MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2c18d41dff60fd0ef4bd2bc9f6346c6f6e0de229e872e05b30cd3e7918ca4e5e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Socelars


Vendor detections: 9



SHA256 hash: 2c18d41dff60fd0ef4bd2bc9f6346c6f6e0de229e872e05b30cd3e7918ca4e5e
SHA3-384 hash: e0039b91a0890b460f36028c0735a90263c6a5cfa8463b8c6424399307d46ce78ceef7707b5c9bed2e8d4bdec7b5dede
SHA1 hash: 8f2ac32d76a060c4fcfe858958021fee362a9d1e
MD5 hash: 503a913a1c1f9ee1fd30251823beaf13
humanhash: monkey-jig-michigan-leopard
File name: 503a913a1c1f9ee1fd30251823beaf13
Signature: Socelars
File size: 394'752 bytes
First seen: 2021-11-18 05:05:13 UTC
Last seen: 2021-11-26 13:53:17 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 9734ba8626408cec04bb8fa7d8bb6e83 (4 x PrivateLoader, 3 x GCleaner, 2 x RedLineStealer)
ssdeep: 12288:X7ww87egHPRKA/oKRefRUGe0ISuPKq/wOBp/Bi:X7ww87NKA/lY60S/wOBlk
TLSH: T1F8845A34E601F426F4F20435AC9DD7FA64286B30675558EFF3C54E69AAB16C2E230B27
Reporter: zbetcheckin
Tags: 32 exe Socelars

Intelligence


File Origin
Number of uploads: 3
Number of downloads: 88
Origin country: n/a

Vendor Threat Intelligence

Malware family: n/a
ID: 1
File name: https://free4pc.org/bandicam-crack/
Verdict: Malicious activity
Analysis date: 2021-11-15 03:15:10 UTC
Tags: trojan evasion rat redline loader opendir stealer vidar raccoon

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:

Behaviour
Searching for the window
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Sending an HTTP POST request
Creating a file in the Program Files subdirectories
Creating a file
Creating synchronization primitives
Creating a process from a recently created file
Launching a process
Creating a process with a hidden window
Reading critical registry keys
Creating a file in the %temp% directory
Creating a window
Connecting to a non-recommended domain
Running batch commands
Changing a file
Using the Windows Management Instrumentation requests
Searching for synchronization primitives
Creating a file in the %AppData% subdirectories
Blocking the Windows Defender launch
Query of malicious DNS domain
Unauthorized injection to a recently created process
Launching a tool to kill processes
Stealing user critical data
Sending a TCP request to an infection source
Enabling autorun by creating a file
Sending an HTTP GET request to an infection source
Unauthorized injection to a system process
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: fingerprint greyware zusy
Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Cookie Stealer SmokeLoader Socelars
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signatures:
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
Benign windows process drops PE files
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Creates a thread in another existing process (thread injection)
Creates processes via WMI
Detected unpacking (changes PE section rights)
Disable Windows Defender real time protection (registry)
Drops PE files to the document folder of the user
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
PE file has a writeable .text section
Query firmware table information (likely to detect VMs)
Sigma detected: Suspicious Svchost Process
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Cookie Stealer
Yara detected SmokeLoader
Yara detected Socelars
Behaviour
Behavior Graph:
Behavior Graph ID: 524177
Sample: vd6dk7Pd2i
Startdate: 18/11/2021
Architecture: WINDOWS
Score: 100
Top-level signatures: Antivirus detection for URL or domain; Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; 11 other signatures

Process tree (graph node IDs in parentheses):

vd6dk7Pd2i.exe (10), started by the sample
  Network: 149.154.167.99 TELEGRAMRU United Kingdom; 212.193.30.21 SPD-NETTR Russian Federation; 4 other IPs or domains
  Dropped: C:\Users\...\DPJzj05iQ4pTbY6LW1wF3LBJ.exe (PE32); C:\Users\user\AppData\...\Cube_WW14[1].bmp (PE32); C:\...\PowerControl_Svc.exe (PE32); C:\...\PowerControl_Svc.exe:Zone.Identifier (ASCII)
  Signatures: Drops PE files to the document folder of the user; Uses schtasks.exe or at.exe to add and modify task schedules
  Started: DPJzj05iQ4pTbY6LW1wF3LBJ.exe (19); schtasks.exe (24); schtasks.exe (26)

rundll32.exe (15), started by the sample
  Started: rundll32.exe (28)

