General
-
Target
65f8ca11d9a18baf3fecf7797b9ba867.exe
-
Size
380KB
-
Sample
230412-p1slwacd25
-
MD5
65f8ca11d9a18baf3fecf7797b9ba867
-
SHA1
a2a02cab2a78cfeccd3f784e19a7760ef38e41df
-
SHA256
d4e843d98c28ecc04d58b6369ddcf5cc4e61357a02a15edb6fc26cd039d7c9c8
-
SHA512
da64c70967f3ba22f4ee8e6326debadf9f088b33f004fc7079a7a8d14286f9464383d3294c159d73f6a723f2173a51a0941e9faf1a9f6358c44e1bb7e8c29153
-
SSDEEP
6144:x/QiQXCFkm+ksmpk3U9j0I99OGBfj/WUplm6zIOYQNd28pTXdAmpCLVRZoglM7LT:pQi3FP6m6UR0IPlL//plmW9bTXeVhDrE
Malware Config
Extracted
gcleaner
45.12.253.56
45.12.253.72
45.12.253.98
45.12.253.75
Extracted
socelars
https://hdbywe.s3.us-west-2.amazonaws.com/sadfe410/
Targets
-
-
Target
65f8ca11d9a18baf3fecf7797b9ba867.exe
-
Size
380KB
-
MD5
65f8ca11d9a18baf3fecf7797b9ba867
-
SHA1
a2a02cab2a78cfeccd3f784e19a7760ef38e41df
-
SHA256
d4e843d98c28ecc04d58b6369ddcf5cc4e61357a02a15edb6fc26cd039d7c9c8
-
SHA512
da64c70967f3ba22f4ee8e6326debadf9f088b33f004fc7079a7a8d14286f9464383d3294c159d73f6a723f2173a51a0941e9faf1a9f6358c44e1bb7e8c29153
-
SSDEEP
6144:x/QiQXCFkm+ksmpk3U9j0I99OGBfj/WUplm6zIOYQNd28pTXdAmpCLVRZoglM7LT:pQi3FP6m6UR0IPlL//plmW9bTXeVhDrE
Score10/10-
GCleaner
GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
-
Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
-
Socelars payload
-
Checks for common network interception software
Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
-
Downloads MZ/PE file
-
Drops file in Drivers directory
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application
-
Legitimate hosting services abused for malware hosting/C2
-