MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7ba745d20db94b41924bd88906cbc2e813c95c586232b5659ad0679a3cac2813. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Socelars


Vendor detections: 13


Intelligence 13 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7ba745d20db94b41924bd88906cbc2e813c95c586232b5659ad0679a3cac2813
SHA3-384 hash: 0a7bad1305b0ea94d30eec93bb79fb1acc0f62a4520b903f95f334805e382233a4c390aa353c5057d3a237254802f335
SHA1 hash: c468057a1c7d45fcda77b3a2d73d66097cab3761
MD5 hash: a5ede982bb74d31f5990bf77046bdd92
humanhash: william-kansas-hot-burger
File name:win_setup__6218604fb60ef.exe
Download: download sample
Signature Socelars
Create hunting rule
File size:6'092'139 bytes
First seen:2022-02-25 05:25:26 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash c05041e01f84e1ccca9c4451f3b6a383 (141 x RedLineStealer, 101 x GuLoader, 64 x DiamondFox)
ssdeep 98304:Jz2PkWm/qRX+5Q0Q/Q4wEwNzAxgc3MKyngU+RgDkbpNv1JpWCzZnK81IEOHPvRLX:Jz2PkWmCRX+5Q026N8xgcc9b+hNv1JMf
Threatray 6'031 similar samples on MalwareBazaar
TLSH T14E5633F76DD8C2A7D5F1173D76298232BAFDF05841A83A17E31043BE68408294979EED
File icon (PE):PE icon
dhash icon b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter adm1n_usa32
Tags:exe Smoke Loader Socelars

Intelligence

File Origin
# of uploads :
1
# of downloads :
243
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
win_setup__6218604fb60ef.exe
Verdict:
Malicious activity
Analysis date:
2022-02-25 05:15:09 UTC
Tags:
trojan evasion loader opendir stealer arkei vidar
Link:
https://app.any.run/tasks/6386231c-80d2-46e8-ab94-2af8dcc5b2bb

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
DLInjector03
Create hunting rule
Link:
https://www.capesandbox.com/analysis/244596/
Detection(s):
Win.Dropper.Pswtool-9857488-0
Create hunting rule

