MalwareBazaar Database
You are currently viewing the MalwareBazaar entry for SHA256 0063b80315ee40172ad671a0ffc408f27fe56d716749cc996b271601fd0a2a2c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.
Database Entry
Socelars
Vendor detections: 12
| SHA256 hash: | 0063b80315ee40172ad671a0ffc408f27fe56d716749cc996b271601fd0a2a2c |
|---|---|
| SHA3-384 hash: | f8c8e8d40659048a890eb5c6fd60c5724d0ffaf5cab6b0b90910620abb5760c66f748f6cdc0e32a372b7ee0bbfeeb7e2 |
| SHA1 hash: | 4b42db8af96b19c890fb47d494983da9dbff6090 |
| MD5 hash: | 55694841ce219e189883689911ee9291 |
| humanhash: | lactose-vermont-yellow-oxygen |
| File name: | 0063b80315ee40172ad671a0ffc408f27fe56d716749cc996b271601fd0a2a2c |
| Download: | download sample |
| Signature | Socelars |
| File size: | 6'006'682 bytes |
| First seen: | 2022-03-17 05:45:05 UTC |
| Last seen: | Never |
| File type: |  exe |
| MIME type: | application/x-dosexec |
| imphash | 32569d67dc210c5cb9a759b08da2bdb3 (122 x RedLineStealer, 42 x DiamondFox, 37 x RaccoonStealer) |
| ssdeep | 98304:xomZIRFJvSXKBCC8Yw81+b2R0fRfwG2pwMCnVIlanmf1dxreY16nz8kxWhbU96BP:xom2RzvJCC8p8MaOfRfwJcVIl59PreYv |
| Threatray | 6'841 similar samples on MalwareBazaar |
| TLSH | T1505633E536F990FBE5612A74759A2BA9A5FB131C0535C53302CBBC0CBF9D94660AFC02 |
| File icon (PE): |  |
| dhash icon | 848c5454baf47474 (2'088 x Adware.Neoreklami, 101 x RedLineStealer, 33 x DiamondFox) |
| Reporter |  JAMESWT_WT |
| Tags: | exe hhiuew33-com Socelars |
Intelligence
File Origin
# of uploads :
1
# of downloads :
246
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
0063b80315ee40172ad671a0ffc408f27fe56d716749cc996b271601fd0a2a2c
Verdict:
No threats detected
Analysis date:
2022-03-17 06:17:00 UTC
Tags:
n/a
Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
DLInjector03
Result
Verdict:
Malware
Maliciousness:
Behaviour
Creating a file in the %temp% subdirectories
Сreating synchronization primitives
Creating a process from a recently created file
Searching for the window
Running batch commands
Launching a process
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Result
Malware family:
n/a
Score:
5/10
Tags:
n/a
Behaviour
MalwareBazaar
CheckCmdLine
Verdict:
Suspicious
Threat level:
5/10
Confidence:
100%
Tags:
overlay packed shell32.dll
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Socelars
Verdict:
Malicious
Result
Threat name:
RedLine SmokeLoader Socelars onlyLogger
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Signature
.NET source code contains very large array initializations
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Creates a thread in another existing process (thread injection)
Detected unpacking (changes PE section rights)
Disables Windows Defender (via service or powershell)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
PE file has a writeable .text section
Sample uses process hollowing technique
Sigma detected: Suspicious Script Execution From Temp Folder
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Writes to foreign memory regions
Yara detected onlyLogger
Yara detected RedLine Stealer
Yara detected SmokeLoader
Yara detected Socelars
Yara detected WebBrowserPassView password recovery tool
Yara Genericmalware
Behaviour
Behavior Graph:
Threat name:
Win32.Trojan.AgentTesla
Status:
Malicious
First seen:
2022-03-02 19:18:45 UTC
