socelars | acacad6f583f41aef322e29aad8e41c2d7ae4e9192fa450da2495934de1744c1

General

Target

acacad6f583f41aef322e29aad8e41c2d7ae4e9192fa450da2495934de1744c1.exe
Size

1.9MB
MD5

db367c514ab76f8d78125f38173f16a3
SHA1

952cca78e59b6e2235d128c7f0669e22c552a83d
SHA256

acacad6f583f41aef322e29aad8e41c2d7ae4e9192fa450da2495934de1744c1
SHA512

a84f043167960be13874951a563c95453760c251e3fa1634a519ac4fa499250f826735ddc30e65fae9bc94cbe0eabeaf71794af6c7ce7d3d462a2d7d9a3df2a1
SSDEEP

24576:qTfEWQMHi9jzdDnAOnCncwDg6TX8lXqLwr63mYmHfAlOFpe8Qk+Th/DNs0o+:UcW4fTWTTslXqLw+3m5Al98uTBhs0o+

Score

10^/10

socelars discovery stealer

Malware Config

Extracted

Family

socelars

C2

http://www.zhxxjs.pw/Info/

http://www.allinfo.pw/

Signatures

Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
stealer socelars
Executes dropped EXE 2 IoCs

Processes:

acacad6f583f41aef322e29aad8e41c2d7ae4e9192fa450da2495934de1744c1.tmpDiskScan.exe

pid process

4532 acacad6f583f41aef322e29aad8e41c2d7ae4e9192fa450da2495934de1744c1.tmp
2796 DiskScan.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

acacad6f583f41aef322e29aad8e41c2d7ae4e9192fa450da2495934de1744c1.tmp

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	acacad6f583f41aef322e29aad8e41c2d7ae4e9192fa450da2495934de1744c1.tmp

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4284 2796 WerFault.exe DiskScan.exe

pid	pid_target	process	target process
4284	2796	WerFault.exe	DiskScan.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

acacad6f583f41aef322e29aad8e41c2d7ae4e9192fa450da2495934de1744c1.tmp

pid	process
4532	acacad6f583f41aef322e29aad8e41c2d7ae4e9192fa450da2495934de1744c1.tmp
4532	acacad6f583f41aef322e29aad8e41c2d7ae4e9192fa450da2495934de1744c1.tmp

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

acacad6f583f41aef322e29aad8e41c2d7ae4e9192fa450da2495934de1744c1.tmp

pid process

4532 acacad6f583f41aef322e29aad8e41c2d7ae4e9192fa450da2495934de1744c1.tmp

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

acacad6f583f41aef322e29aad8e41c2d7ae4e9192fa450da2495934de1744c1.exeacacad6f583f41aef322e29aad8e41c2d7ae4e9192fa450da2495934de1744c1.tmp

description	pid	process	target process
PID 1224 wrote to memory of 4532	1224	acacad6f583f41aef322e29aad8e41c2d7ae4e9192fa450da2495934de1744c1.exe	acacad6f583f41aef322e29aad8e41c2d7ae4e9192fa450da2495934de1744c1.tmp
PID 1224 wrote to memory of 4532	1224	acacad6f583f41aef322e29aad8e41c2d7ae4e9192fa450da2495934de1744c1.exe	acacad6f583f41aef322e29aad8e41c2d7ae4e9192fa450da2495934de1744c1.tmp
PID 1224 wrote to memory of 4532	1224	acacad6f583f41aef322e29aad8e41c2d7ae4e9192fa450da2495934de1744c1.exe	acacad6f583f41aef322e29aad8e41c2d7ae4e9192fa450da2495934de1744c1.tmp
PID 4532 wrote to memory of 2796	4532	acacad6f583f41aef322e29aad8e41c2d7ae4e9192fa450da2495934de1744c1.tmp	DiskScan.exe
PID 4532 wrote to memory of 2796	4532	acacad6f583f41aef322e29aad8e41c2d7ae4e9192fa450da2495934de1744c1.tmp	DiskScan.exe
PID 4532 wrote to memory of 2796	4532	acacad6f583f41aef322e29aad8e41c2d7ae4e9192fa450da2495934de1744c1.tmp	DiskScan.exe

