MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5655e7d53829fc5c81a4def81d2876aaeaec9ecc40eecc7966e51abba9c38e70. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Socelars


Vendor detections: 15


Intelligence 15 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5655e7d53829fc5c81a4def81d2876aaeaec9ecc40eecc7966e51abba9c38e70
SHA3-384 hash: a4abf9c6a8421284e366cf979e7387c573e99a6f0b16b389b1fa23cebed2db8ea2ce3049885fe7dc192b9f52638f3705
SHA1 hash: 15943666568f09c0751b027a42413851df2c6932
MD5 hash: 0af3484ed04ac95e8a84d3b06c4180c0
humanhash: magnesium-vegan-freddie-queen
File name:file
Download: download sample
Signature Socelars
Create hunting rule
File size:773'255 bytes
First seen:2023-04-10 14:40:47 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 884310b1928934402ea6fec1dbd3cf5e (3'725 x GCleaner, 3'447 x Socks5Systemz, 262 x RaccoonStealer)
ssdeep 12288:VQi3oc6m6UR0Itlp1hf39Wkv8xwJld8kO:VQi4zHITpdUMkkO
Threatray 293 similar samples on MalwareBazaar
TLSH T19EF41226F689D432D0615A749E72D0B05B33BE382D76660636CC7F9F3F772A1A1047A2
TrID 78.6% (.EXE) Inno Setup installer (109740/4/30)
10.1% (.EXE) Win32 Executable Delphi generic (14182/79/4)
3.2% (.EXE) Win32 Executable (generic) (4505/5/1)
2.1% (.MZP) WinArchiver Mountable compressed Archive (3000/1)
1.4% (.EXE) Win16/32 Executable Delphi generic (2072/23)
File icon (PE):PE icon
dhash icon 0000000000000000 (872 x AgentTesla, 496 x Formbook, 296 x RedLineStealer)
Reporter jstrosch
Tags:exe Socelars

Intelligence

File Origin
# of uploads :
1
# of downloads :
281
Origin country :
US US
Vendor Threat Intelligence
Malware family:
smoke
Create hunting rule
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2023-04-10 14:41:01 UTC
Tags:
opendir loader evasion smoke trojan
Link:
https://app.any.run/tasks/e0aab3ac-0762-44b0-a550-ae5a377a3dc2