File Type:
PE (Exe)
Extracted files:
366
AV detection:
26 of 38 (68.42%)
Threat level:
5/5
Verdict:
malicious
Similar samples:
+ 6'831 additional samples on MalwareBazaar
Result
Malware family:
socelars
Score:
10/10
Tags:
family:onlylogger family:redline family:smokeloader family:socelars botnet:media24225 botnet:vnew2 aspackv2 backdoor discovery infostealer loader spyware stealer suricata trojan upx
Behaviour
Checks SCSI registry key(s)
Kills process with taskkill
Modifies registry class
Modifies system certificate store
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
ASPack v2.12-2.42
Executes dropped EXE
UPX packed file
OnlyLogger Payload
Socelars Payload
Suspicious use of NtCreateUserProcessOtherParentProcess
suricata: ET MALWARE GCleaner Downloader Activity M5
suricata: ET MALWARE MSIL/TrojanDownloader.Agent.JVN CnC Checkin
OnlyLogger
Process spawned unexpected child process
RedLine
RedLine Payload
SmokeLoader
Socelars
Malware Config
C2 Extraction:
https://frertge.s3.eu-west-2.amazonaws.com/asdhbf/
http://host-data-coin-11.com/
http://file-coin-host-12.com/
92.255.57.154:11841
116.203.252.195:11112
http://host-data-coin-11.com/
http://file-coin-host-12.com/
92.255.57.154:11841
116.203.252.195:11112
Unpacked files
SH256 hash:
245a869dc8a9bcb2190b5da3ea234740d79798385784e8db7aa3f2d2745192aa
MD5 hash:
4f93004835598b36011104e6f25dbdba
SHA1 hash:
6cb45092356c54f68d26f959e4a05ce80ef28483
SH256 hash:
721d393191597d49d856baef2fbde75e48f52d0465e2cfabf1a41848b0e05589
MD5 hash:
b984a027c8a2abf874f3eb306a831613
SHA1 hash:
d3b3f8890adc840b0bd411cf304eef15d415ed48
Parent samples :
fb9b41efdc7c2d9e8cfda4be223831a9d2f4d21366759da64e04bbbb9e662766
bc9d49f4f0d51c57b34515616d5e6a23a37fec03f8884d8305db0806bd6138fc
ecb96fec4db4a1eecef04c8ef12b260bb419407111c1263664749481b7fa5387
98c920233869ce802fb4722f982fc1a8c2461e2a01ea4a619a9532a660acf285
2fde1682e006e27b2deb49595ab3baf37a836577fbe9efdfae59d4b6b682d8b7
2374069183727dd5904a26027c80032f30dcff60d25019578876c0b37fa9c224
bd3030832602591f05fe01ef11feaa3b9fe776b2a184eb454f02cae3ab73340b
a0f15f4665835bb7f3b07d5e96d2b08af8e88614c9b22fc9fff86f4f60ee1a8e
c91dec1cd5b97079481c76d5d597dde67b60c301ea900eab7db99776d52b465a
bc9d49f4f0d51c57b34515616d5e6a23a37fec03f8884d8305db0806bd6138fc
ecb96fec4db4a1eecef04c8ef12b260bb419407111c1263664749481b7fa5387
98c920233869ce802fb4722f982fc1a8c2461e2a01ea4a619a9532a660acf285
2fde1682e006e27b2deb49595ab3baf37a836577fbe9efdfae59d4b6b682d8b7
2374069183727dd5904a26027c80032f30dcff60d25019578876c0b37fa9c224
bd3030832602591f05fe01ef11feaa3b9fe776b2a184eb454f02cae3ab73340b
a0f15f4665835bb7f3b07d5e96d2b08af8e88614c9b22fc9fff86f4f60ee1a8e
c91dec1cd5b97079481c76d5d597dde67b60c301ea900eab7db99776d52b465a
SH256 hash:
e16f68152fa7be7dd8aff55aeff59ddeae48b4b95e3d3ba33016f65e632a6706
MD5 hash:
a8e7034f8220f722f4aca2edcc9c42eb
SHA1 hash:
656d7d88fffd3820deb1741564807990c3851114
SH256 hash:
b6b2ade3c97669a1eee58fdb3aaacdb63c31f737242e3ad21f55503a8743bacc
MD5 hash:
fadb35ad1ad1d26549b1f8aa1ae3178c
SHA1 hash:
347b1d2523d5ec46fc736a2ee68e1a51ea299b2a
SH256 hash:
756eabb5cd8ff2d5e9c99d92bdcac68b9df69b7a220a01bd72a90b9c94bcb597
MD5 hash:
d66372b02db2aae4902f1dff045f6b7c
SHA1 hash:
5d501b447043bdff2de8bf092f063fd03c3cf6f3
SH256 hash:
a7e37f5314834b163fa21557e61c13c0f202fd64d3c0e46e6c90d2d02e033aec