PowerControl_Svc.exe (17), started by the sample

DPJzj05iQ4pTbY6LW1wF3LBJ.exe (19)
  Network: 103.155.93.165 TWIDC-AS-APTWIDCLimitedHK unknown; 5.9.164.117 HETZNER-ASDE Germany; 5 other IPs or domains
  Dropped: C:\Users\...\obLfU71490IsNK4EcslMDWoh.exe (PE32); C:\Users\...\l4e2CNUTisfDsvm8IIq_GWXw.exe (PE32); C:\Users\...\0YzZbHN0wzu4cPuv7fM3jSrb.exe (PE32); 7 other files (6 malicious)
  Signatures: Disable Windows Defender real time protection (registry)
  Started: 0C4p7Xp9eR8UJAKhKeSDGSr8.exe (30); obLfU71490IsNK4EcslMDWoh.exe (34); l4e2CNUTisfDsvm8IIq_GWXw.exe (36); 2 other processes (46)

schtasks.exe (24)
  Started: conhost.exe (38)

schtasks.exe (26)
  Started: conhost.exe (40)

rundll32.exe (28)
  Signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Creates a thread in another existing process (thread injection)
  Injected into: svchost.exe (42); svchost.exe (44); 5 other processes (49)

0C4p7Xp9eR8UJAKhKeSDGSr8.exe (30)
  Dropped: C:\Users\...\0C4p7Xp9eR8UJAKhKeSDGSr8.tmp (PE32)
  Signatures: Obfuscated command line found
  Started: 0C4p7Xp9eR8UJAKhKeSDGSr8.tmp (51)

obLfU71490IsNK4EcslMDWoh.exe (34)
  Signatures: Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)); Maps a DLL or memory area into another process; Checks if the current machine is a virtual machine (disk enumeration); Creates a thread in another existing process (thread injection)
  Injected into: explorer.exe (55)

l4e2CNUTisfDsvm8IIq_GWXw.exe (36)
  Started: l4e2CNUTisfDsvm8IIq_GWXw.exe (58); conhost.exe (60)

svchost.exe (42)
  Started: svchost.exe (62)

2 other processes (46)
  Network: 5.9.162.45 HETZNER-ASDE Germany; 149.28.253.196 AS-CHOOPAUS United States; 192.168.2.1 unknown unknown
  Dropped: C:\Users\...\pidHTSIGEi8DrAmaYu9K8ghN89.dll (PE32+)
  Started: WerFault.exe (64)

0C4p7Xp9eR8UJAKhKeSDGSr8.tmp (51)
  Network: 66.29.140.147 ADVANTAGECOMUS United States
  Dropped: C:\Users\user\AppData\Local\...\lakazet.exe (PE32); 3 other files (none is malicious)
  Started: lakazet.exe (66)

explorer.exe (55)
  Network: 198.252.110.227 LEASEWEB-APAC-SIN-11LeasewebAsiaPacificpteltdSG Canada; 7 other IPs or domains
  Dropped: C:\Users\user\AppData\Roaming\cajifvu (PE32); C:\Users\user\AppData\Local\Temp\D087.exe (PE32); C:\Users\user\AppData\Local\Temp\B491.exe (PE32); 2 other malicious files
  Signatures: System process connects to network (likely due to code injection or exploit); Benign windows process drops PE files; Hides that the sample has been downloaded from the Internet (zone.identifier)

l4e2CNUTisfDsvm8IIq_GWXw.exe (58)
  Network: 172.67.219.219 CLOUDFLARENETUS United States
  Dropped: C:\Users\user\AppData\Local\Temp\sqlite.dll (PE32)
  Started: conhost.exe (70)

svchost.exe (62)
  Network: 208.95.112.1 TUT-ASUS United States; 2 other IPs or domains
  Dropped: C:\Users\user\AppData\...\Login Data.tmp (SQLite); C:\Users\user\AppData\Local\...\Cookies.tmp (SQLite)
  Signatures: Query firmware table information (likely to detect VMs); Tries to harvest and steal browser information (history, passwords, etc)

