General
-
Target
1b20313f658220423fb2ce962e1053b7d07d9139ead52c3df0c1cbdd33879818
-
Size
181KB
-
Sample
220803-yj7txaegf8
-
MD5
bab334ad674d8fa8d7eb42d25ac1bfd8
-
SHA1
9e4a212e030cc80191fdbfe8be23a478d90cb85a
-
SHA256
1b20313f658220423fb2ce962e1053b7d07d9139ead52c3df0c1cbdd33879818
-
SHA512
15fa58d6771a95fc716c2cc0e64d8191b8fdde953b1ada2c70ea6dab5efc7e58f48ef89126cd2f4e13734ad905b79a278d1e8c9958835413c8fa6da3366ec71c
Malware Config
Extracted
socelars
https://hueduy.s3.eu-west-1.amazonaws.com/dkfjrg725/
Targets
-
-
Target
1b20313f658220423fb2ce962e1053b7d07d9139ead52c3df0c1cbdd33879818
-
Size
181KB
-
MD5
bab334ad674d8fa8d7eb42d25ac1bfd8
-
SHA1
9e4a212e030cc80191fdbfe8be23a478d90cb85a
-
SHA256
1b20313f658220423fb2ce962e1053b7d07d9139ead52c3df0c1cbdd33879818
-
SHA512
15fa58d6771a95fc716c2cc0e64d8191b8fdde953b1ada2c70ea6dab5efc7e58f48ef89126cd2f4e13734ad905b79a278d1e8c9958835413c8fa6da3366ec71c
Score10/10-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
-
Socelars payload
-
Downloads MZ/PE file
-
Executes dropped EXE
-
VMProtect packed file
Detects executables packed with VMProtect commercial packer.
-
Deletes itself
-
Loads dropped DLL
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Unexpected DNS network traffic destination
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
-
Accesses Microsoft Outlook profiles
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory
-
Suspicious use of SetThreadContext
-