General

  • Target

    592ae0c8dc2a2895a4dc6d44465d45bd44d6b7596bd60e9862b942c8d03e594e

  • Size

    265KB

  • Sample

    220912-3lch1aedb7

  • MD5

    c2c2dac3745bf4298068ba62eaff1617

  • SHA1

    7be6fc92d73c13c47f1e1abbf8cc3ead7b13a615

  • SHA256

    592ae0c8dc2a2895a4dc6d44465d45bd44d6b7596bd60e9862b942c8d03e594e

  • SHA512

    a4faa70e6ba989b73528c5d959af7fd8b8bd1aefdbf2ff412336fb2cd96ee13ca6ea05f8a7f143e2a5712984b027b4567c07b98e35ddac491c73e6dd6f2e5394

  • SSDEEP

    3072:HGl7nSf8FWmbF+y5lReiKgBOPFlKcvqSBHaSGzw87xq9JYSo54bDMelrr3x5Lo5:Z6F+y5lsiK5PFlKcSgGzwSxy7HHR958

Malware Config

Extracted

Family

socelars

C2

https://dfgrthres.s3.eu-west-3.amazonaws.com/asdhs909/

Targets

    • Detects Smokeloader packer

    • NetSupport

      NetSupport is a remote access tool sold as legitimate system administration software.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Socelars

      Socelars is an infostealer targeting browser cookies and credit card credentials.

    • Socelars payload

    • Downloads MZ/PE file

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • VMProtect packed file

      Detects executables packed with VMProtect commercial packer.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Drops startup file

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Legitimate hosting services abused for malware hosting/C2

MITRE ATT&CK Enterprise v6