SYMBOLCOMMON_NAMEaka. SYNONYMS
win.socelars (Back to overview)

Socelars


Socelars is an infostealer with main focus on:
* Facebook Stealer (ads/manager)
* Cookie Stealer | AdsCreditCard {Amazon}

References
2022-09-15SekoiaThreat & Detection Research Team
@online{team:20220915:privateloader:d88c7b2, author = {Threat & Detection Research Team}, title = {{PrivateLoader: the loader of the prevalent ruzki PPI service}}, date = {2022-09-15}, organization = {Sekoia}, url = {https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/}, language = {English}, urldate = {2022-09-19} } PrivateLoader: the loader of the prevalent ruzki PPI service
Agent Tesla Coinminer DanaBot DCRat Eternity Stealer Glupteba Mars Stealer NetSupportManager RAT Nymaim Nymaim2 Phoenix Keylogger PrivateLoader Raccoon RedLine Stealer SmokeLoader Socelars STOP Vidar YTStealer
2021-09-27Trend MicroRyan Maglaque, Joelson Soares, Gilbert Sison, Arianne Dela Cruz, Warren Sto.Tomas
@online{maglaque:20210927:fake:e02e3a3, author = {Ryan Maglaque and Joelson Soares and Gilbert Sison and Arianne Dela Cruz and Warren Sto.Tomas}, title = {{Fake Installers Drop Malware and Open Doors for Opportunistic Attackers}}, date = {2021-09-27}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/21/i/fake-installers-drop-malware-and-open-doors-for-opportunistic-attackers.html}, language = {English}, urldate = {2021-10-05} } Fake Installers Drop Malware and Open Doors for Opportunistic Attackers
RedLine Stealer Socelars Vidar
2020-07-29ESET Researchwelivesecurity
@techreport{welivesecurity:20200729:threat:496355c, author = {welivesecurity}, title = {{THREAT REPORT Q2 2020}}, date = {2020-07-29}, institution = {ESET Research}, url = {https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf}, language = {English}, urldate = {2020-07-30} } THREAT REPORT Q2 2020
DEFENSOR ID HiddenAd Bundlore Pirrit Agent.BTZ Cerber ClipBanker CROSSWALK Cryptowall CTB Locker DanaBot Dharma Formbook Gandcrab Grandoreiro Houdini ISFB LockBit Locky Mailto Maze Microcin Nemty NjRAT Phobos PlugX Pony REvil Socelars STOP Tinba TrickBot WannaCryptor
2019-12-02Twitter (@VK_intel)Vitali Kremez
@online{kremez:20191202:socelars:8d5d01c, author = {Vitali Kremez}, title = {{Tweet on Socelars Stealer}}, date = {2019-12-02}, organization = {Twitter (@VK_intel)}, url = {https://twitter.com/VK_Intel/status/1201584107928653824}, language = {English}, urldate = {2020-01-17} } Tweet on Socelars Stealer
Socelars
2019-12-02Bleeping ComputerLawrence Abrams
@online{abrams:20191202:facebook:5630b4e, author = {Lawrence Abrams}, title = {{Facebook Ads Manager Targeted by New Info-Stealing Trojan}}, date = {2019-12-02}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/facebook-ads-manager-targeted-by-new-info-stealing-trojan/}, language = {English}, urldate = {2020-02-26} } Facebook Ads Manager Targeted by New Info-Stealing Trojan
Socelars
Yara Rules
[TLP:WHITE] win_socelars_auto (20220808 | Detects win.socelars.)
rule win_socelars_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-08-05"
        version = "1"
        description = "Detects win.socelars."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.socelars"
        malpedia_rule_date = "20220805"
        malpedia_hash = "6ec06c64bcfdbeda64eff021c766b4ce34542b71"
        malpedia_version = "20220808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { e8???????? 83c404 8985a0edffff 90 83bda0edffff00 740b 8b85a0edffff }
            // n = 7, score = 100
            //   e8????????           |                     
            //   83c404               | add                 esp, 4
            //   8985a0edffff         | mov                 dword ptr [ebp - 0x1260], eax
            //   90                   | nop                 
            //   83bda0edffff00       | cmp                 dword ptr [ebp - 0x1260], 0
            //   740b                 | je                  0xd
            //   8b85a0edffff         | mov                 eax, dword ptr [ebp - 0x1260]

        $sequence_1 = { 8944246c 50 e8???????? 8b4b14 83c404 837c245400 8b442414 }
            // n = 7, score = 100
            //   8944246c             | mov                 dword ptr [esp + 0x6c], eax
            //   50                   | push                eax
            //   e8????????           |                     
            //   8b4b14               | mov                 ecx, dword ptr [ebx + 0x14]
            //   83c404               | add                 esp, 4
            //   837c245400           | cmp                 dword ptr [esp + 0x54], 0
            //   8b442414             | mov                 eax, dword ptr [esp + 0x14]

