SYMBOLCOMMON_NAMEaka. SYNONYMS
win.socelars (Back to overview)

Socelars

Socelars is an infostealer with main focus on:
* Facebook Stealer (ads/manager)
* Cookie Stealer | AdsCreditCard {Amazon}

References
2022-10-13SpamhausSpamhaus Malware Labs
@techreport{labs:20221013:spamhaus:43e3190, author = {Spamhaus Malware Labs}, title = {{Spamhaus Botnet Threat Update Q3 2022}}, date = {2022-10-13}, institution = {Spamhaus}, url = {https://info.spamhaus.com/hubfs/Botnet%20Reports/2022%20Q3%20Botnet%20Threat%20Update.pdf}, language = {English}, urldate = {2022-12-29} } Spamhaus Botnet Threat Update Q3 2022
FluBot Arkei Stealer AsyncRAT Ave Maria BumbleBee Cobalt Strike DCRat Dridex Emotet Loki Password Stealer (PWS) Nanocore RAT NetWire RC NjRAT QakBot RecordBreaker RedLine Stealer Remcos Socelars Tofsee Vjw0rm
2022-09-15SekoiaThreat & Detection Research Team
@online{team:20220915:privateloader:d88c7b2, author = {Threat & Detection Research Team}, title = {{PrivateLoader: the loader of the prevalent ruzki PPI service}}, date = {2022-09-15}, organization = {Sekoia}, url = {https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/}, language = {English}, urldate = {2022-09-19} } PrivateLoader: the loader of the prevalent ruzki PPI service
Agent Tesla Coinminer DanaBot DCRat Eternity Stealer Glupteba Mars Stealer NetSupportManager RAT Nymaim Nymaim2 Phoenix Keylogger PrivateLoader Raccoon RedLine Stealer SmokeLoader Socelars STOP Vidar YTStealer
2021-09-27Trend MicroRyan Maglaque, Joelson Soares, Gilbert Sison, Arianne Dela Cruz, Warren Sto.Tomas
@online{maglaque:20210927:fake:e02e3a3, author = {Ryan Maglaque and Joelson Soares and Gilbert Sison and Arianne Dela Cruz and Warren Sto.Tomas}, title = {{Fake Installers Drop Malware and Open Doors for Opportunistic Attackers}}, date = {2021-09-27}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/21/i/fake-installers-drop-malware-and-open-doors-for-opportunistic-attackers.html}, language = {English}, urldate = {2021-10-05} } Fake Installers Drop Malware and Open Doors for Opportunistic Attackers
RedLine Stealer Socelars Vidar
2020-07-29ESET Researchwelivesecurity
@techreport{welivesecurity:20200729:threat:496355c, author = {welivesecurity}, title = {{THREAT REPORT Q2 2020}}, date = {2020-07-29}, institution = {ESET Research}, url = {https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf}, language = {English}, urldate = {2020-07-30} } THREAT REPORT Q2 2020
DEFENSOR ID HiddenAd Bundlore Pirrit Agent.BTZ Cerber ClipBanker CROSSWALK Cryptowall CTB Locker DanaBot Dharma Formbook Gandcrab Grandoreiro Houdini ISFB LockBit Locky Mailto Maze Microcin Nemty NjRAT Phobos PlugX Pony REvil Socelars STOP Tinba TrickBot WannaCryptor
2019-12-02Twitter (@VK_intel)Vitali Kremez
@online{kremez:20191202:socelars:8d5d01c, author = {Vitali Kremez}, title = {{Tweet on Socelars Stealer}}, date = {2019-12-02}, organization = {Twitter (@VK_intel)}, url = {https://twitter.com/VK_Intel/status/1201584107928653824}, language = {English}, urldate = {2020-01-17} } Tweet on Socelars Stealer
Socelars
2019-12-02Bleeping ComputerLawrence Abrams
@online{abrams:20191202:facebook:5630b4e, author = {Lawrence Abrams}, title = {{Facebook Ads Manager Targeted by New Info-Stealing Trojan}}, date = {2019-12-02}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/facebook-ads-manager-targeted-by-new-info-stealing-trojan/}, language = {English}, urldate = {2020-02-26} } Facebook Ads Manager Targeted by New Info-Stealing Trojan
Socelars
Yara Rules
[TLP:WHITE] win_socelars_auto (20230407 | Detects win.socelars.)
rule win_socelars_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-03-28"
        version = "1"
        description = "Detects win.socelars."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.socelars"
        malpedia_rule_date = "20230328"
        malpedia_hash = "9d2d75cef573c1c2d861f5197df8f563b05a305d"
        malpedia_version = "20230407"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { e8???????? 83c404 90 8b8d34ffffff 51 e8???????? 83c404 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   83c404               | add                 esp, 4
            //   90                   | nop                 
            //   8b8d34ffffff         | mov                 ecx, dword ptr [ebp - 0xcc]
            //   51                   | push                ecx
            //   e8????????           |                     
            //   83c404               | add                 esp, 4