Win.Packed.Barys-9859531-0
Create hunting rule

Win.Packed.Jaik-9862233-0
Create hunting rule

Win.Packed.Jaik-9863991-0
Create hunting rule

Win.Trojan.Jaik-9869659-0
Create hunting rule

Win.Trojan.Jaik-9873403-0
Create hunting rule

Win.Packed.Tiny-9901377-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% directory
Сreating synchronization primitives
Creating a process from a recently created file
Creating a file
Running batch commands
Launching a process
Using the Windows Management Instrumentation requests
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/7375/overview
Behaviour
MalwareBazaar
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
control.exe overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/62186870b94fb38cb4025a2a/reports/9c2df64a-5da7-48ef-91bc-a1e37b05bba7/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Socelars
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/3af17267-5e7b-4e53-a067-463eff5145b1
Result
Threat name:
RedLine SmokeLoader Socelars gzRat onlyL
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/946184
Signature
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Disables Windows Defender (via service or powershell)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
May check the online IP address of the machine
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
PE file has a writeable .text section
Sample uses process hollowing technique
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Script Execution From Temp Folder
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected gzRat
Yara detected onlyLogger
Yara detected RedLine Stealer
Yara detected SmokeLoader
Yara detected Socelars
Yara detected WebBrowserPassView password recovery tool
Yara Genericmalware
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 578663 Sample: win_setup__6218604fb60ef.exe Startdate: 25/02/2022 Architecture: WINDOWS Score: 100 63 80.71.158.145 PARKNET-ASDK unknown 2->63 65 ip-api.com 208.95.112.1, 49759, 80 TUT-ASUS United States 2->65 67 6 other IPs or domains 2->67 77 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->77 79 Multi AV Scanner detection for domain / URL 2->79 81 Malicious sample detected (through community Yara rule) 2->81 83 19 other signatures 2->83 11 win_setup__6218604fb60ef.exe 10 2->11         started        signatures3 process4 file5 49 C:\Users\user\AppData\...\setup_installer.exe, PE32 11->49 dropped 14 setup_installer.exe 20 11->14         started        process6 file7 51 C:\Users\user\AppData\...\setup_install.exe, PE32 14->51 dropped 53 C:\Users\...\621860490bbfe_Fri0445b5c85.exe, PE32 14->53 dropped 55 C:\Users\...\621860480cdfc_Fri04cb4b4877.exe, PE32 14->55 dropped 57 15 other files (9 malicious) 14->57 dropped 17 setup_install.exe 1 14->17         started        process8 signatures9 75 Adds a directory exclusion to Windows Defender 17->75 20 cmd.exe 1 17->20         started        22 cmd.exe 1 17->22         started        24 cmd.exe 1 17->24         started        26 8 other processes 17->26 process10 signatures11 29 62185ffbae79b_Fri043cb3b4.exe 15 4 20->29         started        34 62185ffab3d6d_Fri043a68954.exe 1 22->34         started        36 62185ffc75a3e_Fri04514be599.exe 2 24->36         started        85 Adds a directory exclusion to Windows Defender 26->85 87 Disables Windows Defender (via service or powershell) 26->87 38 621860416cda7_Fri04579674f2.exe 