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/381221/
Detection(s):
SecuriteInfo.com.Application.Agent.AIQ.2330.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a window
Creating a process from a recently created file
Сreating synchronization primitives
DNS request
Sending an HTTP GET request
Creating a process with a hidden window
Sending a custom TCP request
Connecting to a non-recommended domain
Sending an HTTP POST request
Creating a file in the Program Files subdirectories
Creating a file
Searching for synchronization primitives
Adding an access-denied ACE
Using the Windows Management Instrumentation requests
Launching cmd.exe command interpreter
Launching the default Windows debugger (dwwin.exe)
Running batch commands
Unauthorized injection to a recently created process
Query of malicious DNS domain
Sending a TCP request to an infection source
Setting a single autorun event
Launching a tool to kill processes
Sending an HTTP GET request to an infection source
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/77237/overview
Behaviour
MalwareBazaar
CheckCmdLine
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
greyware installer overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/64342007c41e8bc6a3b0b7fe/reports/5abaef12-4764-45af-a0d3-2fff348b6972/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/5655e7d53829fc5c81a4def81d2876aaeaec9ecc40eecc7966e51abba9c38e70
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/e70c4ca7-3aef-4af8-95a6-93a52b1ca44b
Result
Threat name:
Fabookie, Nymaim, Socelars
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1211146
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Creates HTML files with .exe extension (expired dropper behavior)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Yara detected Fabookie
Yara detected Generic Downloader
Yara detected Nymaim
Yara detected Socelars
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 844062 Sample: file.exe Startdate: 10/04/2023 Architecture: WINDOWS Score: 100 93 45.12.253.72 CMCSUS Germany 2->93 95 45.12.253.75 CMCSUS Germany 2->95 97 5 other IPs or domains 2->97 129 Snort IDS alert for network traffic 2->129 131 Multi AV Scanner detection for domain / URL 2->131 133 Malicious sample detected (through community Yara rule) 2->133 135 15 other signatures 2->135 12 file.exe 2 2->12         started        16 ZHivikusixe.exe 15 19 2->16         started        19 ZHivikusixe.exe 2->19         started        signatures3 process4 dnsIp5 79 C:\Users\user\AppData\Local\Temp\...\file.tmp, PE32 12->79 dropped 151 Obfuscated command line found 12->151 21 file.tmp 3 19 12->21         started        87 s3.pl-waw.scw.cloud 151.115.10.1, 443, 49718, 49719 OnlineSASFR United Kingdom 16->87 89 uchiha.s3.pl-waw.scw.cloud 16->89 91 2 other IPs or domains 16->91 file6 signatures7 process8 dnsIp9 99 eu-central-2.wasabisys.com 154.49.215.13, 49701, 80 NETRIX-ASNetrixFR United States 21->99 101 s3.eu-central-2.wasabisys.com 21->101 63 C:\Users\user\AppData\Local\...\mA3iz.exe, PE32 21->63 dropped 65 C:\Users\user\AppData\Local\Temp\...\idp.dll, PE32 21->65 dropped 67 C:\Users\user\AppData\Local\...\_shfoldr.dll, PE32 21->67 dropped 69 C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+ 21->69 dropped 25 mA3iz.exe 22 18 21->25         started        file10 process11 dnsIp12 103 connectini.net 37.230.138.123, 443, 49704, 49712 ROCKETTELECOM-ASRU Russian Federation 25->103 105 360devtracking.com 37.230.138.66, 49711, 49720, 80 ROCKETTELECOM-ASRU Russian Federation 25->105 107 9 other IPs or domains 25->107 71 C:\Users\user\AppData\...behaviorgraphyfalaryca.exe, PE32 25->71 dropped 73 C:\Program Files (x86)\...\ZHivikusixe.exe, PE32 25->73 dropped 75 C:\Users\user\...behaviorgraphyfalaryca.exe.config, XML 25->75 dropped 77 C:\...\ZHivikusixe.exe.config, XML 25->77 dropped 145 Multi AV Scanner detection for dropped file 25->145 147 May check the online IP address of the machine 25->147 149 Creates HTML files with .exe extension (expired dropper behavior) 25->149 30 Gyfalaryca.exe 14 11 25->30         started        file13 signatures14 process15 dnsIp16 119 iplogger.org 148.251.234.83, 443, 49724, 49733 HETZNER-ASDE Germany 30->119 121 google.com 142.251.36.206 GOOGLEUS United States 30->121 123 6 other IPs or domains 30->123 81 C:\Users\user\AppData\Local\...\handdiy_3.exe, PE32 30->81 dropped 83 C:\Users\user\AppData\Local\Temp\...\ss29.exe, PE32+ 30->83 dropped 85 C:\Users\user\AppData\Local\...