fabookie | b931c903ff14d82dce6daf9934209b5c71f982359847ed3e342e25fa88c99f03

General

Target

JaffaCakes118_b931c903ff14d82dce6daf9934209b5c71f982359847ed3e342e25fa88c99f03
Size

3.4MB
Sample

241224-sfar4szqcp
MD5

194572ede01daaccc5f7a617b5c08468
SHA1

b069072234d68d8ef01c49237c392735d45c4901
SHA256

b931c903ff14d82dce6daf9934209b5c71f982359847ed3e342e25fa88c99f03
SHA512

caa033d5a30e1c340455faebaf417d2bca2b0c95a24063df2bee78de8955d6d337f82bc16627583672e42f15022073ddbaaedc6f5a6984fdb65efb9f6a57bbae
SSDEEP

98304:EY+TyVZ3iK1s61b7GmCTajwC+PuBCeRrsPQb:EYgyr3N+613Hma2PZWwm

Score

10^/10

Malware Config

Extracted

Family

socelars

C2

http://www.chosenncrowned.com/

Targets

- Target
  
  OkEgjVmQ0rPYTjBDwBy70NyH.exe
- Size
  
  1.8MB
- MD5
  
  53074ccaf36bc24fd4286062f0cdac98
- SHA1
  
  2ca97c4d5dfacfc29d8feee90cd7de2eff651225
- SHA256
  
  d654c6c1643997b6c6d8e8133e867e52c3176f3e6ed3827ea5f4e29023817115
- SHA512
  
  4a47f2fad7dcf2fefb8fd4ed2714b90f13b4cfec755521db27fb131fce068168f31e1edb0d2dc7f5eb867f992063a37ce5022e7a8a894f906fc91ed1c1be6ef5
- SSDEEP
  
  49152:78492ViONKb0EK/vxtzuViYcqePo2GJKFg8764CTaCowwvgv:7fDuZDHr6ctUKFj764CTa1wggv
Score

7^/10

discovery spyware stealer
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2
- Target
  
  Osz8mRDYP0laXozOTuxyUiiF.exe
- Size
  
  1.4MB
- MD5
  
  0f01bbed1d28eba69835962f39d15261
- SHA1
  
  5538f0cc1959b565277060c53d2f5e4d633ed899
- SHA256
  
  3e34092ce27276c1b0cdeba1d3f8649258e55f23dfb92fcd9de6d52d5f559e91
- SHA512
  
  442a815bc696cdd57bd141565c0ccf983ff9d241129a4bd6ed19d629fd60a5207501abf3ef5c6f19e6e6eab79fc27059f04664809e7572173d3621a2bfb4436d
- SSDEEP
  
  24576:avp1T0ZhIjR+IXbtCOEqmb3tUJoEYdG/9QDMbh7zXIqnjvLZL:0pCuZ4OuD4+AhzXIqnjjZL
Score

10^/10

socelars discovery spyware stealer
- Socelars
  Socelars is an infostealer targeting browser cookies and credit card credentials.
  stealer socelars
- Socelars family
  socelars
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Drops Chrome extension
- Legitimate hosting services abused for malware hosting/C2
- Looks up geolocation information via web service
  Uses a legitimate geolocation service to find the infected system's geolocation info.
behavioral3 behavioral4
- Target
  
  rUtfalBbvXy6eEmMrseqpFHx.exe
- Size
  
  2.0MB
- MD5
  
  93156ea35c0014003d9e87bf82a79b33
- SHA1
  
  1eacd5ec484996a4dab233cd569c54d1594fb3a9
- SHA256
  
  c6ac7d4850131a5422da8170ed1a51f939c4b3b1f312478498e8aa7df374e840
- SHA512
  
  024611682daf2ca96112253d1b2cf8afed22639363c9684353a89e396a89e032a4f7ce8236557416e27dd635e3ee82b332aa3e0bfeba0affc439bdd28a3ea322
- SSDEEP
  
  49152:7rEOLD0xW+aJVXfxu3Eosp/qw7RV+uY/:023Jtosp/qw7yb
Score

9^/10

discovery spyware stealer
- Detected Nirsoft tools
  Free utilities often used by attackers which can steal passwords, product keys, etc.
- NirSoft WebBrowserPassView
  Password recovery tool for various web browsers
- Executes dropped EXE
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral5 behavioral6