General

  • Target

    673eb11c4cd784bdc37427f244469103362bab82831f65336f42cd294643d8a4

  • Size

    205KB

  • Sample

    220803-23v61agde4

  • MD5

    20d1ed91f7e18e39ca1db949fd87c2bc

  • SHA1

    11655b9fd30ad3682fcb4bce822e60c6486f12e8

  • SHA256

    673eb11c4cd784bdc37427f244469103362bab82831f65336f42cd294643d8a4

  • SHA512

    afe35e816646e0ec2c559b8e0af42b2d213b3f92936f1ef7cce6e8ff0aa71932de6ba6ca894a97bce8d7829defff74042fc1796152033e0f6a5ea8da771b1205

Malware Config

Extracted

Family

socelars

C2

https://hueduy.s3.eu-west-1.amazonaws.com/dkfjrg725/

Targets

    • Target

      673eb11c4cd784bdc37427f244469103362bab82831f65336f42cd294643d8a4

    • Size

      205KB

    • MD5

      20d1ed91f7e18e39ca1db949fd87c2bc

    • SHA1

      11655b9fd30ad3682fcb4bce822e60c6486f12e8

    • SHA256

      673eb11c4cd784bdc37427f244469103362bab82831f65336f42cd294643d8a4

    • SHA512

      afe35e816646e0ec2c559b8e0af42b2d213b3f92936f1ef7cce6e8ff0aa71932de6ba6ca894a97bce8d7829defff74042fc1796152033e0f6a5ea8da771b1205

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Socelars

      Socelars is an infostealer targeting browser cookies and credit card credentials.

    • Socelars payload

    • Downloads MZ/PE file

    • Executes dropped EXE

    • VMProtect packed file

      Detects executables packed with VMProtect commercial packer.

    • Deletes itself

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Unexpected DNS network traffic destination

      Network traffic to other servers than the configured DNS servers was detected on the DNS port.

    • Accesses Microsoft Outlook profiles

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Credential Access

Credentials in Files

1
T1081

Discovery

System Information Discovery

4
T1082

Query Registry

3
T1012

Peripheral Device Discovery

1
T1120

Collection

Data from Local System

1
T1005

Email Collection

1
T1114

Command and Control

Web Service

1
T1102

Tasks