socelars | 86040ddf448fb04e7efec05ad0e07bb2ff3d75d65520a4aedc32120cb018e2ce

General

Target

df5c5f0768e8d2f554467b930afda09c.exe
Size

930KB
MD5

df5c5f0768e8d2f554467b930afda09c
SHA1

6b00445635ef04d12b0bb8992c8cc1ae384383f4
SHA256

86040ddf448fb04e7efec05ad0e07bb2ff3d75d65520a4aedc32120cb018e2ce
SHA512

f23c63f52dd7728526c7c461335ea355d0746947a53ce7c6bf6226a7f78c530158851e3d269ba658404a8f4e52cebe8feb7ca441526ef73f752a9e5717ba7a27
SSDEEP

24576:7W5d/Zo0AI0kkHBIYRj4wUrFGtwl9Cs5ySq:716aJj4drFGw9bs5

Score

10^/10

socelars spyware stealer

Malware Config

Extracted

Family

socelars

C2

http://www.iyiqian.com/

http://www.xxhufdc.top/

http://www.uefhkice.xyz/

http://www.fcektsy.top/

Signatures

Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
stealer socelars

Socelars payload 6 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2620-2-0x0000000004BC0000-0x0000000004D23000-memory.dmp	family_socelars
behavioral2/memory/2620-3-0x0000000000400000-0x0000000002D1F000-memory.dmp	family_socelars
behavioral2/memory/2620-4-0x0000000000400000-0x0000000002D1F000-memory.dmp	family_socelars
behavioral2/memory/2620-13-0x0000000000400000-0x0000000002D1F000-memory.dmp	family_socelars
behavioral2/memory/2620-14-0x0000000004BC0000-0x0000000004D23000-memory.dmp	family_socelars
behavioral2/memory/2620-18-0x0000000000400000-0x0000000002D1F000-memory.dmp	family_socelars

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

58 iplogger.org
59 iplogger.org
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

flow	ioc
58	iplogger.org
59	iplogger.org

Program crash 15 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
2164	2620	WerFault.exe	df5c5f0768e8d2f554467b930afda09c.exe
3564	2620	WerFault.exe	df5c5f0768e8d2f554467b930afda09c.exe
3180	2620	WerFault.exe	df5c5f0768e8d2f554467b930afda09c.exe
4048	2620	WerFault.exe	df5c5f0768e8d2f554467b930afda09c.exe
3548	2620	WerFault.exe	df5c5f0768e8d2f554467b930afda09c.exe
116	2620	WerFault.exe	df5c5f0768e8d2f554467b930afda09c.exe
5044	2620	WerFault.exe	df5c5f0768e8d2f554467b930afda09c.exe
4600	2620	WerFault.exe	df5c5f0768e8d2f554467b930afda09c.exe
3136	2620	WerFault.exe	df5c5f0768e8d2f554467b930afda09c.exe
1092	2620	WerFault.exe	df5c5f0768e8d2f554467b930afda09c.exe
2980	2620	WerFault.exe	df5c5f0768e8d2f554467b930afda09c.exe
1104	2620	WerFault.exe	df5c5f0768e8d2f554467b930afda09c.exe
1520	2620	WerFault.exe	df5c5f0768e8d2f554467b930afda09c.exe
3564	2620	WerFault.exe	df5c5f0768e8d2f554467b930afda09c.exe
3468	2620	WerFault.exe	df5c5f0768e8d2f554467b930afda09c.exe

Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

748 taskkill.exe

pid	process
748	taskkill.exe

Suspicious use of AdjustPrivilegeToken 35 IoCs

Processes:

df5c5f0768e8d2f554467b930afda09c.exetaskkill.exe

description	pid	process
Token: SeCreateTokenPrivilege	2620	df5c5f0768e8d2f554467b930afda09c.exe
Token: SeAssignPrimaryTokenPrivilege	2620	df5c5f0768e8d2f554467b930afda09c.exe
Token: SeLockMemoryPrivilege	2620	df5c5f0768e8d2f554467b930afda09c.exe
Token: SeIncreaseQuotaPrivilege	2620	df5c5f0768e8d2f554467b930afda09c.exe
Token: SeMachineAccountPrivilege	2620	df5c5f0768e8d2f554467b930afda09c.exe
Token: SeTcbPrivilege	2620	df5c5f0768e8d2f554467b930afda09c.exe
Token: SeSecurityPrivilege	2620	df5c5f0768e8d2f554467b930afda09c.exe
Token: SeTakeOwnershipPrivilege	2620	df5c5f0768e8d2f554467b930afda09c.exe
Token: SeLoadDriverPrivilege	2620	df5c5f0768e8d2f554467b930afda09c.exe
Token: SeSystemProfilePrivilege	2620	df5c5f0768e8d2f554467b930afda09c.exe
Token: SeSystemtimePrivilege	2620	df5c5f0768e8d2f554467b930afda09c.exe
Token: SeProfSingleProcessPrivilege	2620	df5c5f0768e8d2f554467b930afda09c.exe
Token: SeIncBasePriorityPrivilege	2620	df5c5f0768e8d2f554467b930afda09c.exe
Token: SeCreatePagefilePrivilege	2620	df5c5f0768e8d2f554467b930afda09c.exe
Token: SeCreatePermanentPrivilege	2620	df5c5f0768e8d2f554467b930afda09c.exe
Token: SeBackupPrivilege	2620	df5c5f0768e8d2f554467b930afda09c.exe
Token: SeRestorePrivilege	2620	df5c5f0768e8d2f554467b930afda09c.exe
Token: SeShutdownPrivilege	2620	df5c5f0768e8d2f554467b930afda09c.exe
Token: SeDebugPrivilege	2620	df5c5f0768e8d2f554467b930afda09c.exe
Token: SeAuditPrivilege	2620	df5c5f0768e8d2f554467b930afda09c.exe
Token: SeSystemEnvironmentPrivilege	2620	df5c5f0768e8d2f554467b930afda09c.exe
Token: SeChangeNotifyPrivilege	2620	df5c5f0768e8d2f554467b930afda09c.exe
Token: SeRemoteShutdownPrivilege	2620	df5c5f0768e8d2f554467b930afda09c.exe
Token: SeUndockPrivilege	2620	df5c5f0768e8d2f554467b930afda09c.exe
Token: SeSyncAgentPrivilege	2620	df5c5f0768e8d2f554467b930afda09c.exe
Token: SeEnableDelegationPrivilege	2620	df5c5f0768e8d2f554467b930afda09c.exe
Token: SeManageVolumePrivilege	2620	df5c5f0768e8d2f554467b930afda09c.exe
Token: SeImpersonatePrivilege	2620	df5c5f0768e8d2f554467b930afda09c.exe
Token: SeCreateGlobalPrivilege	2620	df5c5f0768e8d2f554467b930afda09c.exe
Token: 31	2620	df5c5f0768e8d2f554467b930afda09c.exe
Token: 32	2620	df5c5f0768e8d2f554467b930afda09c.exe
Token: 33	2620	df5c5f0768e8d2f554467b930afda09c.exe
Token: 34	2620	df5c5f0768e8d2f554467b930afda09c.exe
Token: 35	2620	df5c5f0768e8d2f554467b930afda09c.exe
Token: SeDebugPrivilege	748	taskkill.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

