MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ad4fe1e40d5bd2e9881400aaaf00b43abdfcfcab35587923bd92067fa34d2059. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Socelars


Vendor detections: 13



SHA256 hash: ad4fe1e40d5bd2e9881400aaaf00b43abdfcfcab35587923bd92067fa34d2059
SHA3-384 hash: e1f17d8afed008351394c38e2faeabd014c977913d4a855ba3aecff1bba09ea92a779afbf603e5d4da80891b6700b09d
SHA1 hash: 58da30ee843e7d5f51bdacca1ea495b84a7678fd
MD5 hash: 8786b658cc8531383511362b788f8f1c
humanhash: mike-blossom-carolina-september
File name: file
Signature: Socelars
File size: 406'092 bytes
First seen: 2023-03-07 15:02:25 UTC
Last seen: 2023-03-07 18:01:04 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 884310b1928934402ea6fec1dbd3cf5e (3'725 x GCleaner, 3'511 x Socks5Systemz, 262 x RaccoonStealer)
ssdeep: 12288:iQi3Qa6m6URA3PhNOZm2K7YOY5p2tpNnnTIg:iQiA5hhVFf4y3Tp
Threatray: 197 similar samples on MalwareBazaar
TLSH: T1DD842286E69A4479C070BF752E69CA128F373E281D767441B2BC9D5E5F3B180C50B3AB
TrID: 75.1% (.EXE) Inno Setup installer (109740/4/30)
      9.7% (.EXE) Win32 Executable Delphi generic (14182/79/4)
      4.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      3.0% (.EXE) Win32 Executable (generic) (4505/5/1)
      2.0% (.MZP) WinArchiver Mountable compressed Archive (3000/1)
dhash icon: c366a6c0e9eccec6 (1 x Socelars)
Reporter: andretavare5
Tags: exe Socelars


andretavare5
Sample downloaded from https://s3.eu-west-2.wasabisys.com/theflabsspace/Flabs1.exe

Intelligence


File Origin
# of uploads: 2
# of downloads: 226
Origin country: n/a
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: file
Verdict: Malicious activity
Analysis date: 2023-03-07 15:03:08 UTC
Tags: installer evasion loader stealer

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% subdirectories
Creating a window
Creating a process from a recently created file
Creating synchronization primitives
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Creating a process with a hidden window
Connecting to a non-recommended domain
Sending an HTTP POST request
Creating a file in the Program Files subdirectories
Creating a file
Searching for synchronization primitives
Adding an access-denied ACE
Launching a process
Searching for the browser window
Using the Windows Management Instrumentation requests
Launching cmd.exe command interpreter
Launching the default Windows debugger (dwwin.exe)
Unauthorized injection to a recently created process
Query of malicious DNS domain
Sending a TCP request to an infection source
Setting a single autorun event
Sending an HTTP GET request to an infection source
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: greyware installer overlay packed shell32.dll
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Fabookie, Nymaim, Socelars
Detection: malicious
Classification: troj.spyw.expl.evad
Score: 100 / 100
Signature
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Creates processes via WMI
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Detected VMProtect packer
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
Sets debug register (to hijack the execution of another thread)
Sigma detected: Powershell Download and Execute IEX
Snort IDS alert for network traffic
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Yara detected Fabookie
Yara detected Generic Downloader
Yara detected Nymaim
Yara detected Socelars
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph: ID 821556, Sample: file.exe, Startdate: 07/03/2023, Architecture: WINDOWS, Score: 100
Threat name: Win32.Trojan.GCleaner
Status: Malicious
First seen: 2023-03-02 12:49:43 UTC
File Type: PE (Exe)
Extracted files: 5
AV detection: 17 of 25 (68.00%)
Threat level: 5/5
Result
Malware family: socelars
Score: 10/10
Tags: family:ffdroider family:gcleaner family:pseudomanuscrypt family:socelars evasion loader persistence spyware stealer vmprotect
Behaviour
Checks processor information in registry
Enumerates system info in registry
Kills process with taskkill
Modifies Internet Explorer settings
Modifies data under HKEY_USERS
Modifies registry class
Modifies system certificate store
Runs ping.exe
Script User-Agent
Suspicious behavior: CmdExeWriteProcessMemorySpam
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Program Files directory
Suspicious use of SetThreadContext
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Unexpected DNS network traffic destination
VMProtect packed file
Blocklisted process makes network request
Downloads MZ/PE file
Drops file in Drivers directory
Checks for common network interception software
Detects PseudoManuscrypt payload
FFDroider
GCleaner
Process spawned unexpected child process
PseudoManuscrypt
Socelars
Socelars payload
Suspicious use of NtCreateUserProcessOtherParentProcess
Malware Config
C2 Extraction:
45.12.253.56
45.12.253.72
45.12.253.98
45.12.253.75
https://hdbywe.s3.us-west-2.amazonaws.com/sadef33/
Dropper Extraction:
https://www.imagn.world/storage/debug2.ps1
Unpacked files
SHA256 hash: e427f8ef21691e3d8c2313d11129ad08ddef69a158eca2f77c170603478ff0c4
MD5 hash: 0dedd909aae9aa0a89b4422106310e9e
SHA1 hash: 271d36afa5b729ee590cf8066166ca5e9c9d0340

SHA256 hash: 0e0ae679e4cee239b691cc5d8d839ebf38d5b87e1f936952b0f8ded33c2a591c
MD5 hash: 46eb2f96e010050b50e1972fd8280f2f
SHA1 hash: 9ce92cd098df59542352b3d68a62f92de1ce7fa9

SHA256 hash: ad4fe1e40d5bd2e9881400aaaf00b43abdfcfcab35587923bd92067fa34d2059
MD5 hash: 8786b658cc8531383511362b788f8f1c
SHA1 hash: 58da30ee843e7d5f51bdacca1ea495b84a7678fd
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These rules are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: shellcode
Author: nex
Description: Matched shellcode byte patterns

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Dropped by: PrivateLoader
Delivery method: Distributed via drive-by

Comments