MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c4b4f4378e2335ab4aee6d5907aeff9b3d8678bd218acdfaed5fd3a969ca8bd0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Socelars


Vendor detections: 12


Intelligence 12 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c4b4f4378e2335ab4aee6d5907aeff9b3d8678bd218acdfaed5fd3a969ca8bd0
SHA3-384 hash: 83d560f15e30a7aa65e84b75f33bd9661d33fc4b47b45b3b1d9f48ab1d86000778960f2c9dfe105345fbf919d1e795df
SHA1 hash: f5d018049020d86a19a3d909d3d3abbd576ec080
MD5 hash: 3794abecb036d5e4da931ca90efd707c
humanhash: magnesium-high-twelve-december
File name:3794abecb036d5e4da931ca90efd707c.exe
Download: download sample
Signature Socelars
Create hunting rule
File size:165'376 bytes
First seen:2022-01-17 09:35:47 UTC
Last seen:2022-01-23 17:18:27 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 1a7ba06c87bade3693958d0e4d963b91 (1 x Socelars, 1 x GCleaner, 1 x DanaBot)
ssdeep 3072:J7YjURjAKoXGLjU73x6aYqjJOOhF7h16L+bDsJuvAh1WKP+so9kcYo7ZF:tYjs7WGLI78aY6vhl6LA4JuvAhzFcD
Threatray 1'711 similar samples on MalwareBazaar
TLSH T1E7F37D197AD0D0B2D672153138E0DBB1953DFD304B6059AB77422B3E6F302E25E65F2A
File icon (PE):PE icon
dhash icon 92aae8c8e8f2b29a (3 x RedLineStealer, 2 x GCleaner, 2 x PrivateLoader)
Reporter abuse_ch
Tags:exe Socelars

Intelligence

File Origin
# of uploads :
3
# of downloads :
180
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
3794abecb036d5e4da931ca90efd707c.exe
Verdict:
No threats detected
Analysis date:
2022-01-17 09:40:26 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/3409e00c-69eb-4814-a0f1-b6f749a0e8bc