        $sequence_2 = { c744245801000000 85c0 7e4e 85d2 754a 8b4c2420 f6411004 }
            // n = 7, score = 100
            //   c744245801000000     | mov                 dword ptr [esp + 0x58], 1
            //   85c0                 | test                eax, eax
            //   7e4e                 | jle                 0x50
            //   85d2                 | test                edx, edx
            //   754a                 | jne                 0x4c
            //   8b4c2420             | mov                 ecx, dword ptr [esp + 0x20]
            //   f6411004             | test                byte ptr [ecx + 0x10], 4

        $sequence_3 = { e8???????? 50 e8???????? 83c408 68???????? 8b4d08 83c118 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   50                   | push                eax
            //   e8????????           |                     
            //   83c408               | add                 esp, 8
            //   68????????           |                     
            //   8b4d08               | mov                 ecx, dword ptr [ebp + 8]
            //   83c118               | add                 ecx, 0x18

        $sequence_4 = { 90 0fb74f08 03da 8a03 88442423 f6c104 0f8408020000 }
            // n = 7, score = 100
            //   90                   | nop                 
            //   0fb74f08             | movzx               ecx, word ptr [edi + 8]
            //   03da                 | add                 ebx, edx
            //   8a03                 | mov                 al, byte ptr [ebx]
            //   88442423             | mov                 byte ptr [esp + 0x23], al
            //   f6c104               | test                cl, 4
            //   0f8408020000         | je                  0x20e

        $sequence_5 = { 895c2418 8944240c 81fb80000000 7309 8819 b801000000 eb10 }
            // n = 7, score = 100
            //   895c2418             | mov                 dword ptr [esp + 0x18], ebx
            //   8944240c             | mov                 dword ptr [esp + 0xc], eax
            //   81fb80000000         | cmp                 ebx, 0x80
            //   7309                 | jae                 0xb
            //   8819                 | mov                 byte ptr [ecx], bl
            //   b801000000           | mov                 eax, 1
            //   eb10                 | jmp                 0x12

        $sequence_6 = { e9???????? 8b4df4 e8???????? 8945f8 837df800 740b 8b4df4 }
            // n = 7, score = 100
            //   e9????????           |                     
            //   8b4df4               | mov                 ecx, dword ptr [ebp - 0xc]
            //   e8????????           |                     
            //   8945f8               | mov                 dword ptr [ebp - 8], eax
            //   837df800             | cmp                 dword ptr [ebp - 8], 0
            //   740b                 | je                  0xd
            //   8b4df4               | mov                 ecx, dword ptr [ebp - 0xc]

        $sequence_7 = { 8b9514feffff 3945a4 0f851b120000 8b8d04feffff 8b8508feffff 83c214 e9???????? }
            // n = 7, score = 100
            //   8b9514feffff         | mov                 edx, dword ptr [ebp - 0x1ec]
            //   3945a4               | cmp                 dword ptr [ebp - 0x5c], eax
            //   0f851b120000         | jne                 0x1221
            //   8b8d04feffff         | mov                 ecx, dword ptr [ebp - 0x1fc]
            //   8b8508feffff         | mov                 eax, dword ptr [ebp - 0x1f8]
            //   83c214               | add                 edx, 0x14
            //   e9????????           |                     

        $sequence_8 = { 897e40 894644 85d2 0f8520060000 8bbdd4fdffff e9???????? 8b4e28 }
            // n = 7, score = 100
            //   897e40               | mov                 dword ptr [esi + 0x40], edi
            //   894644               | mov                 dword ptr [esi + 0x44], eax
            //   85d2                 | test                edx, edx
            //   0f8520060000         | jne                 0x626
            //   8bbdd4fdffff         | mov                 edi, dword ptr [ebp - 0x22c]
            //   e9????????           |                     
            //   8b4e28               | mov                 ecx, dword ptr [esi + 0x28]

        $sequence_9 = { c1e304 03d9 894f10 895c2414 0f1103 8b4734 8b0f }
            // n = 7, score = 100
            //   c1e304               | shl                 ebx, 4
            //   03d9                 | add                 ebx, ecx
            //   894f10               | mov                 dword ptr [edi + 0x10], ecx
            //   895c2414             | mov                 dword ptr [esp + 0x14], ebx
            //   0f1103               | movups              xmmword ptr [ebx], xmm0
            //   8b4734               | mov                 eax, dword ptr [edi + 0x34]
            //   8b0f                 | mov                 ecx, dword ptr [edi]

    condition:
        7 of them and filesize < 2151424
}
Download all Yara Rules