socelars | 048c51cddd7226942b94b0b406e6134fb17766eda673f1dd713fee7c845f4514

Analysis

max time kernel
168s
max time network
182s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
05-01-2024 21:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7zS.sfx.exe
Size

7.1MB
MD5

ba081b0e14f236799ac98b4704b299d2
SHA1

b4a15a7359431171610ef629be5c5e9f18c9c6db
SHA256

048c51cddd7226942b94b0b406e6134fb17766eda673f1dd713fee7c845f4514
SHA512

c9eeb160323f467ab0727708c1110735bb5aae2c6c4fd7e1ae6c2dea1e2d175ebcfdb1b602e90983ebaeee723070fa4947c2c898711bdfaa6ca744eeba4d1bc5
SSDEEP

196608:x9nqZY7+ydwDEyrghwssarM1NDfvCAmoxUVQvk:x9nqg+2QEkgyss/N7aKsWk

Score

10^/10

socelars agilenet stealer vmprotect

Malware Config

Extracted

Family

socelars

https://sa-us-bucket.s3.us-east-2.amazonaws.com/ujfreids61/

Signatures

Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
stealer socelars

Socelars payload 1 IoCs

resource	yara_rule
behavioral2/files/0x000200000001e7f5-58.dat	family_socelars

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	7zS.sfx.exe

Executes dropped EXE 1 IoCs

pid	Process
5012	setup_install.exe

Loads dropped DLL 1 IoCs

pid	Process
5012	setup_install.exe

Obfuscated with Agile.Net obfuscator 1 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

resource	yara_rule
behavioral2/files/0x000300000001e7e8-47.dat	agile_net

VMProtect packed file 1 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral2/files/0x000200000001e7ef-52.dat	vmprotect

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 51 IoCs

description	pid	Process	procid_target
PID 4008 wrote to memory of 5012	4008	7zS.sfx.exe	95
PID 4008 wrote to memory of 5012	4008	7zS.sfx.exe	95
PID 4008 wrote to memory of 5012	4008	7zS.sfx.exe	95
PID 5012 wrote to memory of 3032	5012	setup_install.exe	101
PID 5012 wrote to memory of 3032	5012	setup_install.exe	101
PID 5012 wrote to memory of 3032	5012	setup_install.exe	101
PID 5012 wrote to memory of 5076	5012	setup_install.exe	103
PID 5012 wrote to memory of 5076	5012	setup_install.exe	103
PID 5012 wrote to memory of 5076	5012	setup_install.exe	103
PID 5012 wrote to memory of 4840	5012	setup_install.exe	105
PID 5012 wrote to memory of 4840	5012	setup_install.exe	105
PID 5012 wrote to memory of 4840	5012	setup_install.exe	105
PID 5012 wrote to memory of 4476	5012	setup_install.exe	104
PID 5012 wrote to memory of 4476	5012	setup_install.exe	104
PID 5012 wrote to memory of 4476	5012	setup_install.exe	104
PID 5012 wrote to memory of 1976	5012	setup_install.exe	106
PID 5012 wrote to memory of 1976	5012	setup_install.exe	106
PID 5012 wrote to memory of 1976	5012	setup_install.exe	106
PID 5012 wrote to memory of 4912	5012	setup_install.exe	107
PID 5012 wrote to memory of 4912	5012	setup_install.exe	107
PID 5012 wrote to memory of 4912	5012	setup_install.exe	107
PID 5012 wrote to memory of 3548	5012	setup_install.exe	108
PID 5012 wrote to memory of 3548	5012	setup_install.exe	108
PID 5012 wrote to memory of 3548	5012	setup_install.exe	108
PID 5012 wrote to memory of 4780	5012	setup_install.exe	109
PID 5012 wrote to memory of 4780	5012	setup_install.exe	109
PID 5012 wrote to memory of 4780	5012	setup_install.exe	109
PID 5012 wrote to memory of 4152	5012	setup_install.exe	110
PID 5012 wrote to memory of 4152	5012	setup_install.exe	110
PID 5012 wrote to memory of 4152	5012	setup_install.exe	110
PID 5012 wrote to memory of 5108	5012	setup_install.exe	116
PID 5012 wrote to memory of 5108	5012	setup_install.exe	116
PID 5012 wrote to memory of 5108	5012	setup_install.exe	116
PID 5012 wrote to memory of 1444	5012	setup_install.exe	115
PID 5012 wrote to memory of 1444	5012	setup_install.exe	115
PID 5012 wrote to memory of 1444	5012	setup_install.exe	115
PID 5012 wrote to memory of 912	5012	setup_install.exe	114
PID 5012 wrote to memory of 912	5012	setup_install.exe	114
PID 5012 wrote to memory of 912	5012	setup_install.exe	114
PID 5012 wrote to memory of 920	5012	setup_install.exe	113
PID 5012 wrote to memory of 920	5012	setup_install.exe	113
PID 5012 wrote to memory of 920	5012	setup_install.exe	113
PID 5012 wrote to memory of 4112	5012	setup_install.exe	112
PID 5012 wrote to memory of 4112	5012	setup_install.exe	112
PID 5012 wrote to memory of 4112	5012	setup_install.exe	112
PID 5012 wrote to memory of 3356	5012	setup_install.exe	111
PID 5012 wrote to memory of 3356	5012	setup_install.exe	111
PID 5012 wrote to memory of 3356	5012	setup_install.exe	111
PID 3032 wrote to memory of 4452	3032	cmd.exe	117
PID 3032 wrote to memory of 4452	3032	cmd.exe	117
PID 3032 wrote to memory of 4452	3032	cmd.exe	117