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/219787/
Detection(s):
SecuriteInfo.com.Variant.Ser.Strictor.1558.6601.2491.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
DNS request
Sending an HTTP GET request to an infection source
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/4441/overview
Behaviour
MalwareBazaar
MeasuringTime
EvasionQueryPerformanceCounter
CheckCmdLine
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware
Link:
https://www.filescan.io/uploads/61e538880f8c757253c3d18f/reports/064c5747-63bd-452f-ae7c-d2c90e889a04/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Pioneer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/5602a816-c596-4ceb-997e-500b0da5b532
Result
Threat name:
Cookie Stealer SmartSearch Installer Smo
Create hunting rule
Detection:
malicious
Classification:
rans.phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/921714
Signature
.NET source code contains method to dynamically call methods (often used by packers)
Antivirus detection for dropped file
Antivirus detection for URL or domain
Benign windows process drops PE files
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Creates HTML files with .exe extension (expired dropper behavior)
Creates processes via WMI
Detected unpacking (changes PE section rights)
Detected unpacking (creates a PE file in dynamic memory)
Detected unpacking (overwrites its own PE header)
Disable Windows Defender real time protection (registry)
Downloads files with wrong headers with respect to MIME Content-Type
Found C&C like URL pattern
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Maps a DLL or memory area into another process
May check the online IP address of the machine
Modifies Chrome's extension installation force list
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
Sigma detected: Suspicious Svchost Process
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Yara detected Cookie Stealer
Yara detected onlyLogger
Yara detected SmartSearch nstaller
Yara detected SmokeLoader
Yara detected Socelars
Yara detected WebBrowserPassView password recovery tool
Yara Genericmalware
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 554194 Sample: 9jAcMcVUHI.exe Startdate: 17/01/2022 Architecture: WINDOWS Score: 100 93 37.230.138.66 ROCKETTELECOM-ASRU Russian Federation 2->93 95 163.172.208.8 OnlineSASFR United Kingdom 2->95 97 5 other IPs or domains 2->97 119 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->119 121 Multi AV Scanner detection for domain / URL 2->121 123 Antivirus detection for URL or domain 2->123 125 22 other signatures 2->125 8 9jAcMcVUHI.exe 4 41 2->8         started        signatures3 process4 dnsIp5 99 212.193.30.45, 49759, 80 SPD-NETTR Russian Federation 8->99 101 2.56.59.42, 49760, 49767, 49796 GBTCLOUDUS Netherlands 8->101 103 16 other IPs or domains 8->103 55 C:\Users\...\zuz8ZwfZieAjD1vAjVYiQr6h.exe, PE32 8->55 dropped 57 C:\Users\...\vO6wSIVAjtvnAuE5saNpV_J3.exe, PE32+ 8->57 dropped 59 C:\Users\...\ZtLYwDM0raxPXPYj2jCi8IBZ.exe, PE32 8->59 dropped 61 16 other files (12 malicious) 8->61 dropped 127 Detected unpacking (creates a PE file in dynamic memory) 8->127 129 May check the online IP address of the machine 8->129 131 Creates HTML files with .exe extension (expired dropper behavior) 8->131 133 Disable Windows Defender real time protection (registry) 8->133 13 DOZRslJnPmbrokvHvYHvZ8z0.exe 8->13         started        16 mtef9D4uLwq3r9yB9wBJCGY_.exe 26 8->16         started        20 vO6wSIVAjtvnAuE5saNpV_J3.exe 1 1 8->20         started        22 8 other processes 8->22 file6 signatures7 process8 dnsIp9 147 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 13->147 149 Maps a DLL or memory area into another process 13->149 151 Checks if the current machine is a virtual machine (disk enumeration) 13->151 153 Creates a thread in another existing process (thread injection) 13->153 24 explorer.exe 13->24 injected 79 194.135.33.149 ASBAXETNRU Russian Federation 16->79 81 37.220.10.229 IOMART-ASGB United Kingdom 16->81 83 47.88.26.184 CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC United States 16->83 39 C:\Users\user\AppData\...\58698249415.exe, PE32 16->39 dropped 41 C:\Users\user\AppData\...\24819060103.exe, PE32 16->41 dropped 43 C:\Users\user\AppData\Local\...\empty[1], PE32 16->43 dropped 53 3 other files (2 malicious) 16->53 dropped 85 ip-api.com 208.95.112.1, 49793, 80 TUT-ASUS United States 20->85 87 www.hhiuew33.com 45.136.151.102, 49809, 80 ENZUINC-US Latvia 20->87 45 C:\Users\user\AppData\Local\Temp\11111.exe, PE32 20->45 dropped 29 11111.exe 20->29         started        89 iplogger.org 148.251.234.83, 443, 49794 HETZNER-ASDE Germany 22->89 91 www.listincode.com 149.28.253.196, 443, 49792 AS-CHOOPAUS United States 22->91 47 C:\Users\...\pidHTSIGEi8DrAmaYu9K8ghN89.dll, PE32+ 22->47 dropped 49 C:\Users\...