WerFault.exe (64)
  Network: 52.168.117.173 MICROSOFT-CORP-MSN-AS-BLOCKUS United States

lakazet.exe (66)
  Network: 162.255.117.78 NAMECHEAP-NETUS United States; 162.0.210.44 ACPCA Canada
  Dropped: C:\Users\user\AppData\...79yqewesoxy.exe (PE32); C:\Users\user\AppData\...\Wuzhotudyshu.exe (PE32); C:\Program Files (x86)\...behaviorgraphutoxupola.exe (PE32); 4 other files (3 malicious)
  Started: Nyqewesoxy.exe (72); Wuzhotudyshu.exe (77)

Nyqewesoxy.exe (72)
  Network: 142.250.186.46 GOOGLEUS United States; 35.205.61.67 GOOGLEUS United States; 3 other IPs or domains
  Dropped: C:\Users\user\AppData\Local\...\gcleaner.exe (PE32); C:\Users\user\AppData\...\autosubplayer.exe (PE32); C:\Users\user\AppData\Local\...\BumperWW.exe (PE32); 7 other files (none is malicious)
  Signatures: Antivirus detection for dropped file; Machine Learning detection for dropped file

Wuzhotudyshu.exe (77)
  Network: 142.250.185.132 GOOGLEUS United States
Threat name: Win32.Infostealer.Disbuk
Status: Malicious
First seen: 2021-11-14 19:01:00 UTC
AV detection: 20 of 28 (71.43%)
Threat level: 5/5
Result
Malware family: socelars
Score: 10/10
Tags: family:redline family:smokeloader family:socelars backdoor discovery evasion infostealer persistence spyware stealer suricata trojan
Behaviour
Download via BitsAdmin
Gathers network information
Gathers system information
Kills process with taskkill
Modifies Internet Explorer settings
Modifies data under HKEY_USERS
Modifies registry class
Modifies system certificate store
Script User-Agent
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Checks SCSI registry key(s)
Checks processor information in registry
Creates scheduled task(s)
NSIS installer
Enumerates physical storage devices
Program crash
Drops file in Program Files directory
Drops file in Windows directory
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks for any installed AV software in registry
Checks installed software on the system
Checks whether UAC is enabled
Enumerates connected drives
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Looks up geolocation information via web service
Checks BIOS information in registry
Checks computer location settings
Drops startup file
Loads dropped DLL
Reads user/profile data of web browsers
Blocklisted process makes network request
Downloads MZ/PE file
Drops file in Drivers directory
Executes dropped EXE
Modifies Windows Firewall
Checks for common network interception software
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Modifies Windows Defender Real-time Protection settings
Process spawned unexpected child process
RedLine
RedLine Payload
SmokeLoader
Socelars
Socelars Payload
Suspicious use of NtCreateProcessExOtherParentProcess
suricata: ET MALWARE ClipBanker Variant Activity (POST)
suricata: ET MALWARE GCleaner Downloader Activity M5
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
Malware Config
C2 Extraction:
http://www.gianninidesign.com/
http://membro.at/upload/
http://jeevanpunetha.com/upload/
http://misipu.cn/upload/
http://zavodooo.ru/upload/
http://targiko.ru/upload/
http://vues3d.com/upload/
Unpacked files
SHA256 hash: 2c18d41dff60fd0ef4bd2bc9f6346c6f6e0de229e872e05b30cd3e7918ca4e5e
MD5 hash: 503a913a1c1f9ee1fd30251823beaf13
SHA1 hash: 8f2ac32d76a060c4fcfe858958021fee362a9d1e
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_DLInjector06
Author:ditekSHen
Description:Detects downloader / injector

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download
Signature: Socelars
File: Executable exe 2c18d41dff60fd0ef4bd2bc9f6346c6f6e0de229e872e05b30cd3e7918ca4e5e (this sample)

Delivery method: Distributed via web download

Comments



zbet commented on 2021-11-18 05:05:14 UTC

url: hxxp://212.193.30.29/download/Service.bmp