C:\Users\Admin\AppData\Local\Temp\7zS.sfx.exe
"C:\Users\Admin\AppData\Local\Temp\7zS.sfx.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4008
- C:\Users\Admin\AppData\Local\Temp\7zS8AF5CAC8\setup_install.exe
  "C:\Users\Admin\AppData\Local\Temp\7zS8AF5CAC8\setup_install.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:5012
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3032
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
      4⤵
      PID:4452
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 62a4bad6b95e3_be16fe.exe
    3⤵
    PID:5076
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 62a4bad8262f6_79a499f590.exe
    3⤵
    PID:4476
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 62a4bad771e8f_923347.exe
    3⤵
    PID:4840
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 62a4bad9333c8_8e10071d.exe
    3⤵
    PID:1976
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 62a4badb7af85_623761ba41.exe
    3⤵
    PID:4912
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 62a4badcb43a3_a6c0e514.exe /mixtwo
    3⤵
    PID:3548
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 62a4bade488e6_dadba0.exe
    3⤵
    PID:4780
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 62a4badf31e77_62aa4e13bb.exe
    3⤵
    PID:4152
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 62a4bae89fe45_b5ccf628.exe
    3⤵
    PID:3356
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 62a4bae4d2a9c_cc09b024e.exe
    3⤵
    PID:4112
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 62a4bae2a134b_4fa915d.exe
    3⤵
    PID:920
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 62a4bae1cd5ec_f0e751fd26.exe
    3⤵
    PID:912
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 62a4bae132fe9_b10406e779.exe
    3⤵
    PID:1444
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 62a4bae02cdda_a09bb3e.exe
    3⤵
    PID:5108

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zS8AF5CAC8\62a4bad6b95e3_be16fe.exe

Filesize
157KB

MD5
3f1b557fe9b21d6f6e1930732bddbca5

SHA1
89ea657b120fccda8ca35ffc13c14010210c3878

SHA256
c8aca33eb3be35e343d86533c1f8c828231ef520efd2378dd2f09945544d9e54

SHA512
a598fab8a79213c0981c27916da406ad081724ecaed5f47bb13cdc2882f2543116fd1b05537fd5f856242c780d948e620944a1003e54a7711ee12e1b1bfa7fc2

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8AF5CAC8\62a4bad771e8f_923347.exe

Filesize
242KB

MD5
2db62b3e5088b61ead161e0482b2f6f2

SHA1
a13b707e24ae6269631ce1099263cbc793f4b2a1

SHA256
c277eac5a2f147b839219c2327a2d7e6c85be9dabe91c8a92b553e2cadc9e3c3

SHA512
9c287e38c61c28ee0fce45b8734a979d6c74dbdd8648327ac7f7d24e9a2c07736eff70f2f8ca33ddd6196d4b629865ae35abd0de8e784e989179618aa1d72774