\ZtLYwDM0raxPXPYj2jCi8IBZ.tmp, PE32 22->49 dropped 51 C:\Users\user\AppData\Local\Temp\SutZB.cpl, PE32 22->51 dropped 155 Obfuscated command line found 22->155 157 Injects a PE file into a foreign processes 22->157 31 Rh3_tQioVomqI0zjCNkrn7_D.exe 22->31         started        33 9xDshPBA1mysBGe0bbamiAXL.exe 22->33         started        35 ZtLYwDM0raxPXPYj2jCi8IBZ.tmp 22->35         started        37 3 other processes 22->37 file10 signatures11 process12 dnsIp13 105 45.11.186.24 ASLINE-AS-APASLINELIMITEDHK Turkey 24->105 107 187.190.48.60 TOTALPLAYTELECOMUNICACIONESSADECVMX Mexico 24->107 117 5 other IPs or domains 24->117 63 C:\Users\user\AppData\Roaming\cdhswcv, PE32 24->63 dropped 65 C:\Users\user\AppData\Local\Temp\8CCE.exe, PE32 24->65 dropped 67 C:\Users\user\AppData\Local\Temp\315E.exe, PE32 24->67 dropped 135 System process connects to network (likely due to code injection or exploit) 24->135 137 Benign windows process drops PE files 24->137 139 Hides that the sample has been downloaded from the Internet (zone.identifier) 24->139 141 Machine Learning detection for dropped file 29->141 143 Tries to harvest and steal browser information (history, passwords, etc) 29->143 145 Modifies Chrome's extension installation force list 31->145 109 s3.pl-waw.scw.cloud 151.115.10.1, 49798, 80 OnlineSASFR United Kingdom 35->109 111 onepiece.s3.pl-waw.scw.cloud 35->111 69 C:\Users\user\...\________djskjT76(((.exe, PE32 35->69 dropped 71 C:\Users\user\AppData\Local\Temp\...\idp.dll, PE32 35->71 dropped 73 C:\Users\user\AppData\Local\...\_shfoldr.dll, PE32 35->73 dropped 75 C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+ 35->75 dropped 113 gp.gamebuy768.com 104.21.27.252, 443, 49795 CLOUDFLARENETUS United States 37->113 115 172.67.143.210, 443, 49799 CLOUDFLARENETUS United States 37->115 77 C:\Users\user\AppData\Local\Temp\sqlite.dll, PE32 37->77 dropped file14 signatures15
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c4b4f4378e2335ab4aee6d5907aeff9b3d8678bd218acdfaed5fd3a969ca8bd0/
Threat name:
Win32.Backdoor.Zapchast
Create hunting rule
Status:
Malicious
First seen:
2022-01-17 08:28:09 UTC
File Type:
PE (Exe)
Extracted files:
3
AV detection:
16 of 28 (57.14%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ys2pin4oem22wsxonvmqplx7tm6ym6f5egfm36xnl7j2s2okrpia._file
Verdict:
malicious
Similar samples:
03430361a6d2fe6c89d6b237ca9b887cc6269187b305afc9ef3d8642533698c4
Socelars
0ca57f85e88001edd67dff84428375de282f0f92e5bef2daed1c03ad2fa7612e
Socelars
2988763ce776fb8a9c79a2565384a30744cccd114cde7ee49b71965396f41bc7
Socelars
3a6ca6a75525505890dc5d13ab3d888135b1cb4922605be0ee447579305b5e4b
Socelars
3fdf21f7ad2430c552a8dc34c6fbaf82d95a0f44b9a7bd514d89ad3d074d345f
Socelars
6e52d162baf265e070ec1a3147ad651d8bd8481d96b33cee1b89d84e9c92c5f3
Socelars
b1516cc28d0e6e3f77a8eadd2a7fda7daf746e0a7b27088e016519baf8de0338
Socelars
b2e7eea64a4e8e56b43cf70b5b383ce06b0d43757d143a95b31ea9c8db6ac5a2
Socelars
e0a33241f5c4ac8f304af0387ddc54da264c0a5101c822d0fc71b10af947b391
Socelars
+ 1'701 additional samples on MalwareBazaar
Result
Malware family:
socelars
Create hunting rule
Score:
  10/10
Tags:
family:smokeloader family:socelars backdoor evasion spyware stealer suricata trojan upx
Link:
https://tria.ge/reports/220117-lkxn4shedk/
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Enumerates system info in registry
Kills process with taskkill
Modifies registry class
Modifies system certificate store
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Looks up geolocation information via web service
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Executes dropped EXE
UPX packed file
Modifies Windows Defender Real-time Protection settings
Process spawned unexpected child process
SmokeLoader
Socelars
Socelars Payload
Suspicious use of NtCreateProcessExOtherParentProcess
suricata: ET MALWARE GCleaner Downloader Activity M5
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin
Malware Config
C2 Extraction:
http://www.kvubgc.com/
http://nahbleiben.at/upload/
http://noblecreativeaz.com/upload/
http://tvqaq.cn/upload/
http://recmaster.ru/upload/
http://sovels.ru/upload/
Unpacked files
SH256 hash:
c4b4f4378e2335ab4aee6d5907aeff9b3d8678bd218acdfaed5fd3a969ca8bd0
MD5 hash:
3794abecb036d5e4da931ca90efd707c
SHA1 hash:
f5d018049020d86a19a3d909d3d3abbd576ec080
Link:
https://www.unpac.me/results/28ef38aa-897c-4edd-b47e-0b85d96fc3ec/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/c4b4f4378e23/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c4b4f4378e2335ab4aee6d5907aeff9b3d8678bd218acdfaed5fd3a969ca8bd0

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Socelars

Executable exe c4b4f4378e2335ab4aee6d5907aeff9b3d8678bd218acdfaed5fd3a969ca8bd0

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1799095/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/219787/
  
URLhaus
https://urlhaus.abuse.ch/url/1983335/

Comments