socelars | de9b275a5163b54b3647222d1bee0de42b05f3531555ceba25e278688f6bf9f3 | Triage

Submit
Reports

Overview

overview

Static

static

a358944bc9...dc.exe

windows7-x64

1

a358944bc9...dc.exe

windows10-2004-x64

Sharing

General

Target

a358944bc973b017d35987d2cb1c6a802a22569e36f30abeea3898861c5307dc
Size

178KB
Sample

220803-z8dsssfef2
MD5

7e7bb1ec46bd4b480bd0c40761fedb25
SHA1

e850c090ab5ef6b72251d5247d65929db2c681ec
SHA256

de9b275a5163b54b3647222d1bee0de42b05f3531555ceba25e278688f6bf9f3
SHA512

fa865efa5b3b08d3074bffe1520bdb57a5574c556d4d3438b51b21745a6800a152dd68b60d9f8aeb8481ec017e9dd3b831a810f16981eabd9dc516defad48057

Score

10^/10

socelars spyware stealer vmprotect

Static task

static1

Behavioral task

behavioral1

Sample

a358944bc973b017d35987d2cb1c6a802a22569e36f30abeea3898861c5307dc.exe

Resource

win7-20220718-en

windows7-x64

3 signatures

150 seconds

Behavioral task

behavioral2

Sample

a358944bc973b017d35987d2cb1c6a802a22569e36f30abeea3898861c5307dc.exe

Resource

win10v2004-20220721-en

socelars spyware stealer vmprotect

windows10-2004-x64

27 signatures

150 seconds

Malware Config

Extracted

Family

socelars

C2

https://hueduy.s3.eu-west-1.amazonaws.com/dkfjrg725/

Targets

- Target
  
  a358944bc973b017d35987d2cb1c6a802a22569e36f30abeea3898861c5307dc
- Size
  
  339KB
- MD5
  
  3ead1d313fc2e08000b7cd98db1d8e62
- SHA1
  
  9ae4f6b7c73e478b95d0a63efb35c379cc3de2fe
- SHA256
  
  a358944bc973b017d35987d2cb1c6a802a22569e36f30abeea3898861c5307dc
- SHA512
  
  1baa452e1fc886ffe3d706b46c36342c0c42677e552dc594a4f7e91c27e81f7c81f46fc351262a16dbb3fddb06f67c529fb3b9f1faba903f43c4e10185aa5443
Score

10^/10

socelars spyware stealer vmprotect
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Socelars
  Socelars is an infostealer targeting browser cookies and credit card credentials.
  stealer socelars
- Socelars payload
- Downloads MZ/PE file
- Executes dropped EXE
- VMProtect packed file
  Detects executables packed with VMProtect commercial packer.
  vmprotect
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Peripheral Device Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Web Service

Impact

Tasks

static1

behavioral1

behavioral2

socelarsspywarestealervmprotect

© 2018-2024

Terms | Privacy