SYMBOLCOMMON_NAMEaka. SYNONYMS
win.socelars (Back to overview)

Socelars

Socelars is an infostealer with main focus on:
* Facebook Stealer (ads/manager)
* Cookie Stealer | AdsCreditCard {Amazon}

References
2020-07-29ESET Researchwelivesecurity
@techreport{welivesecurity:20200729:threat:496355c, author = {welivesecurity}, title = {{THREAT REPORT Q2 2020}}, date = {2020-07-29}, institution = {ESET Research}, url = {https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf}, language = {English}, urldate = {2020-07-30} } THREAT REPORT Q2 2020
DEFENSOR ID HiddenAd Bundlore Pirrit Agent.BTZ Cerber ClipBanker CROSSWALK Cryptowall CTB Locker DanaBot Dharma Formbook Gandcrab Grandoreiro Houdini ISFB LockBit Locky Mailto Maze Microcin Nemty NjRAT Phobos Ransomware PlugX Pony REvil Socelars STOP Ransomware Tinba TrickBot WannaCryptor
2019-12-02Bleeping ComputerLawrence Abrams
@online{abrams:20191202:facebook:5630b4e, author = {Lawrence Abrams}, title = {{Facebook Ads Manager Targeted by New Info-Stealing Trojan}}, date = {2019-12-02}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/facebook-ads-manager-targeted-by-new-info-stealing-trojan/}, language = {English}, urldate = {2020-02-26} } Facebook Ads Manager Targeted by New Info-Stealing Trojan
Socelars
2019-12-02Twitter (@VK_intel)Vitali Kremez
@online{kremez:20191202:socelars:8d5d01c, author = {Vitali Kremez}, title = {{Tweet on Socelars Stealer}}, date = {2019-12-02}, organization = {Twitter (@VK_intel)}, url = {https://twitter.com/VK_Intel/status/1201584107928653824}, language = {English}, urldate = {2020-01-17} } Tweet on Socelars Stealer
Socelars
Yara Rules
[TLP:WHITE] win_socelars_auto (20201014 | autogenerated rule brought to you by yara-signator)
rule win_socelars_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-10-14"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.5.0"
        tool_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.socelars"
        malpedia_rule_date = "20201014"
        malpedia_hash = "a7e3bd57eaf12bf3ea29a863c041091ba3af9ac9"
        malpedia_version = "20201014"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 8b56fc 33c9 8b5ffc 85d2 0f94c1 33c0 85db }
            // n = 7, score = 100
            //   8b56fc               | mov                 edx, dword ptr [esi - 4]
            //   33c9                 | xor                 ecx, ecx
            //   8b5ffc               | mov                 ebx, dword ptr [edi - 4]
            //   85d2                 | test                edx, edx
            //   0f94c1               | sete                cl
            //   33c0                 | xor                 eax, eax
            //   85db                 | test                ebx, ebx

        $sequence_1 = { 89548808 c744880c00000000 c744881000000000 85d2 7441 8a4713 8844244f }
            // n = 7, score = 100
            //   89548808             | mov                 dword ptr [eax + ecx*4 + 8], edx
            //   c744880c00000000     | mov                 dword ptr [eax + ecx*4 + 0xc], 0
            //   c744881000000000     | mov                 dword ptr [eax + ecx*4 + 0x10], 0
            //   85d2                 | test                edx, edx
            //   7441                 | je                  0x43
            //   8a4713               | mov                 al, byte ptr [edi + 0x13]
            //   8844244f             | mov                 byte ptr [esp + 0x4f], al

        $sequence_2 = { eb09 51 e8???????? 83c404 837c242800 0f8580e9ffff 8b54241c }
            // n = 7, score = 100
            //   eb09                 | jmp                 0xb
            //   51                   | push                ecx
            //   e8????????           |                     
            //   83c404               | add                 esp, 4
            //   837c242800           | cmp                 dword ptr [esp + 0x28], 0
            //   0f8580e9ffff         | jne                 0xffffe986
            //   8b54241c             | mov                 edx, dword ptr [esp + 0x1c]

