socelars | 8e72678453341281ff6069284596b3eb78c616a97f400865bc5e34d922c359ba | Triage

Submit
Reports

Overview

overview

Static

static

7b4446bd6b...ff.exe

windows7-x64

1

7b4446bd6b...ff.exe

windows10-2004-x64

Sharing

General

Target

7b4446bd6b0466c89aeb637058458c9f8f870a152006301fc5ad2eb7ed04b7ff
Size

127KB
Sample

220803-yqefyaehb7
MD5

f715ba2d8cff1340d49c1a14d3d49a97
SHA1

d099c532177df5034845d4b53d812b42b3b914c8
SHA256

8e72678453341281ff6069284596b3eb78c616a97f400865bc5e34d922c359ba
SHA512

ca2e7096e11c52bed9e9f174fef0323795b0666cd0836ab47091dfd5580fe7be95f9d1d07c2d98356ab23010bb79d7a75e661e5954fee61237cec34d3adf3f80

Score

10^/10

socelars spyware stealer vmprotect

Static task

static1

Behavioral task

behavioral1

Sample

7b4446bd6b0466c89aeb637058458c9f8f870a152006301fc5ad2eb7ed04b7ff.exe

Resource

win7-20220715-en

windows7-x64

3 signatures

150 seconds

Behavioral task

behavioral2

Sample

7b4446bd6b0466c89aeb637058458c9f8f870a152006301fc5ad2eb7ed04b7ff.exe

Resource

win10v2004-20220722-en

socelars spyware stealer vmprotect

windows10-2004-x64

27 signatures

150 seconds

Malware Config

Extracted

Family

socelars

C2

https://hueduy.s3.eu-west-1.amazonaws.com/dkfjrg725/

Targets

- Target
  
  7b4446bd6b0466c89aeb637058458c9f8f870a152006301fc5ad2eb7ed04b7ff
- Size
  
  181KB
- MD5
  
  0ea509d2538dbd8b2e13ed3d4bc37878
- SHA1
  
  04e45ea70b426a2d52dfa0fcf0c5ca2bc2bb5beb
- SHA256
  
  7b4446bd6b0466c89aeb637058458c9f8f870a152006301fc5ad2eb7ed04b7ff
- SHA512
  
  d6770de999e6c6c05754616ada4ba79ec0aa853d19f30d8818c5d636845aab6be3ac2b8f967c3fcfe9169b1c441348d09cd45098d3e24d217062960d32254e51
Score

10^/10

socelars spyware stealer vmprotect
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Socelars
  Socelars is an infostealer targeting browser cookies and credit card credentials.
  stealer socelars
- Socelars payload
- Downloads MZ/PE file
- Executes dropped EXE
- VMProtect packed file
  Detects executables packed with VMProtect commercial packer.
  vmprotect
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Peripheral Device Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Web Service

Impact

Tasks

static1

behavioral1

behavioral2

socelarsspywarestealervmprotect

© 2018-2024

Terms | Privacy