MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 dca84ac7fbc6543a8ff0d1bca89362221b2eb91a3004c6feda2f1a50a85d19d0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Socelars


Vendor detections: 11

SHA256 hash: dca84ac7fbc6543a8ff0d1bca89362221b2eb91a3004c6feda2f1a50a85d19d0
SHA3-384 hash: cb93f62b1cba5fd1d9f93673a3061ccf7e17ab06c6ab0d0e5076e9b860978b43f32b7837054c11d80151b29212cefe0c
SHA1 hash: 7d0498ad287929a7ca0fd15ab22c6ac866997309
MD5 hash: 181257a9a48b6d3ba1b58ca7cd857916
humanhash: oxygen-jersey-nevada-march
File name: 181257a9a48b6d3ba1b58ca7cd857916
Signature: Socelars
File size: 19'437'568 bytes
First seen: 2022-03-28 19:43:27 UTC
Last seen: 2022-03-28 20:48:33 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'658 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep: 393216:qVu9Ff7LOAs4JvFdy3EUzhZYAlXsYKOqQO4t1:Q+f7L9JXsdZYAlXsNQp
Threatray: 10'697 similar samples on MalwareBazaar
TLSH: T1B417017721511CEC79768F1EFCB8E66BE905A96B5E10D85CC047C362AC91392CE2C1BE
Reporter: zbetcheckin
Tags: 32 exe Smoke Loader Socelars

Intelligence


File Origin
# of uploads: 2
# of downloads: 255
Origin country: n/a

Vendor Threat Intelligence

Result
Verdict: Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% directory
Creating synchronization primitives
Creating a process from a recently created file
Creating a window
Searching for analyzing tools
Searching for synchronization primitives
DNS request
Sending a custom TCP request
Creating a file
Sending an HTTP GET request
Creating a file in the %AppData% subdirectories
Launching a process
Running batch commands
Creating a process with a hidden window
Query of malicious DNS domain
Sending a TCP request to an infection source
Unauthorized injection to a recently created process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Launching a tool to kill processes
Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: anti-vm obfuscated packed
Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: Nitol Socelars
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to compare user and computer (likely to detect sandboxes)
Contains functionality to detect sleep reduction / modifications
Contains functionality to infect the boot sector
Contains functionality to inject code into remote processes
Contains functionality to inject threads in other processes
Creates a thread in another existing process (thread injection)
Creates HTML files with .exe extension (expired dropper behavior)
Creates processes via WMI
Detected VMProtect packer
Drops PE files to the document folder of the user
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
PE file has a writeable .text section
PE file has nameless sections
Query firmware table information (likely to detect VMs)
Sigma detected: File Created with System Process Name
Sigma detected: Suspicious Svchost Process
Sigma detected: System File Execution Location Anomaly
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Writes to foreign memory regions
Yara detected Nitol
Yara detected Socelars
Behaviour
Behavior Graph ID: 598667
Sample: ZrOWFDB56t
Start date: 28/03/2022
Architecture: WINDOWS
Score: 100

Sample (root node):
  Network: 104.208.16.94 (MICROSOFT-CORP-MSN-AS-BLOCKUS, United States); 20.189.173.20 (MICROSOFT-CORP-MSN-AS-BLOCKUS, United States); 10 other IPs or domains
  Signatures: Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; Antivirus detection for dropped file; 15 other signatures
  Processes started: ZrOWFDB56t.exe; rundll32.exe

ZrOWFDB56t.exe:
  Dropped: C:\Users\user\AppData\...\tvstream22.exe (PE32); C:\Users\user\AppData\Local\...\siww1049.exe (PE32+); C:\Users\user\AppData\Local\Temp\setup.exe (PE32); 14 other files (11 malicious)
  Processes started: TrdngAnlzr98262.exe; pub1.exe; note6060.exe; 3 other processes

rundll32.exe:
  Processes started: rundll32.exe (child), which carries 8 other signatures

TrdngAnlzr98262.exe:
  Network: 50.116.86.44 (UNIFIEDLAYER-AS-1US, United States); 8.8.8.8 (GOOGLEUS, United States); 5.101.153.227 (BEGET-ASRU, Russian Federation)
  Dropped: C:\Users\user\AppData\...behaviorgraphAIMDDJ503IALB8.exe (PE32+); C:\Users\user\AppData\Local\Temp\2A10G.exe (PE32); C:\Users\user\AppData\Local\Temp\0E340.exe (PE32)
  Signatures: Multi AV Scanner detection for dropped file; Creates HTML files with .exe extension (expired dropper behavior); 2 other signatures
  Processes started: 0E340.exe; 2A10G.exe; conhost.exe

pub1.exe:
  Signatures: Query firmware table information (likely to detect VMs); Tries to detect sandboxes and other dynamic analysis tools (window names); Machine Learning detection for dropped file; 4 other signatures
  Injected into: explorer.exe

note6060.exe:
  Network: 152.32.193.91 (UHGL-AS-APUCloudHKHoldingsGroupLimitedHK, Hong Kong)
  Dropped: C:\Users\user\Documents\...\note6060.exe (PE32)
  Signatures: Drops PE files to the document folder of the user; 2 other signatures

