socelars | 3673f09e36c44e87ce76082c900906e8abf001a9e3459ab1cf995cdf9c1de54f | Triage

Sharing

General

Target

3673f09e36c44e87ce76082c900906e8abf001a9e3459ab1cf995cdf9c1de54f
Size

729KB
Sample

240831-l2h72syakm
MD5

d6d852955ac09f1d8aa3dd24e2250f00
SHA1

2e3ce6ef5facf77a5cbda0a1a5ce3148afdf9651
SHA256

3673f09e36c44e87ce76082c900906e8abf001a9e3459ab1cf995cdf9c1de54f
SHA512

336fe7c5e527b99c17a99ec8844086adc0e29dd028cc177db1b19d93eb91e89928ec77e25bfc7f8319b50f495dc13ef6ff8813d8bece39512d10992bbcb78532
SSDEEP

12288:Z3ZkHW0e9BF9QYOP0o5M9QjQCo6kDlG4W/xrQDQM/01Nwv9+GXaQxnDXZHcd:ZpF3Sso5tYpDl8xiOwFPXlxDJHg

Score

10^/10

socelars credential_access discovery spyware stealer

Malware Config

Extracted

Family

socelars

C2

http://www.iyiqian.com/

http://www.hbgents.top/

http://www.rsnzhy.com/

http://www.znsjis.top/

Targets

- Target
  
  34c3f1bc4872912b7fcc4ca0c0b4825fcee90df86d9218c8c7d557f852ed3af1
- Size
  
  1.4MB
- MD5
  
  6ed21f7aa1df0769e185b6dba72084f9
- SHA1
  
  0cb7edceb3b79b6e723144789b4c6549daa57f05
- SHA256
  
  34c3f1bc4872912b7fcc4ca0c0b4825fcee90df86d9218c8c7d557f852ed3af1
- SHA512
  
  bbfb5f5660b185ef5cf3ff141d36f0f88c427eca9fe4996b82fbc0f340944bbb3fc2dccce45da1445e76b3f63ecdacfa73ed932d444dcb13abb256073c815737
- SSDEEP
  
  24576:axpXPaR2J33o3S7P5zuHHOF26ufehMHsGKzOYffEMSXkdOZ1w6:apy+VDr8rCHSXuOZu6
Score

10^/10

socelars credential_access discovery spyware stealer
- Socelars
  Socelars is an infostealer targeting browser cookies and credit card credentials.
  stealer socelars
- Credentials from Password Stores: Credentials from Web Browsers
  Malicious Access or copy of Web Browser Credential store.
  credential_access stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Drops Chrome extension
- Legitimate hosting services abused for malware hosting/C2
- Looks up geolocation information via web service
  Uses a legitimate geolocation service to find the infected system's geolocation info.
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

Subvert Trust Controls

Install Root Certificate

Credential Access

Credentials from Password Stores

Credentials from Web Browsers

Unsecured Credentials

Credentials In Files

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

socelarscredential_accessdiscoveryspywarestealer

behavioral2

socelarscredential_accessdiscoveryspywarestealer