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8AF5CAC8\62a4bad8262f6_79a499f590.exe

Filesize
312KB

MD5
0cad21764fe956f3028096ff3ff37549

SHA1
09ceb67ca8d995e8811e6f0d13f7b01377f7f8c5

SHA256
f65a68dcc63bd141e3a6619ed81b9c0ff3a5492ebd73034f8c794681f1875e3e

SHA512
4733ea55c8aa918cd7dc35bfb97f5b9f59653244bae98caa3b9d4c7c60f8d7d249e8c20b191345923aa0db60137a0a04b8b20f589bef164076e2f8ec89529542

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8AF5CAC8\62a4bad9333c8_8e10071d.exe

Filesize
196KB

MD5
10f718551ce15ce0c355b32669b51d2f

SHA1
9df3e355231d2f4ff80f0201d1ae05ea151142eb

SHA256
74328b4664781c7c6d58bf597a0be968f198fbb199bd0c3425ff575a3f52d688

SHA512
19c9ce8541cb500652aab74d555c8be43594dd423a49e59284b129fe0e9d670c23a274942841444429a25082970486c13c95f254278fdf2a25a26e1bff831ec3

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8AF5CAC8\62a4badb7af85_623761ba41.exe

Filesize
1.7MB

MD5
687970ee527c342266c4d3ba85eb31fe

SHA1
df65ac38c3ad39d703f8af7e62750420bfca597a

SHA256
55a3d8c8e10550fcf0cb0a04282661333791d9646b0bc47db3cec8a82fd96f6a

SHA512
5d89e9636d320a749c2462a32d891e64ce531fb8033d085ca52ea8007ab08ee1e248a370ee1433e9dcc4216d0d8aafad4c2d5de28079235688eae632772bd2e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8AF5CAC8\62a4badcb43a3_a6c0e514.exe

Filesize
311KB

MD5
34ff1645f6865dee9a1ef114759ca48f

SHA1
7461a01ce24ba2e907cb28b21e0653b5392687d5

SHA256
909b86bc2ab0bbb6860422827a3827f7bd0b56efe17c077fd0709bce1d43aec7

SHA512
6b62cd81a7be8480739a4edb4551a32df167ca167120072bc6f5dc19a587e197d1ff0ffe3e5b68c2d7a32ea6956b867556580b5e28411d658edccdb178fea3c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8AF5CAC8\62a4bade488e6_dadba0.exe

Filesize
3.7MB

MD5
e77f09a338e643ee05ad09e367eedf73

SHA1
6777cd291ece93e16aa95c3e60b63d46b1b142bd

SHA256
f32c3414f14e0b4c08183af08702736a2ed18c99101d5ee1bc5bc5e8ee3c8982

SHA512
53f59267e4bfe862e51edb0fd7d356485a7349e7ccd6439c6c88bda921a67909a36efd1690d06fe3c30c8a4433d5c4c1a34c30b928cb29ec45b08045ef4f5747

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8AF5CAC8\62a4badf31e77_62aa4e13bb.exe

Filesize
196KB

MD5
92f5ca1832c018a5761f26e061f701d0

SHA1
f566a7544b02fe7dc64792bf65db81639f804b7e

SHA256
a39354bba664f79e28ec6792cea228188420d7a30b140a47506783b237d3a572

SHA512
2f4bce853e50f2a883fa97be81fb31c79fee6216378f02b504ca4316b4b9e51bfd4d582a760b9f72ed945e58281d4db5a4126dca7b7dcd3d0c016ac45e4f0799

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8AF5CAC8\62a4bae02cdda_a09bb3e.exe

Filesize
268KB

MD5
20dc2240fc07dcc1b82c274cdd809d33

SHA1
10741d21ffaaff7cf2ba4464ee7298072a2394a9

SHA256
8ee483e0317d795b650f75861c0145707da9e0c2a73cc97760aea32d74209e5f

SHA512
efd1d9b7891b365916c5c600df07f6993eda62179d2c179d1d82438b30e54d6590c17d60328a04d16e40d829b31d44383760a1c6df3892f9bcc35f26a3ee905c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8AF5CAC8\62a4bae132fe9_b10406e779.exe