        $sequence_3 = { c1e903 8b55f4 0fb6040a 8b4dfc 83e107 ba01000000 d3e2 }
            // n = 7, score = 100
            //   c1e903               | shr                 ecx, 3
            //   8b55f4               | mov                 edx, dword ptr [ebp - 0xc]
            //   0fb6040a             | movzx               eax, byte ptr [edx + ecx]
            //   8b4dfc               | mov                 ecx, dword ptr [ebp - 4]
            //   83e107               | and                 ecx, 7
            //   ba01000000           | mov                 edx, 1
            //   d3e2                 | shl                 edx, cl

        $sequence_4 = { 8a44242b 3c09 7414 3c07 7410 8b4c2410 8b4178 }
            // n = 7, score = 100
            //   8a44242b             | mov                 al, byte ptr [esp + 0x2b]
            //   3c09                 | cmp                 al, 9
            //   7414                 | je                  0x16
            //   3c07                 | cmp                 al, 7
            //   7410                 | je                  0x12
            //   8b4c2410             | mov                 ecx, dword ptr [esp + 0x10]
            //   8b4178               | mov                 eax, dword ptr [ecx + 0x78]

        $sequence_5 = { 8d459c c7459c01000000 894580 8bd3 668b4508 8975b4 c745d4ffffffff }
            // n = 7, score = 100
            //   8d459c               | lea                 eax, [ebp - 0x64]
            //   c7459c01000000       | mov                 dword ptr [ebp - 0x64], 1
            //   894580               | mov                 dword ptr [ebp - 0x80], eax
            //   8bd3                 | mov                 edx, ebx
            //   668b4508             | mov                 ax, word ptr [ebp + 8]
            //   8975b4               | mov                 dword ptr [ebp - 0x4c], esi
            //   c745d4ffffffff       | mov                 dword ptr [ebp - 0x2c], 0xffffffff

        $sequence_6 = { 8b44241c 8d048504000000 2bc8 8b8788000000 8901 5f 5e }
            // n = 7, score = 100
            //   8b44241c             | mov                 eax, dword ptr [esp + 0x1c]
            //   8d048504000000       | lea                 eax, [eax*4 + 4]
            //   2bc8                 | sub                 ecx, eax
            //   8b8788000000         | mov                 eax, dword ptr [edi + 0x88]
            //   8901                 | mov                 dword ptr [ecx], eax
            //   5f                   | pop                 edi
            //   5e                   | pop                 esi

        $sequence_7 = { b8???????? b9???????? 0f45c1 8987c8000000 8b45fc 85db 0f8469ffffff }
            // n = 7, score = 100
            //   b8????????           |                     
            //   b9????????           |                     
            //   0f45c1               | cmovne              eax, ecx
            //   8987c8000000         | mov                 dword ptr [edi + 0xc8], eax
            //   8b45fc               | mov                 eax, dword ptr [ebp - 4]
            //   85db                 | test                ebx, ebx
            //   0f8469ffffff         | je                  0xffffff6f

        $sequence_8 = { 8944242c 8b4204 8b00 89442418 85c9 7438 807e1402 }
            // n = 7, score = 100
            //   8944242c             | mov                 dword ptr [esp + 0x2c], eax
            //   8b4204               | mov                 eax, dword ptr [edx + 4]
            //   8b00                 | mov                 eax, dword ptr [eax]
            //   89442418             | mov                 dword ptr [esp + 0x18], eax
            //   85c9                 | test                ecx, ecx
            //   7438                 | je                  0x3a
            //   807e1402             | cmp                 byte ptr [esi + 0x14], 2

        $sequence_9 = { 8b0e ff7608 52 8bd7 e8???????? 83c40c 85c0 }
            // n = 7, score = 100
            //   8b0e                 | mov                 ecx, dword ptr [esi]
            //   ff7608               | push                dword ptr [esi + 8]
            //   52                   | push                edx
            //   8bd7                 | mov                 edx, edi
            //   e8????????           |                     
            //   83c40c               | add                 esp, 0xc
            //   85c0                 | test                eax, eax

    condition:
        7 of them and filesize < 2151424
}
Download all Yara Rules