3 other processes (started by ZrOWFDB56t.exe):
  Dropped: C:\Users\user\AppData\Local\...\setup.tmp (PE32)
  Signatures: Antivirus detection for dropped file; Obfuscated command line found; Creates processes via WMI
  Processes started: hzhang.exe

0E340.exe:
  Network: 5.255.255.55 (YANDEXRU, Russian Federation)
  Dropped: C:\Users\user\AppData\Roaming\...\dllhost.exe (PE32)
  Signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Tries to detect sandboxes and other dynamic analysis tools (window names); Machine Learning detection for dropped file

2A10G.exe:
  Signatures: Tries to evade debugger and weak emulator (self modifying code); Hides threads from debuggers

hzhang.exe:
  Network: 172.67.188.70 (CLOUDFLARENETUS, United States)
  Dropped: C:\Users\user\AppData\Local\Temp\db.dll (PE32)
Threat name: ByteCode-MSIL.Backdoor.Mokes
Status: Malicious
First seen: 2022-03-28 18:38:26 UTC
File Type: PE (.Net Exe)
Extracted files: 18
AV detection: 27 of 42 (64.29%)
Threat level: 5/5

Result
Malware family:
Score: 10/10
Tags: family:smokeloader family:socelars family:xmrig backdoor discovery evasion miner persistence spyware stealer trojan upx vmprotect
Behaviour
Checks SCSI registry key(s)
Creates scheduled task(s)
Kills process with taskkill
Modifies Internet Explorer settings
Modifies registry class
Modifies system certificate store
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
NSIS installer
Enumerates physical storage devices
Program crash
Drops file in Program Files directory
Drops file in Windows directory
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Checks whether UAC is enabled
Legitimate hosting services abused for malware hosting/C2
Checks BIOS information in registry
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Executes dropped EXE
UPX packed file
VMProtect packed file
Identifies VirtualBox via ACPI registry values (likely anti-VM)
XMRig Miner Payload
Process spawned unexpected child process
SmokeLoader
Socelars
Socelars Payload
Suspicious use of NtCreateUserProcessOtherParentProcess
xmrig
Malware Config
C2 Extraction:
https://sa-us-bucket.s3.us-east-2.amazonaws.com/jhvre24/
http://moonlightly.xyz/
http://aerostraphen.xyz/
Unpacked files

SHA256 hash: c3694bc3c3264d8bfa8720a3a6c2e9d781f77f510452f605f8c0b4e034aceea0
MD5 hash: a8f66eaf4fd2a5923f20629d2493d914
SHA1 hash: 8c940fa19ca8c6f3eebbb5424b4f29834a71c9af

SHA256 hash: 0d8abb4e64d10c08d1accc745467a58c43fbcd330cf920232b08c2fce39868d7
MD5 hash: 453560a9d19ffdb437029a2c32036aa5
SHA1 hash: 39f44cf7644c54805004309839775b1290f96d59

SHA256 hash: 571e5b28b50ff2e98a7e60ccc1ad1231996bd3ce027056835fba745ee14f7690
MD5 hash: a6cca19b551b219c3ec54546c25acdde
SHA1 hash: 1e22342041b23f1d29afe204f15c12bdd4617f10

SHA256 hash: f2311ab3f65b7aa6ec4ec37be9836ebfe335e10e143d942aeeb8beda822dc686
MD5 hash: 47c3671caabeda36b0f5c0789b208804
SHA1 hash: 91e41135df007ff4b46535f38fbfb3739733842e

SHA256 hash: dca84ac7fbc6543a8ff0d1bca89362221b2eb91a3004c6feda2f1a50a85d19d0
MD5 hash: 181257a9a48b6d3ba1b58ca7cd857916
SHA1 hash: 7d0498ad287929a7ca0fd15ab22c6ac866997309

Malware family: SmokeLoader
Verdict: Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: MALWARE_Win_DLInjector04
Author: ditekSHen
Description: Detects downloader / injector

Rule name: msil_rc4

Rule name: pe_imphash

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download
Socelars | Executable exe | dca84ac7fbc6543a8ff0d1bca89362221b2eb91a3004c6feda2f1a50a85d19d0 (this sample)

Delivery method: Distributed via web download

Comments



zbet commented on 2022-03-28 19:43:36 UTC

url: hxxps://wetuspost.xyz/fixtool.exe