MD5 hash:
6faec01bf7a3d7f5c5dee2e6e3143a58
SHA1 hash:
603a36f817cab5574e58ab279379e5c112e5fb37
SH256 hash:
7cb44671c2b4bb56f99cde175d969c903a58bbf06104e8ad456419761f264821
MD5 hash:
b653343e5c701720bb92ed19abef4f81
SHA1 hash:
968602dd34add2a908cb07b382438c9e5c131d16
SH256 hash:
e718a2f50e72d94ee2c9455603d98f67e7705aefc283351c182b5e503d59f6d8
MD5 hash:
5264c8567cf762e7cd37971a88b28a45
SHA1 hash:
ffd23a453665086713bbeccf0029c5b026d4c47e
SH256 hash:
0905e503bbd1b44298fbd25edd73928d8420f562484d78ef4eedfbda662c9d4c
MD5 hash:
74f2f7d9a140d455630cfd3e1ab5d3b0
SHA1 hash:
8efa0f403f6a1ef8766b70e33e7fe22e6e4a77bd
SH256 hash:
79fdae8cd42b8bab3280b4b253e800594415d81fdee1d0a4333eca04bc60c78d
MD5 hash:
22d245b66d4f548d414103be37257053
SHA1 hash:
60bc4e063440e6cfb88db37012c38502eb4e63a6
SH256 hash:
8e2a9d3dc7412215c3eb1916dedb7e822059db80282d2f70b8262464077d4919
MD5 hash:
2aa264eb38e19221322155c2e65c97d8
SHA1 hash:
3381da98bc42b58274e06d1b72a32eee721175f7
SH256 hash:
abca3ef4971ea9cf196e429902da91fb3f0db2b502ed8dbe33bee639bb4d0b2c
MD5 hash:
e63b0af4990bdfb854b09570164175e1
SHA1 hash:
2363fd653143e88f92e8bc388d7cc5ed28e66ac2
SH256 hash:
d9f482d843635c8b747bef2ceb43167ed7e15a4e4939054a7e6354cdf1cf7b0e
MD5 hash:
57bade7e373b8bd3ed607c0c0d30637b
SHA1 hash:
184c9c693021346ea8da800c2045aca4cf4029b7
SH256 hash:
69b3902468ca70c2e2ad93559482d009fbc7cba297e596214ad4098450652109
MD5 hash:
090d2c6c392af6688e3f4c13069764a8
SHA1 hash:
0caec60eb68f108868805d426cfa8693f5c4e36f
SH256 hash:
565cb30a640d5cb469f9d93c969aab083fa14dfdf983411c132927665531795c
MD5 hash:
83b531c1515044f8241cd9627fbfbe86
SHA1 hash:
d2f7096e18531abb963fc9af7ecc543641570ac8
SH256 hash:
5564917454238120124cbf40dc0bb4c0cf6d2ac556df98cfbab50f63b1f45e1b
MD5 hash:
6e80509d2f183ca2ec88248c8e69bf42
SHA1 hash:
5a8755924f95709c78ffd51fc2dd1334c8614b6e
SH256 hash:
0ffe8af65c2a3ae624be5c133e00a386469678f5630934dace0455866c81dad2
MD5 hash:
438b63a2c1f57ca9e4256cb10d9ac7fb
SHA1 hash:
3eabd35111d92560b210c83a192beaaca174c129
SH256 hash:
7e41b212ab73b0c25ed7f00a023703d4bfb5c4f0182857bd2c8b11a26e437591
MD5 hash:
6652ebc17b68c3bea4cf8e5bc6a713eb
SHA1 hash:
a421bffe24bee2b9eb9a994aa8ceedafbbc278d7
SH256 hash:
cf068cfb6e58abd2e2ffae06b6a44856a51be850419f5feb1474df306124a487
MD5 hash:
7866a423d6854e07cd928940f32cf29e
SHA1 hash:
e394566fde3341c269572d6197fd49e0c2e9dee7
SH256 hash:
78e9e8c1d9c6e8e8b298812fbe18755dfa429d94e616aaed08cda42b5985f345
MD5 hash:
c658b6942919f0ac3548940b5321ee64
SHA1 hash:
47aca6763fbedeedd7c02f63c57e3d293aa69da7
SH256 hash:
fa4cfc21b069a8577c0eefa4b7869cdf8389ad061992efc91b908031ef1990fb
MD5 hash:
7c51e6fea3ca8f884cbd8017d02913b7
SHA1 hash:
2087c09b2a331131cff1b1e77e41eb8616465725
SH256 hash:
1316fdff6e309c5fc5a90bed2e25cf96c1581fc9fa72157fd28d9dbb15ce4ba4
MD5 hash:
79b3d2297d66a3adbaf4221645fec748
SHA1 hash:
0b458c0795e6b7fb8becf4dc6848a200c0fa846e
SH256 hash:
0063b80315ee40172ad671a0ffc408f27fe56d716749cc996b271601fd0a2a2c
MD5 hash:
55694841ce219e189883689911ee9291
SHA1 hash:
4b42db8af96b19c890fb47d494983da9dbff6090
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
File information
The table below shows additional information about this malware sample such as delivery method and external references.
Comments
Login required
You need to login to in order to write a comment. Login with your abuse.ch account.