General

  • Target

    65BD7E49FE292748F0C504DCBEFDB0AD86E69C8349D7253D0E95EBF1BF0110B0.exe

  • Size

    1.7MB

  • Sample

    240724-slrb2svhqe

  • MD5

    7bb46178f57f6ea01347b1790d7bfa27

  • SHA1

    bad79fb2e79f12feabd5249636537842e45b9bef

  • SHA256

    ded8995ef3dc7ea298fa16e1733b033e06261a76e1639430d4808600884c7467

  • SHA512

    86ea26f7f142020e1738de929b6de90400cfa7a1e7b8f69aa62c46b98c220e8f9966eb319bae04fef5c23cea21935d4f10c944e16e4bce4e2e47e5d7c30d9da5

  • SSDEEP

    24576:DKAgpBGV2HpWHuREjDnI2AuADZ8KvqC75H2dtDPc/ExKFY/fwg:vgpG57R8InDPcsxKC/fwg

Malware Config

Extracted

Family

socelars

C2

https://sa-us-bucket.s3.us-east-2.amazonaws.com/jhvre24/

Targets

    • Target

      65BD7E49FE292748F0C504DCBEFDB0AD86E69C8349D7253D0E95EBF1BF0110B0.exe

    • Size

      1.7MB

    • MD5

      7bb46178f57f6ea01347b1790d7bfa27

    • SHA1

      bad79fb2e79f12feabd5249636537842e45b9bef

    • SHA256

      ded8995ef3dc7ea298fa16e1733b033e06261a76e1639430d4808600884c7467

    • SHA512

      86ea26f7f142020e1738de929b6de90400cfa7a1e7b8f69aa62c46b98c220e8f9966eb319bae04fef5c23cea21935d4f10c944e16e4bce4e2e47e5d7c30d9da5

    • SSDEEP

      24576:DKAgpBGV2HpWHuREjDnI2AuADZ8KvqC75H2dtDPc/ExKFY/fwg:vgpG57R8InDPcsxKC/fwg

    • Socelars

      Socelars is an infostealer targeting browser cookies and credit card credentials.

    • Socelars payload

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious Access or copy of Web Browser Credential store.

    • ASPack v2.12-2.42

      Detects executables packed with ASPack v2.12-2.42

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Drops Chrome extension

    • Legitimate hosting services abused for malware hosting/C2

    • Checks system information in the registry

      System information is often read in order to detect sandboxing environments.

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v15

Tasks