General

  • Target

    2024-07-25_f1f70ba64226076ff5ccc297301d7c93_avoslocker_wapomi

  • Size

    1.5MB

  • Sample

    240725-l7ag4avhnh

  • MD5

    f1f70ba64226076ff5ccc297301d7c93

  • SHA1

    68cfbd7f5888c0a89671a350db95d7b7b9dc8e26

  • SHA256

    8c28fb5d64ea3cbbcb5da19eb30e6ec8f2acb4c16e0f935275117f49ec4b4b19

  • SHA512

    f2de772227274695756afae89fa9fdbeb8c313ca5f3a7f365cbb7c9d070ea7e001ac2c75f8063219ec0ff9d086b3000ca6e6d23e9f18b6aed9cd331c7a8e3809

  • SSDEEP

    24576:Mwpk4V9rRM1oDb+enGs2Q6E9ZBJRPHJTrFSJ84ufAQKF2fJmg:5pRc1OMcV/sJjAAQKYfYg

Malware Config

Extracted

Family

socelars

C2

https://sa-us-bucket.s3.us-east-2.amazonaws.com/jhvre24/

Targets

    • Target

      2024-07-25_f1f70ba64226076ff5ccc297301d7c93_avoslocker_wapomi

    • Socelars

      Socelars is an infostealer targeting browser cookies and credit card credentials.

    • Socelars payload

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious access to, or copying of, the web browser credential store.

    • ASPack v2.12-2.42

      Detects executables packed with ASPack v2.12-2.42

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Drops Chrome extension

    • Legitimate hosting services abused for malware hosting/C2

    • Checks system information in the registry

      System information is often read in order to detect sandboxing environments.

    • Drops file in System32 directory
