Socelars is an infostealer with main focus on:* Facebook Stealer (ads/manager)* Cookie Stealer | AdsCreditCard {Amazon}
rule win_socelars_auto { meta: author = "Felix Bilstein - yara-signator at cocacoding dot com" date = "2023-03-28" version = "1" description = "Detects win.socelars." info = "autogenerated rule brought to you by yara-signator" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.socelars" malpedia_rule_date = "20230328" malpedia_hash = "9d2d75cef573c1c2d861f5197df8f563b05a305d" malpedia_version = "20230407" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" /* DISCLAIMER * The strings used in this rule have been automatically selected from the * disassembly of memory dumps and unpacked files, using YARA-Signator. * The code and documentation is published here: * https://github.com/fxb-cocacoding/yara-signator * As Malpedia is used as data source, please note that for a given * number of families, only single samples are documented. * This likely impacts the degree of generalization these rules will offer. * Take the described generation method also into consideration when you * apply the rules in your use cases and assign them confidence levels. */ strings: $sequence_0 = { e8???????? 83c404 90 8b8d34ffffff 51 e8???????? 83c404 } // n = 7, score = 100 // e8???????? | // 83c404 | add esp, 4 // 90 | nop // 8b8d34ffffff | mov ecx, dword ptr [ebp - 0xcc] // 51 | push ecx // e8???????? | // 83c404 | add esp, 4 $sequence_1 = { f6462810 0f8592030000 50 ff761c 8b742444 ba0e000000 8bce } // n = 7, score = 100 // f6462810 | test byte ptr [esi + 0x28], 0x10 // 0f8592030000 | jne 0x398 // 50 | push eax // ff761c | push dword ptr [esi + 0x1c] // 8b742444 | mov esi, dword ptr [esp + 0x44] // ba0e000000 | mov edx, 0xe // 8bce | mov ecx, esi $sequence_2 = { f6458504 7451 8b9574ffffff 85d2 7443 8b8d70ffffff 85c9 } // n = 7, score = 100 // f6458504 | test byte ptr [ebp - 0x7b], 4 // 7451 | je 0x53 // 8b9574ffffff | mov edx, dword ptr [ebp - 0x8c] // 85d2 | test edx, edx // 7443 | je 0x45 // 8b8d70ffffff | mov ecx, dword ptr [ebp - 0x90] // 85c9 | test ecx, ecx $sequence_3 = { f20f100e eb2e f6c204 740f 8b5604 8b0e e8???????? } // n = 7, score = 100 // f20f100e | movsd xmm1, qword ptr [esi] // eb2e | jmp 0x30 // f6c204 | test dl, 4 // 740f | je 0x11 // 8b5604 | mov edx, dword ptr [esi + 4] // 8b0e | mov ecx, dword ptr [esi] // e8???????? | $sequence_4 = { b8???????? eb05 8b4758 03c1 895008 ff06 8b07 } // n = 7, score = 100 // b8???????? | // eb05 | jmp 7 // 8b4758 | mov eax, dword ptr [edi + 0x58] // 03c1 | add eax, ecx // 895008 | mov dword ptr [eax + 8], edx // ff06 | inc dword ptr [esi] // 8b07 | mov eax, dword ptr [edi] $sequence_5 = { f77940 8bd0 8b5df8 8b4dec 03da 8b55f4 895df8 } // n = 7, score = 100 // f77940 | idiv dword ptr [ecx + 0x40] // 8bd0 | mov edx, eax // 8b5df8 | mov ebx, dword ptr [ebp - 8] // 8b4dec | mov ecx, dword ptr [ebp - 0x14] // 03da | add ebx, edx // 8b55f4 | mov edx, dword ptr [ebp - 0xc] // 895df8 | mov dword ptr [ebp - 8], ebx $sequence_6 = { 8b4c242c 83f940 744a 6a00 ff742414 83f921 ba???????? } // n = 7, score = 100 // 8b4c242c | mov ecx, dword ptr [esp + 0x2c] // 83f940 | cmp ecx, 0x40 // 744a | je 0x4c // 6a00 | push 0 // ff742414 | push dword ptr [esp + 0x14] // 83f921 | cmp ecx, 0x21 // ba???????? | $sequence_7 = { 8b4740 0b4744 ebd2 8b97c4000000 85d2 742a 8b4204 } // n = 7, score = 100 // 8b4740 | mov eax, dword ptr [edi + 0x40] // 0b4744 | or eax, dword ptr [edi + 0x44] // ebd2 | jmp 0xffffffd4 // 8b97c4000000 | mov edx, dword ptr [edi + 0xc4] // 85d2 | test edx, edx // 742a | je 0x2c // 8b4204 | mov eax, dword ptr [edx + 4] $sequence_8 = { ff74241c e8???????? 83c40c 8903 8b4630 85c0 7409 } // n = 7, score = 100 // ff74241c | push dword ptr [esp + 0x1c] // e8???????? | // 83c40c | add esp, 0xc // 8903 | mov dword ptr [ebx], eax // 8b4630 | mov eax, dword ptr [esi + 0x30] // 85c0 | test eax, eax // 7409 | je 0xb $sequence_9 = { 894df8 8b402c 0fb74006 8d148514000000 8d04c9 8955f4 8d04c588000000 } // n = 7, score = 100 // 894df8 | mov dword ptr [ebp - 8], ecx // 8b402c | mov eax, dword ptr [eax + 0x2c] // 0fb74006 | movzx eax, word ptr [eax + 6] // 8d148514000000 | lea edx, [eax*4 + 0x14] // 8d04c9 | lea eax, [ecx + ecx*8] // 8955f4 | mov dword ptr [ebp - 0xc], edx // 8d04c588000000 | lea eax, [eax*8 + 0x88] condition: 7 of them and filesize < 2151424 }
If your designated proposal does not fit in any other category, feel free to write a free-text in the comment field below.
Please propose all changes regarding references on the Malpedia library page
Your suggestion will be reviewed before being published. Thank you for contributing!
YYYY-MM-DD
YYYY-MM
YYYY