\gcleaner.exe, PE32 30->85 dropped 125 Multi AV Scanner detection for dropped file 30->125 127 May check the online IP address of the machine 30->127 35 cmd.exe 30->35         started        37 cmd.exe 30->37         started        39 cmd.exe 30->39         started        file17 signatures18 process19 process20 41 gcleaner.exe 35->41         started        45 conhost.exe 35->45         started        47 ss29.exe 37->47         started        49 conhost.exe 37->49         started        51 handdiy_3.exe 39->51         started        53 conhost.exe 39->53         started        dnsIp21 109 45.12.253.56, 49731, 80 CMCSUS Germany 41->109 137 Detected unpacking (changes PE section rights) 41->137 139 Detected unpacking (overwrites its own PE header) 41->139 55 WerFault.exe 41->55         started        57 WerFault.exe 41->57         started        59 WerFault.exe 41->59         started        61 5 other processes 41->61 111 bz.bbbeioaag.com 103.100.211.218, 49728, 80 HKKFGL-AS-APHKKwaifongGroupLimitedHK Hong Kong 47->111 141 Tries to harvest and steal browser information (history, passwords, etc) 47->141 113 www.ippfinfo.top 178.18.252.110, 443, 49732 INLINE-ASDE Germany 51->113 115 192.168.2.1 unknown unknown 51->115 117 iplogger.org 51->117 143 May check the online IP address of the machine 51->143 signatures22 process23
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5655e7d53829fc5c81a4def81d2876aaeaec9ecc40eecc7966e51abba9c38e70/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2023-04-07 22:57:03 UTC
File Type:
PE (Exe)
Extracted files:
5
AV detection:
18 of 37 (48.65%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=kzk6pvjyfh6fzane334b2kdwvlvozhwmidxmy6lg4unlxkodrzya._file
Verdict:
malicious
Similar samples:
35f0970d4b7b24b2180d36be0cfc8a1678f071077d6d4e34b0461da55658eb43
Socelars
5531490b3951e8793cb6ee449f75d6fb0b5c1347d1197ccda7ff1b9b15cf9661
Socelars
5bd0f1a500c8eb22f267f4414a8187c5f77f3b02b66d5dc9f9f42c2ff1206b1e
Socelars
8b1813aef6ef673d4a0973bbf426857d251c21e71889376ba581652b5e56e4f3
Socelars
93578a9c7067f5a2f64f200756d817d16fc4e021878ac768b3d5aa847c2af2e8
Socelars
a5a259c2d8f0eb4dde69a6d7131f86c36df3f5d75989f1c6888881cdf7bb6299
Socelars
ad4fe1e40d5bd2e9881400aaaf00b43abdfcfcab35587923bd92067fa34d2059
Socelars
f5302b9e1f7a2c2c69ce10c5975d4ceee06a7cec5a9b834fd63dece231838fe7
Socelars
+ 283 additional samples on MalwareBazaar
Result
Malware family:
socelars
Create hunting rule
Score:
  10/10
Tags:
family:gcleaner family:socelars evasion loader persistence spyware stealer
Link:
https://tria.ge/reports/230410-r2e4aaac54/
Behaviour
Enumerates system info in registry
Kills process with taskkill
Modifies system certificate store
Suspicious behavior: CmdExeWriteProcessMemorySpam
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Drops file in Drivers directory
Checks for common network interception software
GCleaner
Socelars
Socelars payload
Malware Config
C2 Extraction:
45.12.253.56
45.12.253.72
45.12.253.98
45.12.253.75
https://hdbywe.s3.us-west-2.amazonaws.com/sadfe410/
Unpacked files
SH256 hash:
e427f8ef21691e3d8c2313d11129ad08ddef69a158eca2f77c170603478ff0c4
MD5 hash:
0dedd909aae9aa0a89b4422106310e9e
SHA1 hash:
271d36afa5b729ee590cf8066166ca5e9c9d0340
Link:
https://www.unpac.me/results/7d264151-7203-45f5-9ccf-ba579998bcf1/
SH256 hash:
e4dd51f3fd04b15ba2b31b69177d8823ea8157aff84e3ab9c170276d80cdc897
MD5 hash:
058c0a84dfe9396360faa5caba02d705
SHA1 hash:
6a82c9441156cc13b6905a281c3ccaf3ee70b681
Link:
https://www.unpac.me/results/7d264151-7203-45f5-9ccf-ba579998bcf1/
SH256 hash:
5655e7d53829fc5c81a4def81d2876aaeaec9ecc40eecc7966e51abba9c38e70
MD5 hash:
0af3484ed04ac95e8a84d3b06c4180c0
SHA1 hash:
15943666568f09c0751b027a42413851df2c6932
Link:
https://www.unpac.me/results/7d264151-7203-45f5-9ccf-ba579998bcf1/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/5655e7d53829fc5c81a4def81d2876aaeaec9ecc40eecc7966e51abba9c38e70

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Create hunting rule
Author:ditekSHen
Description:Detects executables containing SQL queries to confidential data stores. Observed in infostealers
Rule name:malware_shellcode_hash
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect shellcode api hash value
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Socelars

Executable exe 5655e7d53829fc5c81a4def81d2876aaeaec9ecc40eecc7966e51abba9c38e70

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/381221/

Comments