C:\Users\Admin\AppData\Local\Temp\acacad6f583f41aef322e29aad8e41c2d7ae4e9192fa450da2495934de1744c1.exe
"C:\Users\Admin\AppData\Local\Temp\acacad6f583f41aef322e29aad8e41c2d7ae4e9192fa450da2495934de1744c1.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1224

C:\Users\Admin\AppData\Local\Temp\is-QEFE0.tmp\acacad6f583f41aef322e29aad8e41c2d7ae4e9192fa450da2495934de1744c1.tmp
"C:\Users\Admin\AppData\Local\Temp\is-QEFE0.tmp\acacad6f583f41aef322e29aad8e41c2d7ae4e9192fa450da2495934de1744c1.tmp" /SL5="$A004E,1255174,809984,C:\Users\Admin\AppData\Local\Temp\acacad6f583f41aef322e29aad8e41c2d7ae4e9192fa450da2495934de1744c1.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4532

C:\Users\Admin\AppData\Local\Temp\DiskProtect190901\DiskScan.exe
"C:\Users\Admin\AppData\Local\Temp\DiskProtect190901\DiskScan.exe"
3⤵
- Executes dropped EXE
PID:2796

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2796 -s 1112
4⤵
- Program crash
PID:4284

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2796 -ip 2796
1⤵
PID:3732

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DiskProtect190901\DiskScan.exe
Filesize
1.1MB

MD5
8b657eec7beb7b278c47cd4cdeffbe29

SHA1
39d23a0ebea029b9878346abb74bc31e9b77d2c3

SHA256
cd5c9d9a60600e130f6da42f661906909214d156d2500bd7d9657592eecf6019

SHA512
c52488f58d9822fa00885f254fc2738562cd0933b32e0edb3cd406cca33b150f185ab294bd860d3750e4c98ab8084effef4a562df9ada42ee385e71b7d4a9fb1

Download Submit
C:\Users\Admin\AppData\Local\Temp\DiskProtect190901\DiskScan.exe
Filesize
1.1MB

MD5
8b657eec7beb7b278c47cd4cdeffbe29

SHA1
39d23a0ebea029b9878346abb74bc31e9b77d2c3

SHA256
cd5c9d9a60600e130f6da42f661906909214d156d2500bd7d9657592eecf6019

SHA512
c52488f58d9822fa00885f254fc2738562cd0933b32e0edb3cd406cca33b150f185ab294bd860d3750e4c98ab8084effef4a562df9ada42ee385e71b7d4a9fb1

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-QEFE0.tmp\acacad6f583f41aef322e29aad8e41c2d7ae4e9192fa450da2495934de1744c1.tmp
Filesize
2.5MB

MD5
b791cce5df067cdb8b8a8eae20d3c8f4

SHA1
9558d6e5de346d2e444ac869e885d101dcf94b83

SHA256
c4905f1105c0d90fa77d346c8b088ac6a1a18326c0d356f24fee45ef6484955e

SHA512
fada58d582d51406728cf6018110e0f8acef09b9f55fcb22252660524b98f33b7695c4f0cd3e4bfa6b47c4e82d7a335665a3be86f6ea3218ea30ffa7c025444f

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-QEFE0.tmp\acacad6f583f41aef322e29aad8e41c2d7ae4e9192fa450da2495934de1744c1.tmp
Filesize
2.5MB

MD5
b791cce5df067cdb8b8a8eae20d3c8f4

SHA1
9558d6e5de346d2e444ac869e885d101dcf94b83

SHA256
c4905f1105c0d90fa77d346c8b088ac6a1a18326c0d356f24fee45ef6484955e

SHA512
fada58d582d51406728cf6018110e0f8acef09b9f55fcb22252660524b98f33b7695c4f0cd3e4bfa6b47c4e82d7a335665a3be86f6ea3218ea30ffa7c025444f

Download Submit
memory/1224-132-0x0000000000400000-0x00000000004D3000-memory.dmp

Filesize
844KB

Download
memory/1224-134-0x0000000000400000-0x00000000004D3000-memory.dmp

Filesize
844KB

Download
memory/1224-141-0x0000000000400000-0x00000000004D3000-memory.dmp

Filesize
844KB

Download
memory/2796-138-0x0000000000000000-mapping.dmp

Download
memory/4532-135-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads