SYMBOLCOMMON_NAMEaka. SYNONYMS
win.socelars (Back to overview)

Socelars


Socelars is an infostealer with main focus on:
* Facebook Stealer (ads/manager)
* Cookie Stealer | AdsCreditCard {Amazon}

References
2020-07-29ESET Researchwelivesecurity
@techreport{welivesecurity:20200729:threat:496355c, author = {welivesecurity}, title = {{THREAT REPORT Q2 2020}}, date = {2020-07-29}, institution = {ESET Research}, url = {https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf}, language = {English}, urldate = {2020-07-30} } THREAT REPORT Q2 2020
DEFENSOR ID HiddenAd Bundlore Pirrit Agent.BTZ Cerber ClipBanker CROSSWALK Cryptowall CTB Locker DanaBot Dharma Formbook Gandcrab Grandoreiro Houdini ISFB LockBit Locky Mailto Maze Microcin Nemty NjRAT Phobos PlugX Pony REvil Socelars STOP Tinba TrickBot WannaCryptor
2019-12-02Bleeping ComputerLawrence Abrams
@online{abrams:20191202:facebook:5630b4e, author = {Lawrence Abrams}, title = {{Facebook Ads Manager Targeted by New Info-Stealing Trojan}}, date = {2019-12-02}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/facebook-ads-manager-targeted-by-new-info-stealing-trojan/}, language = {English}, urldate = {2020-02-26} } Facebook Ads Manager Targeted by New Info-Stealing Trojan
Socelars
2019-12-02Twitter (@VK_intel)Vitali Kremez
@online{kremez:20191202:socelars:8d5d01c, author = {Vitali Kremez}, title = {{Tweet on Socelars Stealer}}, date = {2019-12-02}, organization = {Twitter (@VK_intel)}, url = {https://twitter.com/VK_Intel/status/1201584107928653824}, language = {English}, urldate = {2020-01-17} } Tweet on Socelars Stealer
Socelars
Yara Rules
[TLP:WHITE] win_socelars_auto (20210616 | Detects win.socelars.)
rule win_socelars_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2021-06-10"
        version = "1"
        description = "Detects win.socelars."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.socelars"
        malpedia_rule_date = "20210604"
        malpedia_hash = "be09d5d71e77373c0f538068be31a2ad4c69cfbd"
        malpedia_version = "20210616"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 8975f8 03c8 8945f4 8b4370 894dfc 8b1406 85d2 }
            // n = 7, score = 100
            //   8975f8               | mov                 dword ptr [ebp - 8], esi
            //   03c8                 | add                 ecx, eax
            //   8945f4               | mov                 dword ptr [ebp - 0xc], eax
            //   8b4370               | mov                 eax, dword ptr [ebx + 0x70]
            //   894dfc               | mov                 dword ptr [ebp - 4], ecx
            //   8b1406               | mov                 edx, dword ptr [esi + eax]
            //   85d2                 | test                edx, edx

        $sequence_1 = { c7427880969800 8b45fc c7407ce8030000 8b4dfc c6416400 8b55fc 8b4258 }
            // n = 7, score = 100
            //   c7427880969800       | mov                 dword ptr [edx + 0x78], 0x989680
            //   8b45fc               | mov                 eax, dword ptr [ebp - 4]
            //   c7407ce8030000       | mov                 dword ptr [eax + 0x7c], 0x3e8
            //   8b4dfc               | mov                 ecx, dword ptr [ebp - 4]
            //   c6416400             | mov                 byte ptr [ecx + 0x64], 0
            //   8b55fc               | mov                 edx, dword ptr [ebp - 4]
            //   8b4258               | mov                 eax, dword ptr [edx + 0x58]

        $sequence_2 = { c7470401000000 6a00 51 c70701000000 e8???????? 8b4c2444 83c40c }
            // n = 7, score = 100
            //   c7470401000000       | mov                 dword ptr [edi + 4], 1
            //   6a00                 | push                0
            //   51                   | push                ecx
            //   c70701000000         | mov                 dword ptr [edi], 1
            //   e8????????           |                     
            //   8b4c2444             | mov                 ecx, dword ptr [esp + 0x44]
            //   83c40c               | add                 esp, 0xc

        $sequence_3 = { ffd0 83c410 8b9514feffff 8b4204 3b05???????? 7c37 ba01000000 }
            // n = 7, score = 100
            //   ffd0                 | call                eax
            //   83c410               | add                 esp, 0x10
            //   8b9514feffff         | mov                 edx, dword ptr [ebp - 0x1ec]
            //   8b4204               | mov                 eax, dword ptr [edx + 4]
            //   3b05????????         |                     
            //   7c37                 | jl                  0x39
            //   ba01000000           | mov                 edx, 1

        $sequence_4 = { eb04 3bc6 7222 8b542424 8b7c2414 ff4c243c 8b742444 }
            // n = 7, score = 100
            //   eb04                 | jmp                 6
            //   3bc6                 | cmp                 eax, esi
            //   7222                 | jb                  0x24
            //   8b542424             | mov                 edx, dword ptr [esp + 0x24]
            //   8b7c2414             | mov                 edi, dword ptr [esp + 0x14]
            //   ff4c243c             | dec                 dword ptr [esp + 0x3c]
            //   8b742444             | mov                 esi, dword ptr [esp + 0x44]

        $sequence_5 = { 8d57f4 8bcb e8???????? e9???????? 6a00 ff7704 ba94000000 }
            // n = 7, score = 100
            //   8d57f4               | lea                 edx, dword ptr [edi - 0xc]
            //   8bcb                 | mov                 ecx, ebx
            //   e8????????           |                     
            //   e9????????           |                     
            //   6a00                 | push                0
            //   ff7704               | push                dword ptr [edi + 4]
            //   ba94000000           | mov                 edx, 0x94

        $sequence_6 = { c704883f000000 89548804 c744880800000000 c744880c00000000 c744881000000000 8d9424a0000000 8bcf }
            // n = 7, score = 100
            //   c704883f000000       | mov                 dword ptr [eax + ecx*4], 0x3f
            //   89548804             | mov                 dword ptr [eax + ecx*4 + 4], edx
            //   c744880800000000     | mov                 dword ptr [eax + ecx*4 + 8], 0
            //   c744880c00000000     | mov                 dword ptr [eax + ecx*4 + 0xc], 0
            //   c744881000000000     | mov                 dword ptr [eax + ecx*4 + 0x10], 0
            //   8d9424a0000000       | lea                 edx, dword ptr [esp + 0xa0]
            //   8bcf                 | mov                 ecx, edi

        $sequence_7 = { c744881000000000 8b460c 8b4848 85c9 7418 8b44247c 8d048504000000 }
            // n = 7, score = 100
            //   c744881000000000     | mov                 dword ptr [eax + ecx*4 + 0x10], 0
            //   8b460c               | mov                 eax, dword ptr [esi + 0xc]
            //   8b4848               | mov                 ecx, dword ptr [eax + 0x48]
            //   85c9                 | test                ecx, ecx
            //   7418                 | je                  0x1a
            //   8b44247c             | mov                 eax, dword ptr [esp + 0x7c]
            //   8d048504000000       | lea                 eax, dword ptr [eax*4 + 4]

        $sequence_8 = { c644340c10 eb6a 8b401c 89442420 8944b424 83fe03 0f8351010000 }
            // n = 7, score = 100
            //   c644340c10           | mov                 byte ptr [esp + esi + 0xc], 0x10
            //   eb6a                 | jmp                 0x6c
            //   8b401c               | mov                 eax, dword ptr [eax + 0x1c]
            //   89442420             | mov                 dword ptr [esp + 0x20], eax
            //   8944b424             | mov                 dword ptr [esp + esi*4 + 0x24], eax
            //   83fe03               | cmp                 esi, 3
            //   0f8351010000         | jae                 0x157

        $sequence_9 = { ffb5dcfdffff 8a5008 e8???????? 83c404 8b9500feffff 85d2 0f85d3250000 }
            // n = 7, score = 100
            //   ffb5dcfdffff         | push                dword ptr [ebp - 0x224]
            //   8a5008               | mov                 dl, byte ptr [eax + 8]
            //   e8????????           |                     
            //   83c404               | add                 esp, 4
            //   8b9500feffff         | mov                 edx, dword ptr [ebp - 0x200]
            //   85d2                 | test                edx, edx
            //   0f85d3250000         | jne                 0x25d9

    condition:
        7 of them and filesize < 2151424
}
Download all Yara Rules