Filesize
752KB

MD5
e57b3f11829f7f85d0e482043f8a6bd4

SHA1
5a7e389a273d75c845f754039d3faa15e0aac501

SHA256
7195edba387ee58556e027f17bc09f4b43db205ab89485e90863af84f2252517

SHA512
b9f977908b23559d57076a019117324c684d9f47542532fdcd0bb49b17e7079a117faa800c1cd2a019becc980f4553f4c8ae83a36658a96d0cbe8f2241f68de5

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8AF5CAC8\62a4bae1cd5ec_f0e751fd26.exe

Filesize
212KB

MD5
8595eb1a87c49b9b940b46524e1fdf87

SHA1
59622f56b46c724876fce597df797512b6b3d12d

SHA256
77596040b690af4836406a17c20a69cd5093fd0c470b89df209a26694141bd4c

SHA512
cd6a7e25982bdf24ebc34c15b1465dfd8ed7be51f6a8d529309f5aabc811e6a6dd7914c4d6353add01daef8c1f4aaee1002c3f39937998df21d3abadb50535d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8AF5CAC8\62a4bae2a134b_4fa915d.exe

Filesize
235KB

MD5
64ecfe6ca54439c864efaac021d35cf0

SHA1
92e8c181feaf8babc4db771ca33093177a67dc02

SHA256
6b0c5adaaca511a026245c67a45e18ebe0f208a33b35ea5dff14776c4e2aded4

SHA512
e1bc103efe3b6ba3722b63781dd0476ed6c036014f870b1913dac6fe86c13933d2dc8930f42782e6aae5119d21f3ec0bef886de026945ada006e228054bd2b2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8AF5CAC8\62a4bae4d2a9c_cc09b024e.exe

Filesize
1.4MB

MD5
c8cc1b2dc76454583c3968d96af6d095

SHA1
bcd0ca7a524dbf55345baa6a0622acee27136eac

SHA256
03bc61c86383045ec0d07802596d98ec5b869144fb9f41330332058d340183f3

SHA512
c7c99a9f4d953373710f4cc3b80b3f8d36eee86491755437ec2a9648df08a804fc03b4ca769cb5df3751643f1c6c44b0907e73ff1947869dfcf9598368d9f883

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8AF5CAC8\62a4bae89fe45_b5ccf628.exe

Filesize
78KB

MD5
b735af19c1782c4fbeb037fca859b8fa

SHA1
171da3e442bd4aa2336dc197eecca615c89b07cb

SHA256
6515d15d618b349a68bc2456f3a9eecc6b0b64aaac9d662c1b3f702ffba3c054

SHA512
96c3c31a08952150e74f5ee16acf51495f06d309dfd58bf6ac8a7cb1aff0dbc027901c7bb60d4b4d3246610e13d624b342041c3ead85fc713f5ed3e702f31183

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8AF5CAC8\libwinpthread-1.dll

Filesize
69KB

MD5
1e0d62c34ff2e649ebc5c372065732ee

SHA1
fcfaa36ba456159b26140a43e80fbd7e9d9af2de

SHA256
509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723

SHA512
3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8AF5CAC8\setup_install.exe

Filesize
2.1MB

MD5
57ce0037afbf6d9c2b519127df0d6e68

SHA1
739e874190d9f5e3427a107bf89fa06014f49600

SHA256
22a5982c64b0f2fbbfadfc2dfe2387fbbbcc7985552aac146b74ae9e49fbdb5c

SHA512
fe34fa37e890f69118838e697e4ff128e338fb14dfe827a98ca1cee4c7d98fe2432c86620c300b6fd2a7af15fe2e1df02f7ecc48536ab41f42e2cfe3d98a87b1

Download Submit
memory/4452-64-0x0000000074640000-0x0000000074DF0000-memory.dmp

Filesize
7.7MB

Download
memory/4452-65-0x0000000074640000-0x0000000074DF0000-memory.dmp

Filesize
7.7MB

Download
memory/4452-66-0x00000000055D0000-0x00000000055E0000-memory.dmp

Filesize
64KB

Download
memory/4452-67-0x0000000005500000-0x0000000005536000-memory.dmp

Filesize
216KB

Download
memory/5012-60-0x0000000000400000-0x000000000051A000-memory.dmp

Filesize
1.1MB

Download
memory/5012-61-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/5012-45-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download