26->38         started        40 62185ffe06008_Fri040b61a0f30.exe 26->40         started        42 621860403ceeb_Fri0462297e06ae.exe 26->42         started        44 3 other processes 26->44 process12 dnsIp13 69 toptechnewsinc.com 104.21.34.48, 49758, 80 CLOUDFLARENETUS United States 29->69 59 cb0c8759-dbf8-4685-a918-65c61fa2967b.exe, PE32 29->59 dropped 91 Antivirus detection for dropped file 29->91 93 Multi AV Scanner detection for dropped file 29->93 95 Detected unpacking (changes PE section rights) 29->95 97 Detected unpacking (overwrites its own PE header) 29->97 99 Machine Learning detection for dropped file 34->99 101 Disables Windows Defender (via service or powershell) 34->101 46 cmd.exe 34->46         started        103 Sample uses process hollowing technique 36->103 105 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 38->105 107 Maps a DLL or memory area into another process 38->107 109 Checks if the current machine is a virtual machine (disk enumeration) 38->109 71 iplogger.org 148.251.234.83, 443, 49760 HETZNER-ASDE Germany 40->71 73 www.icodeps.com 149.28.253.196, 443, 49757 AS-CHOOPAUS United States 40->73 111 May check the online IP address of the machine 40->111 61 C:\...\621860403ceeb_Fri0462297e06ae.tmp, PE32 42->61 dropped 113 Obfuscated command line found 42->113 file14 signatures15 process16 signatures17 89 Disables Windows Defender (via service or powershell) 46->89
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/7ba745d20db94b41924bd88906cbc2e813c95c586232b5659ad0679a3cac2813/
Threat name:
Win32.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-02-25 05:27:33 UTC
File Type:
PE (Exe)
Extracted files:
392
AV detection:
20 of 27 (74.07%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
1d7c3a08d1e69e704039850f64a88363fc6c9f3721907aa3c0d8165ae20de3a1
Socelars
6059bdd4738c812b60b43a1e0ade3099cfad2dfd306e8fa41c30484a9830d38b
Socelars
74c2576ed018b452120e3b82ff97b560754bc7d948e8aa81d3b0b35954411b91
Socelars
7ffeae85c9e4be6675aa85f9fb8883c9a41960de2f7437be9e41288682329b3c
Socelars
c5061cf2961513f91ee1b2c0f50bf8a11928ac068b02ba825b3b0410de507224
Socelars
d23c6e45bb29e2aba8b63bcd30e7aa86b5069d26c4e4441c1224a524a90fc67a
Socelars
fe6f9b44e20c4b49f5d0d57e0986627269ed6570e179cfd515ad1bf27cfb4f6f
Socelars
+ 6'021 additional samples on MalwareBazaar
Result
Malware family:
socelars
Create hunting rule
Score:
  10/10
Tags:
family:icedid family:onlylogger family:redline family:smokeloader family:socelars botnet:media24222 campaign:2715004312 aspackv2 backdoor banker discovery infostealer loader spyware stealer suricata trojan upx
Link:
https://tria.ge/reports/220225-f4wchagbgm/
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Enumerates system info in registry
Kills process with taskkill
Modifies system certificate store
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Program Files directory
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
ASPack v2.12-2.42
Downloads MZ/PE file
Executes dropped EXE
UPX packed file
IcedID First Stage Loader
OnlyLogger Payload
IcedID, BokBot
OnlyLogger
Process spawned unexpected child process
RedLine
RedLine Payload
SmokeLoader
Socelars
Socelars Payload
Suspicious use of NtCreateProcessExOtherParentProcess
suricata: ET MALWARE Danabot Key Exchange Request
suricata: ET MALWARE GCleaner Downloader Activity M5
suricata: ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01