df5c5f0768e8d2f554467b930afda09c.execmd.exe

description	pid	process	target process
PID 2620 wrote to memory of 652	2620	df5c5f0768e8d2f554467b930afda09c.exe	cmd.exe
PID 2620 wrote to memory of 652	2620	df5c5f0768e8d2f554467b930afda09c.exe	cmd.exe
PID 2620 wrote to memory of 652	2620	df5c5f0768e8d2f554467b930afda09c.exe	cmd.exe
PID 652 wrote to memory of 748	652	cmd.exe	taskkill.exe
PID 652 wrote to memory of 748	652	cmd.exe	taskkill.exe
PID 652 wrote to memory of 748	652	cmd.exe	taskkill.exe

C:\Users\Admin\AppData\Local\Temp\df5c5f0768e8d2f554467b930afda09c.exe
"C:\Users\Admin\AppData\Local\Temp\df5c5f0768e8d2f554467b930afda09c.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2620

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2620 -s 780
2⤵
- Program crash
PID:2164

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2620 -s 820
2⤵
- Program crash
PID:3564

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2620 -s 820
2⤵
- Program crash
PID:3180

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2620 -s 808
2⤵
- Program crash
PID:4048

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2620 -s 944
2⤵
- Program crash
PID:3548

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2620 -s 956
2⤵
- Program crash
PID:116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2620 -s 1128
2⤵
- Program crash
PID:5044

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2620 -s 1488
2⤵
- Program crash
PID:4600

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2620 -s 1536
2⤵
- Program crash
PID:3136

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2620 -s 1560
2⤵
- Program crash
PID:1092

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2620 -s 1800
2⤵
- Program crash
PID:2980

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2620 -s 1788
2⤵
- Program crash
PID:1104

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2620 -s 1732
2⤵
- Program crash
PID:1520

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2620 -s 1848
2⤵
- Program crash
PID:3564

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:652

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:748

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2620 -s 1864
2⤵
- Program crash
PID:3468

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2620 -ip 2620
1⤵
PID:1104

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 2620 -ip 2620
1⤵
PID:4064

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 2620 -ip 2620
1⤵
PID:2152

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 2620 -ip 2620
1⤵
PID:4436

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 2620 -ip 2620
1⤵
PID:2516

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 2620 -ip 2620
1⤵
PID:3196

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 2620 -ip 2620
1⤵
PID:5076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 2620 -ip 2620
1⤵
PID:1520

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 2620 -ip 2620
1⤵
PID:1504

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 2620 -ip 2620
1⤵
PID:2728

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 2620 -ip 2620
1⤵
PID:4584

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 2620 -ip 2620
1⤵
PID:1204

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 2620 -ip 2620
1⤵
PID:3396

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 2620 -ip 2620
1⤵
PID:3880

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 2620 -ip 2620
1⤵
PID:3360

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3276 --field-trial-handle=2356,i,13261194862334667799,7441241219475888176,262144 --variations-seed-version /prefetch:8
1⤵
PID:3788

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Web Service

1

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2620-1-0x0000000004AC0000-0x0000000004B90000-memory.dmp

Filesize
832KB

Download
memory/2620-2-0x0000000004BC0000-0x0000000004D23000-memory.dmp

Filesize
1.4MB

Download
memory/2620-3-0x0000000000400000-0x0000000002D1F000-memory.dmp

Filesize
41.1MB

Download
memory/2620-4-0x0000000000400000-0x0000000002D1F000-memory.dmp

Filesize
41.1MB

Download
memory/2620-12-0x0000000004AC0000-0x0000000004B90000-memory.dmp

Filesize
832KB

Download
memory/2620-13-0x0000000000400000-0x0000000002D1F000-memory.dmp

Filesize
41.1MB

Download
memory/2620-14-0x0000000004BC0000-0x0000000004D23000-memory.dmp

Filesize
1.4MB

Download
memory/2620-18-0x0000000000400000-0x0000000002D1F000-memory.dmp

Filesize
41.1MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads