f56b46c724876fce597df797512b6b3d12d
- SHA256
  
  77596040b690af4836406a17c20a69cd5093fd0c470b89df209a26694141bd4c
- SHA512
  
  cd6a7e25982bdf24ebc34c15b1465dfd8ed7be51f6a8d529309f5aabc811e6a6dd7914c4d6353add01daef8c1f4aaee1002c3f39937998df21d3abadb50535d4
Score

1^/10
behavioral21 behavioral22
- Target
  
  7zS8A52FD1B/62a1ea319013f_e64e1ff.exe
- Size
  
  1.4MB
- MD5
  
  72610bbb73a1f4d4e79ad7476a493ef8
- SHA1
  
  d63fa30ab6d612da64da1ceb3557ec7d4270100a
- SHA256
  
  fe3b8aa7ce7730aecb8f8477324fec6b024408fb335e3ce29ad9ec3b7f22bcaa
- SHA512
  
  9ee12fb68a582f2d520840c06c454ebaefe24f5b02601f9438b093573e420864b2612139037d9c60f159ecc598b1558f8473d40b4ca9cbe5130145fcbed3b680
Score

10^/10

socelars spyware stealer
- Socelars
  Socelars is an infostealer targeting browser cookies and credit card credentials.
  stealer socelars
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Legitimate hosting services abused for malware hosting/C2
behavioral23 behavioral24
- Target
  
  7zS8A52FD1B/62a1ea3215fd5_67a668.exe
- Size
  
  78KB
- MD5
  
  923ba5913c151121517c52f609242616
- SHA1
  
  7976305e7afb69e70cca1b29b3e9436b2cd08e25
- SHA256
  
  5d4b830ec56d8bbfdb305e904e6c0f00fc1744a1c7c15e8c71265d08c3aa35e0
- SHA512
  
  7e03947d789f40aacd131287d445d0e3dbe95e9ff1e6ceea211009c3424ae55884365119aa46e1bef4cc0adba108a036d9c3330ef6f3acf2f97e0f83f7a0a202
Score

10^/10

suricata discovery spyware stealer
- suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
  suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
  suricata
- Downloads MZ/PE file
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses 2FA software files, possible credential harvesting
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Legitimate hosting services abused for malware hosting/C2
behavioral25 behavioral26
- Target
  
  7zS8A52FD1B/libgcc_s_dw2-1.dll
- Size
  
  113KB
- MD5
  
  9aec524b616618b0d3d00b27b6f51da1
- SHA1
  
  64264300801a353db324d11738ffed876550e1d3
- SHA256
  
  59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e
- SHA512
  
  0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0
Score

3^/10
behavioral27 behavioral28
- Target
  
  7zS8A52FD1B/libstdc++-6.dll
- Size
  
  647KB
- MD5
  
  5e279950775baae5fea04d2cc4526bcc
- SHA1
  
  8aef1e10031c3629512c43dd8b0b5d9060878453
- SHA256
  
  97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87
- SHA512
  
  666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02
Score

3^/10
behavioral29 behavioral30
- Target
  
  7zS8A52FD1B/libwinpthread-1.dll
- Size
  
  69KB
- MD5
  
  1e0d62c34ff2e649ebc5c372065732ee
- SHA1
  
  fcfaa36ba456159b26140a43e80fbd7e9d9af2de
- SHA256
  
  509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723
- SHA512
  
  3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61
Score

1^/10
behavioral31 behavioral32

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Software Discovery

T1518

Remote System Discovery

T1018

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

Reads user/profile data of web browsers

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Legitimate hosting services abused for malware hosting/C2

Obfuscated with Agile.Net obfuscator

Reads user/profile data of web browsers

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Process spawned unexpected child process

Suspicious use of NtCreateUserProcessOtherParentProcess

suricata: ET MALWARE ClipBanker Variant Activity (POST)

Checks computer location settings

Loads dropped DLL

Unexpected DNS network traffic destination

Looks up external IP address via web service

Drops file in System32 directory

Suspicious use of SetThreadContext

suricata: ET MALWARE Generic Stealer Config Download Request

suricata: ET MALWARE Generic Stealer Sending System Information M1

suricata: ET MALWARE Recordbreaker Stealer CnC Checkin

Downloads MZ/PE file

Loads dropped DLL

Accesses cryptocurrency files/wallets, possible credential harvesting

Legitimate hosting services abused for malware hosting/C2

Suspicious use of SetThreadContext

Checks computer location settings

Loads dropped DLL

Checks computer location settings

Deletes itself

VMProtect packed file

Looks up external IP address via web service

Suspicious use of SetThreadContext

Process spawned unexpected child process

Socelars Payload

Suspicious use of NtCreateUserProcessOtherParentProcess

suricata: ET MALWARE ClipBanker Variant Activity (POST)

suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

Checks for common network interception software

Blocklisted process makes network request

Downloads MZ/PE file

Drops file in Drivers directory

Executes dropped EXE

VMProtect packed file

Checks computer location settings

Loads dropped DLL

Reads user/profile data of web browsers

Unexpected DNS network traffic destination

Accesses 2FA software files, possible credential harvesting

Accesses cryptocurrency files/wallets, possible credential harvesting

Adds Run key to start application

Checks installed software on the system

Enumerates connected drives

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Program crash

Drops file in System32 directory

Suspicious use of SetThreadContext

Socelars

Reads user/profile data of web browsers

Legitimate hosting services abused for malware hosting/C2

suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

Downloads MZ/PE file

Executes dropped EXE

Checks computer location settings

Deletes itself

Reads user/profile data of web browsers

Accesses 2FA software files, possible credential harvesting

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Legitimate hosting services abused for malware hosting/C2

MITRE ATT&CK Matrix ATT&CK v6