General

  • Target: file
  • Size: 290KB
  • Sample: 220912-r3zt3shcbr
  • MD5: 69dd68d8af98b445b6849f3718f4e9d3
  • SHA1: 7670acff987b7d6f4fd12bf3035ed933fc2aff12
  • SHA256: 9f79759f9f5e4c351421e51c313c7ed1755fc34261c0cf9a215f28c8cc7ebe10
  • SHA512: bb62e34fd30d22851ff72c8f13251ca26acd0c99babb0b8664cf8bf3f87966871e68fcad6ee45c648964ef27cef522af19e2c55368426532fa170eb4c87275a4
  • SSDEEP: 6144:1yoGYmq7AO5Npk9Hk/7CysQEO5NbVnPZaAYL:1mY/L5Nmhk/7CysQRNbVnPK

Malware Config

Extracted

Family: socelars

C2: https://dfgrthres.s3.eu-west-3.amazonaws.com/asdhs909/

Targets

    • Detects Smokeloader packer

    • NetSupport

      NetSupport is a remote access tool sold as legitimate system administration software.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Socelars

      Socelars is an infostealer targeting browser cookies and credit card credentials.

    • Socelars payload

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Modifies Windows Firewall

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • VMProtect packed file

      Detects executables packed with VMProtect commercial packer.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Drops startup file

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Legitimate hosting services abused for malware hosting/C2

MITRE ATT&CK Enterprise v6

Tasks