General
-
Target
a9b900fea651b9fecf6782c923361c40a69392d5f036dccb36073929e72faa93
-
Size
181KB
-
Sample
220803-r2d6zsdbdq
-
MD5
ea83cc70c6a935f0e1c904ac78072a00
-
SHA1
9a0e31d59bc1f786f5095d96a1fd4194ced41c2c
-
SHA256
a9b900fea651b9fecf6782c923361c40a69392d5f036dccb36073929e72faa93
-
SHA512
a7e391f910c4b3cbec815ef6f64d61f8e7b7ac6310d3cfb4bbe8b0a65885ed240d960af4b1880d482cf75c8df4d744ec840ef39a928d82d81ec27fae95ca8e93
Malware Config
Extracted
socelars
https://hueduy.s3.eu-west-1.amazonaws.com/dkfjrg725/
Targets
-
-
Target
a9b900fea651b9fecf6782c923361c40a69392d5f036dccb36073929e72faa93
-
Size
181KB
-
MD5
ea83cc70c6a935f0e1c904ac78072a00
-
SHA1
9a0e31d59bc1f786f5095d96a1fd4194ced41c2c
-
SHA256
a9b900fea651b9fecf6782c923361c40a69392d5f036dccb36073929e72faa93
-
SHA512
a7e391f910c4b3cbec815ef6f64d61f8e7b7ac6310d3cfb4bbe8b0a65885ed240d960af4b1880d482cf75c8df4d744ec840ef39a928d82d81ec27fae95ca8e93
Score10/10-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
-
Socelars payload
-
Downloads MZ/PE file
-
Executes dropped EXE
-
VMProtect packed file
Detects executables packed with VMProtect commercial packer.
-
Deletes itself
-
Loads dropped DLL
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Unexpected DNS network traffic destination
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
-
Accesses Microsoft Outlook profiles
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory
-
Suspicious use of SetThreadContext
-