General

  • Target

    Resetter.exe

  • Size

    7.4MB

  • Sample

    220615-nb1eraghc6

  • MD5

    c96219ad872f2004a88945f60be8cee3

  • SHA1

    e54f60a1352ed6af4651cc0b4a0185466f7587f2

  • SHA256

    0225e586459e1d461bed227773b88f1a331c4ee7fd61943d590535533c1f7c6a

  • SHA512

    4e1b724eaf81c76fa4c08320ac7e7593f715d01ca9e5f8f3ff7835ba970486e12011df4f02c898187ff7c5197ae49af3b917920f6921aee56707abbc853bc69c

Malware Config

Extracted

  • Family

    socelars

  • C2

    https://sa-us-bucket.s3.us-east-2.amazonaws.com/hfber54/

Targets

    • FFDroider

      Stealer targeting social media platform users first seen in April 2022.

    • FFDroider Payload

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Socelars

      Socelars is an infostealer targeting browser cookies and credit card credentials.

    • Socelars Payload

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • suricata: ET MALWARE ClipBanker Variant Activity (POST)

    • suricata: ET MALWARE Win32/FFDroider CnC Activity

    • suricata: ET MALWARE Win32/FFDroider CnC Activity M2

    • Executes dropped EXE

    • VMProtect packed file

      Detects executables packed with VMProtect commercial packer.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofence check.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar secrets.

    • Unexpected DNS network traffic destination

      Network traffic to other servers than the configured DNS servers was detected on the DNS port.

    • Checks whether UAC is enabled

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

  • Defense Evasion

    Install Root Certificate (T1130): 1
    Modify Registry (T1112): 1

  • Credential Access

    Credentials in Files (T1081): 1

  • Discovery

    Query Registry (T1012): 3
    System Information Discovery (T1082): 5

  • Collection

    Data from Local System (T1005): 1

  • Command and Control

    Web Service (T1102): 1

Tasks