suricata: ET MALWARE JS/Nemucod.M.gen downloading EXE payload
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Win32/IcedID Request Cookie
Malware Config
C2 Extraction:
https://frertge.s3.eu-west-2.amazonaws.com/asdhbf/
http://pjure.at/upload/
http://puffersweiven.com/upload/
http://algrcabel.ru/upload/
http://pelangiqq99.com/upload/
http://elsaunny.com/upload/
http://korphoto.com/upload/
http://hangxachtaythodoan.com/upload/
http://pkodev.net/upload/
http://go-piratia.ru/upload/
http://piratia.su/upload/
https://oakland-studio.video/search.php
https://seattle-university.video/search.php
92.255.57.154:11841
badgoodreason.com
Unpacked files
SH256 hash:
7ce780809c834eadfd03cd9f19245ef3b258d63d712d84afc2b017e01288abb1
MD5 hash:
ab4e365cadf97f131d3f2a9e560c2c96
SHA1 hash:
bdcd0732b2e13ad89ec90e72e19d33dd68912008
Link:
https://www.unpac.me/results/0a340331-9873-4779-9c71-34bc0c31f588/
SH256 hash:
a7e37f5314834b163fa21557e61c13c0f202fd64d3c0e46e6c90d2d02e033aec
MD5 hash:
6faec01bf7a3d7f5c5dee2e6e3143a58
SHA1 hash:
603a36f817cab5574e58ab279379e5c112e5fb37
Link:
https://www.unpac.me/results/0a340331-9873-4779-9c71-34bc0c31f588/
SH256 hash:
e718a2f50e72d94ee2c9455603d98f67e7705aefc283351c182b5e503d59f6d8
MD5 hash:
5264c8567cf762e7cd37971a88b28a45
SHA1 hash:
ffd23a453665086713bbeccf0029c5b026d4c47e
Link:
https://www.unpac.me/results/0a340331-9873-4779-9c71-34bc0c31f588/
SH256 hash:
ad56593ae333a96e9b606d4bf8138fed2ed60645cafca73c17bf47a26bfcb468
MD5 hash:
1373e1409ea97073e6d0bfc010222d3b
SHA1 hash:
f535f95ec8443cf3099746a580e680e9b72e34b9
Link:
https://www.unpac.me/results/0a340331-9873-4779-9c71-34bc0c31f588/
SH256 hash:
b01a013d362a26756b1f2f839130261385514f4d38b3db9052689e29cd53c0b9
MD5 hash:
7111fcfae8f5d7197149ae83d8f30aab
SHA1 hash:
e985c1eeda48abd371a27bdb6b6bc31e8a875c6a
Link:
https://www.unpac.me/results/0a340331-9873-4779-9c71-34bc0c31f588/
SH256 hash:
b124d5accabbca60e8b5797dcac193ede1285ae9c823ad114aec5b2f030fb3c2
MD5 hash:
fb5e9be94a589a406d2752272626bb74
SHA1 hash:
658c91d38f9b536493dd7324b8d8d113e8e27fa0
Link:
https://www.unpac.me/results/0a340331-9873-4779-9c71-34bc0c31f588/
SH256 hash:
cf55d8369b08fe8a6a5a456d4fd4947105b4a6256cecae3b2135f227e880a823
MD5 hash:
73e7527fe41be69d045e4ac102d48590
SHA1 hash:
623ffbba25ef33ce747f620090e3c92cd0a319d2
Link:
https://www.unpac.me/results/0a340331-9873-4779-9c71-34bc0c31f588/
SH256 hash:
367031a3c0fa801c6811ce863b42bbe4f553032eb2c01c2a0825790ca8db474d
MD5 hash:
dd9c634933b0d2318977daa71cd370c4
SHA1 hash:
474a2b768ae9b899c9684c55c6d2ca20033798fa
Link:
https://www.unpac.me/results/0a340331-9873-4779-9c71-34bc0c31f588/
SH256 hash:
abca3ef4971ea9cf196e429902da91fb3f0db2b502ed8dbe33bee639bb4d0b2c
MD5 hash:
e63b0af4990bdfb854b09570164175e1
SHA1 hash:
2363fd653143e88f92e8bc388d7cc5ed28e66ac2
Link:
https://www.unpac.me/results/0a340331-9873-4779-9c71-34bc0c31f588/
SH256 hash:
e1cc6a9d780602fe6e789bf5c3a27e87e197a4e3bf7c8138ea2f9dfec70fb963
MD5 hash:
f707252b9c9579677fffb013e0cfc646
SHA1 hash:
8ab483023fa8773afb8c13464c39c5b8e687f126
Link:
https://www.unpac.me/results/0a340331-9873-4779-9c71-34bc0c31f588/
SH256 hash:
565cb30a640d5cb469f9d93c969aab083fa14dfdf983411c132927665531795c
MD5 hash:
83b531c1515044f8241cd9627fbfbe86
SHA1 hash:
d2f7096e18531abb963fc9af7ecc543641570ac8
Link:
https://www.unpac.me/results/0a340331-9873-4779-9c71-34bc0c31f588/
SH256 hash:
245a869dc8a9bcb2190b5da3ea234740d79798385784e8db7aa3f2d2745192aa
