socelars | 5fa6e5ada10cb75ec62b8679b24900cfa9e1bb997b6080d92f2ebd27cf061e30 | Triage

Submit
Reports

Overview

overview

Static

static

68779e42e5...0d.exe

windows7-x64

1

68779e42e5...0d.exe

windows10-2004-x64

Sharing

General

Target

68779e42e50d7a492b0c2e15e12a734f3a0189317ab749a7f8980260a80a520d
Size

127KB
Sample

220803-vzdn8adeh3
MD5

a9b84b91620fed58f31e0507de0b2555
SHA1

dc8c221bd30ad5b3818054d07afe6cbba5ccc537
SHA256

5fa6e5ada10cb75ec62b8679b24900cfa9e1bb997b6080d92f2ebd27cf061e30
SHA512

cf999f22addc08eebed6060830a1947b17f9d6c823b3824b33d5b10c9255cd7783f116ecf3910578db4951c9aa5d78c0cdb4d2757eb2e375f3ef87a15a570a7d

Score

10^/10

socelars spyware stealer vmprotect

Static task

static1

Behavioral task

behavioral1

Sample

68779e42e50d7a492b0c2e15e12a734f3a0189317ab749a7f8980260a80a520d.exe

Resource

win7-20220715-en

windows7-x64

3 signatures

150 seconds

Behavioral task

behavioral2

Sample

68779e42e50d7a492b0c2e15e12a734f3a0189317ab749a7f8980260a80a520d.exe

Resource

win10v2004-20220721-en

socelars spyware stealer vmprotect

windows10-2004-x64

27 signatures

150 seconds

Malware Config

Extracted

Family

socelars

C2

https://hueduy.s3.eu-west-1.amazonaws.com/dkfjrg725/

Targets

- Target
  
  68779e42e50d7a492b0c2e15e12a734f3a0189317ab749a7f8980260a80a520d
- Size
  
  181KB
- MD5
  
  0e67ced6b45068364af5390fbd5b9a5f
- SHA1
  
  855c6894c29034e52b281a30efa26fa552cbd06a
- SHA256
  
  68779e42e50d7a492b0c2e15e12a734f3a0189317ab749a7f8980260a80a520d
- SHA512
  
  558c15769af80e6c2fe78e00f50ba65a1d086491be20bd37be12529bd0f07f5cb3834c9ec34642de8addd58f9b504fb5d8a488d4055b38238460e461ffc31b58
Score

10^/10

socelars spyware stealer vmprotect
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Socelars
  Socelars is an infostealer targeting browser cookies and credit card credentials.
  stealer socelars
- Socelars payload
- Downloads MZ/PE file
- Executes dropped EXE
- VMProtect packed file
  Detects executables packed with VMProtect commercial packer.
  vmprotect
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Peripheral Device Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Web Service

Impact

Tasks

static1

behavioral1

behavioral2

socelarsspywarestealervmprotect

© 2018-2024

Terms | Privacy