socelars | 62f0b185cba6b658bf7f21ca33ac22f943d2162efb0b914fe11cba4b286aeb9c | Triage

Submit
Reports

Overview

overview

Static

static

efd516cf87...29.exe

windows7-x64

1

efd516cf87...29.exe

windows10-2004-x64

Sharing

General

Target

efd516cf87d276f82b2f274ad2bb75e805a215cb1a57ad8cc3ee5a77efbc3329
Size

128KB
Sample

220803-n8hafaagh3
MD5

f4392961935c0a749c8ea1b59a38914e
SHA1

8e757c7c243c258e6c6158ebe7498e00557a5ad5
SHA256

62f0b185cba6b658bf7f21ca33ac22f943d2162efb0b914fe11cba4b286aeb9c
SHA512

39d0050cc3d591d944fa1319953d570a8a2683ba2e89a938340ca6acfb3aee8ba9b104739925132345e39f610053b9b7f650146d7dab1bbe1584be641031799a

Score

10^/10

socelars spyware stealer vmprotect

Static task

static1

Behavioral task

behavioral1

Sample

efd516cf87d276f82b2f274ad2bb75e805a215cb1a57ad8cc3ee5a77efbc3329.exe

Resource

win7-20220715-en

windows7-x64

3 signatures

150 seconds

Behavioral task

behavioral2

Sample

efd516cf87d276f82b2f274ad2bb75e805a215cb1a57ad8cc3ee5a77efbc3329.exe

Resource

win10v2004-20220722-en

socelars spyware stealer vmprotect

windows10-2004-x64

27 signatures

150 seconds

Malware Config

Extracted

Family

socelars

C2

https://hueduy.s3.eu-west-1.amazonaws.com/dkfjrg725/

Targets

- Target
  
  efd516cf87d276f82b2f274ad2bb75e805a215cb1a57ad8cc3ee5a77efbc3329
- Size
  
  181KB
- MD5
  
  cc4d8aec6dc407401d6681cf10007180
- SHA1
  
  f617e6cf5ed2c3d63bd25770d40aa33fa93c6454
- SHA256
  
  efd516cf87d276f82b2f274ad2bb75e805a215cb1a57ad8cc3ee5a77efbc3329
- SHA512
  
  ea61f35bb3639a1e0235c175ce7fa1f5cbb7b565fafd6588db8dde035cf545f67ae1c712de3ff1fb3d7e574dbb3bf5662c6089a01bf0e70e51130115714ff70d
Score

10^/10

socelars spyware stealer vmprotect
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Socelars
  Socelars is an infostealer targeting browser cookies and credit card credentials.
  stealer socelars
- Socelars payload
- Downloads MZ/PE file
- Executes dropped EXE
- VMProtect packed file
  Detects executables packed with VMProtect commercial packer.
  vmprotect
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Peripheral Device Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Web Service

Impact

Tasks

static1

behavioral1

behavioral2

socelarsspywarestealervmprotect

© 2018-2024

Terms | Privacy