MD5 hash:
4f93004835598b36011104e6f25dbdba
SHA1 hash:
6cb45092356c54f68d26f959e4a05ce80ef28483
Link:
https://www.unpac.me/results/0a340331-9873-4779-9c71-34bc0c31f588/
SH256 hash:
e16f68152fa7be7dd8aff55aeff59ddeae48b4b95e3d3ba33016f65e632a6706
MD5 hash:
a8e7034f8220f722f4aca2edcc9c42eb
SHA1 hash:
656d7d88fffd3820deb1741564807990c3851114
Link:
https://www.unpac.me/results/0a340331-9873-4779-9c71-34bc0c31f588/
SH256 hash:
721d393191597d49d856baef2fbde75e48f52d0465e2cfabf1a41848b0e05589
MD5 hash:
b984a027c8a2abf874f3eb306a831613
SHA1 hash:
d3b3f8890adc840b0bd411cf304eef15d415ed48
Link:
https://www.unpac.me/results/0a340331-9873-4779-9c71-34bc0c31f588/
Parent samples :
fb9b41efdc7c2d9e8cfda4be223831a9d2f4d21366759da64e04bbbb9e662766
bc9d49f4f0d51c57b34515616d5e6a23a37fec03f8884d8305db0806bd6138fc
ecb96fec4db4a1eecef04c8ef12b260bb419407111c1263664749481b7fa5387
98c920233869ce802fb4722f982fc1a8c2461e2a01ea4a619a9532a660acf285
2fde1682e006e27b2deb49595ab3baf37a836577fbe9efdfae59d4b6b682d8b7
2374069183727dd5904a26027c80032f30dcff60d25019578876c0b37fa9c224
bd3030832602591f05fe01ef11feaa3b9fe776b2a184eb454f02cae3ab73340b
a0f15f4665835bb7f3b07d5e96d2b08af8e88614c9b22fc9fff86f4f60ee1a8e
c91dec1cd5b97079481c76d5d597dde67b60c301ea900eab7db99776d52b465a
SH256 hash:
ec6a72f15a507471cd5cf23558f77a093c50ed32fa0a39e49b7f1e57103ce3cd
MD5 hash:
da37b1a31bb57b342e25ed3789a450f4
SHA1 hash:
94da7151aced72e059ecec1aee66cac8bfcfd4d4
Link:
https://www.unpac.me/results/0a340331-9873-4779-9c71-34bc0c31f588/
SH256 hash:
e60dd66376613a74a1f5afcb522c236f44b36b9969235b3325803435d94fde91
MD5 hash:
4418cdc94caf6baee4590b4e7aebc26c
SHA1 hash:
be5d8d0ddf2192a5f8982833afe74f975994fa19
Link:
https://www.unpac.me/results/0a340331-9873-4779-9c71-34bc0c31f588/
SH256 hash:
fda6bae2c10220c03f96733597995ac2df05d3e231affb7b7821471a6e82d4e6
MD5 hash:
323d57c4f6f1b2563942ad97a5dccb9a
SHA1 hash:
7c90956b431696128e3c6ac64913512440331d90
Link:
https://www.unpac.me/results/0a340331-9873-4779-9c71-34bc0c31f588/
SH256 hash:
9017c1c25c9bd10c717dee0455dbbc7c46aa239ccff220552fbd62fcc27754f0
MD5 hash:
14a65ffab4001bab84c51042eadb2731
SHA1 hash:
6dac503dbed063e8849092eca7fe1729db2470b5
Link:
https://www.unpac.me/results/0a340331-9873-4779-9c71-34bc0c31f588/
SH256 hash:
24c0d847babfe0779ae2bd1bd2b57d983aae2d9ffc5f92be1cea9fc60b4c3b41
MD5 hash:
01cdc1228c379831326e86d5b10bf05d
SHA1 hash:
88adf0036ba6644796c7808f2a9b3e8c6e73c7ab
Link:
https://www.unpac.me/results/0a340331-9873-4779-9c71-34bc0c31f588/
SH256 hash:
a2dd880bb3ac938978af89836aa916dba06e9f97e15a27f85bc818fd777cd827
MD5 hash:
5460238d0d5fbcf013afd77d1410cfdd
SHA1 hash:
42dc839eb412b9ef359fd52dbec92a4655a712f0
Link:
https://www.unpac.me/results/0a340331-9873-4779-9c71-34bc0c31f588/
SH256 hash:
7ba745d20db94b41924bd88906cbc2e813c95c586232b5659ad0679a3cac2813
MD5 hash:
a5ede982bb74d31f5990bf77046bdd92
SHA1 hash:
c468057a1c7d45fcda77b3a2d73d66097cab3761
Link:
https://www.unpac.me/results/0a340331-9873-4779-9c71-34bc0c31f588/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/7ba745d20db94b41924bd88906cbc2e813c95c586232b5659ad0679a3cac2813

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Socelars

Executable exe 7ba745d20db94b41924bd88906cbc2e813c95c586232b5659ad0679a3cac2813

(this sample)

anyrun
any.run
https://app.any.run/tasks/6386231c-80d2-46e8-ab94-2af8dcc5b2bb
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/244596/

Comments