        $sequence_1 = { f6462810 0f8592030000 50 ff761c 8b742444 ba0e000000 8bce }
            // n = 7, score = 100
            //   f6462810             | test                byte ptr [esi + 0x28], 0x10
            //   0f8592030000         | jne                 0x398
            //   50                   | push                eax
            //   ff761c               | push                dword ptr [esi + 0x1c]
            //   8b742444             | mov                 esi, dword ptr [esp + 0x44]
            //   ba0e000000           | mov                 edx, 0xe
            //   8bce                 | mov                 ecx, esi

        $sequence_2 = { f6458504 7451 8b9574ffffff 85d2 7443 8b8d70ffffff 85c9 }
            // n = 7, score = 100
            //   f6458504             | test                byte ptr [ebp - 0x7b], 4
            //   7451                 | je                  0x53
            //   8b9574ffffff         | mov                 edx, dword ptr [ebp - 0x8c]
            //   85d2                 | test                edx, edx
            //   7443                 | je                  0x45
            //   8b8d70ffffff         | mov                 ecx, dword ptr [ebp - 0x90]
            //   85c9                 | test                ecx, ecx

        $sequence_3 = { f20f100e eb2e f6c204 740f 8b5604 8b0e e8???????? }
            // n = 7, score = 100
            //   f20f100e             | movsd               xmm1, qword ptr [esi]
            //   eb2e                 | jmp                 0x30
            //   f6c204               | test                dl, 4
            //   740f                 | je                  0x11
            //   8b5604               | mov                 edx, dword ptr [esi + 4]
            //   8b0e                 | mov                 ecx, dword ptr [esi]
            //   e8????????           |                     

        $sequence_4 = { b8???????? eb05 8b4758 03c1 895008 ff06 8b07 }
            // n = 7, score = 100
            //   b8????????           |                     
            //   eb05                 | jmp                 7
            //   8b4758               | mov                 eax, dword ptr [edi + 0x58]
            //   03c1                 | add                 eax, ecx
            //   895008               | mov                 dword ptr [eax + 8], edx
            //   ff06                 | inc                 dword ptr [esi]
            //   8b07                 | mov                 eax, dword ptr [edi]

        $sequence_5 = { f77940 8bd0 8b5df8 8b4dec 03da 8b55f4 895df8 }
            // n = 7, score = 100
            //   f77940               | idiv                dword ptr [ecx + 0x40]
            //   8bd0                 | mov                 edx, eax
            //   8b5df8               | mov                 ebx, dword ptr [ebp - 8]
            //   8b4dec               | mov                 ecx, dword ptr [ebp - 0x14]
            //   03da                 | add                 ebx, edx
            //   8b55f4               | mov                 edx, dword ptr [ebp - 0xc]
            //   895df8               | mov                 dword ptr [ebp - 8], ebx

        $sequence_6 = { 8b4c242c 83f940 744a 6a00 ff742414 83f921 ba???????? }
            // n = 7, score = 100
            //   8b4c242c             | mov                 ecx, dword ptr [esp + 0x2c]
            //   83f940               | cmp                 ecx, 0x40
            //   744a                 | je                  0x4c
            //   6a00                 | push                0
            //   ff742414             | push                dword ptr [esp + 0x14]
            //   83f921               | cmp                 ecx, 0x21
            //   ba????????           |                     

        $sequence_7 = { 8b4740 0b4744 ebd2 8b97c4000000 85d2 742a 8b4204 }
            // n = 7, score = 100
            //   8b4740               | mov                 eax, dword ptr [edi + 0x40]
            //   0b4744               | or                  eax, dword ptr [edi + 0x44]
            //   ebd2                 | jmp                 0xffffffd4
            //   8b97c4000000         | mov                 edx, dword ptr [edi + 0xc4]
            //   85d2                 | test                edx, edx
            //   742a                 | je                  0x2c
            //   8b4204               | mov                 eax, dword ptr [edx + 4]

        $sequence_8 = { ff74241c e8???????? 83c40c 8903 8b4630 85c0 7409 }
            // n = 7, score = 100
            //   ff74241c             | push                dword ptr [esp + 0x1c]
            //   e8????????           |                     
            //   83c40c               | add                 esp, 0xc
            //   8903                 | mov                 dword ptr [ebx], eax
            //   8b4630               | mov                 eax, dword ptr [esi + 0x30]
            //   85c0                 | test                eax, eax
            //   7409                 | je                  0xb

        $sequence_9 = { 894df8 8b402c 0fb74006 8d148514000000 8d04c9 8955f4 8d04c588000000 }
            // n = 7, score = 100
            //   894df8               | mov                 dword ptr [ebp - 8], ecx
            //   8b402c               | mov                 eax, dword ptr [eax + 0x2c]
            //   0fb74006             | movzx               eax, word ptr [eax + 6]
            //   8d148514000000       | lea                 edx, [eax*4 + 0x14]
            //   8d04c9               | lea                 eax, [ecx + ecx*8]
            //   8955f4               | mov                 dword ptr [ebp - 0xc], edx
            //   8d04c588000000       | lea                 eax, [eax*8 + 0x88]

    condition:
        7 of them and filesize < 2151424
}
Download all Yara Rules