win.socelars

Socelars


Socelars is an infostealer whose main focus is on:
* Facebook Stealer (ads/manager)
* Cookie Stealer | AdsCreditCard {Amazon}

References
2022-10-13 | Spamhaus | Spamhaus Malware Labs
Spamhaus Botnet Threat Update Q3 2022
FluBot Arkei Stealer AsyncRAT Ave Maria BumbleBee Cobalt Strike DCRat Dridex Emotet Loki Password Stealer (PWS) Nanocore RAT NetWire RC NjRAT QakBot RecordBreaker RedLine Stealer Remcos Socelars Tofsee Vjw0rm
2022-09-15 | Sekoia | Threat & Detection Research Team
PrivateLoader: the loader of the prevalent ruzki PPI service
Agent Tesla Coinminer DanaBot DCRat Eternity Stealer Glupteba Mars Stealer NetSupportManager RAT Nymaim Nymaim2 Phoenix Keylogger PrivateLoader Raccoon RedLine Stealer SmokeLoader Socelars STOP Vidar YTStealer
2021-09-27 | Trend Micro | Arianne Dela Cruz, Gilbert Sison, Joelson Soares, Ryan Maglaque, Warren Sto.Tomas
Fake Installers Drop Malware and Open Doors for Opportunistic Attackers
RedLine Stealer Socelars Vidar
2020-07-29 | ESET Research | welivesecurity
THREAT REPORT Q2 2020
DEFENSOR ID HiddenAd Bundlore Pirrit Agent.BTZ Cerber ClipBanker CROSSWALK Cryptowall CTB Locker DanaBot Dharma Formbook Gandcrab Grandoreiro Houdini ISFB LockBit Locky Mailto Maze Microcin Nemty NjRAT Phobos PlugX Pony REvil Socelars STOP Tinba TrickBot WannaCryptor
2019-12-02 | Twitter (@VK_intel) | Vitali Kremez
Tweet on Socelars Stealer
Socelars
2019-12-02 | Bleeping Computer | Lawrence Abrams
Facebook Ads Manager Targeted by New Info-Stealing Trojan
Socelars
Yara Rules
[TLP:WHITE] win_socelars_auto (20230808 | Detects win.socelars.)
// Auto-generated code-signature rule for the Socelars infostealer (win.socelars).
// Ten seven-instruction byte sequences were selected from disassembly by
// YARA-Signator; the rule fires when at least 7 of them occur in a file smaller
// than 2151424 bytes.  The sequences come from memory dumps and unpacked files
// (see the DISCLAIMER below), so dumped/unpacked samples are the intended input.
rule win_socelars_auto {

    meta:
        // Metadata is informational only; none of these keys affect matching.
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-12-06"
        version = "1"
        description = "Detects win.socelars."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        // Feature classes the generator considered when selecting sequences.
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.socelars"
        malpedia_rule_date = "20231130"
        malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351"
        malpedia_version = "20230808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Each $sequence_N is the raw x86 encoding of seven consecutive
        // instructions, listed in the comment block beneath it.  `??` bytes are
        // wildcards: they mask the 4-byte relative operand of call (e8) and
        // jmp (e9) instructions, so a match does not depend on where the branch
        // target lies in a particular build or dump.
        $sequence_0 = { f6462808 894618 7515 8b4c243c ba14000000 e8???????? 89842430010000 }
            // n = 7, score = 100
            //   f6462808             | test                byte ptr [esi + 0x28], 8
            //   894618               | mov                 dword ptr [esi + 0x18], eax
            //   7515                 | jne                 0x17
            //   8b4c243c             | mov                 ecx, dword ptr [esp + 0x3c]
            //   ba14000000           | mov                 edx, 0x14
            //   e8????????           |                     
            //   89842430010000       | mov                 dword ptr [esp + 0x130], eax

        $sequence_1 = { 8b4dfc 83b9cc03000020 7409 c745c00c000000 eb07 c745c00e000000 8b55fc }
            // n = 7, score = 100
            //   8b4dfc               | mov                 ecx, dword ptr [ebp - 4]
            //   83b9cc03000020       | cmp                 dword ptr [ecx + 0x3cc], 0x20
            //   7409                 | je                  0xb
            //   c745c00c000000       | mov                 dword ptr [ebp - 0x40], 0xc
            //   eb07                 | jmp                 9
            //   c745c00e000000       | mov                 dword ptr [ebp - 0x40], 0xe
            //   8b55fc               | mov                 edx, dword ptr [ebp - 4]

        $sequence_2 = { ff460c 807e0a00 750a 8bce e8???????? 8a4e09 8b430c }
            // n = 7, score = 100
            //   ff460c               | inc                 dword ptr [esi + 0xc]
            //   807e0a00             | cmp                 byte ptr [esi + 0xa], 0
            //   750a                 | jne                 0xc
            //   8bce                 | mov                 ecx, esi
            //   e8????????           |                     
            //   8a4e09               | mov                 cl, byte ptr [esi + 9]
            //   8b430c               | mov                 eax, dword ptr [ebx + 0xc]

        $sequence_3 = { ff730c ff7308 e8???????? 8bf8 83c410 85ff 0f8480000000 }
            // n = 7, score = 100
            //   ff730c               | push                dword ptr [ebx + 0xc]
            //   ff7308               | push                dword ptr [ebx + 8]
            //   e8????????           |                     
            //   8bf8                 | mov                 edi, eax
            //   83c410               | add                 esp, 0x10
            //   85ff                 | test                edi, edi
            //   0f8480000000         | je                  0x86

        $sequence_4 = { 8b542410 8b5248 f6421c20 0f8437050000 8b4214 ff4878 8b8888000000 }
            // n = 7, score = 100
            //   8b542410             | mov                 edx, dword ptr [esp + 0x10]
            //   8b5248               | mov                 edx, dword ptr [edx + 0x48]
            //   f6421c20             | test                byte ptr [edx + 0x1c], 0x20
            //   0f8437050000         | je                  0x53d
            //   8b4214               | mov                 eax, dword ptr [edx + 0x14]
            //   ff4878               | dec                 dword ptr [eax + 0x78]
            //   8b8888000000         | mov                 ecx, dword ptr [eax + 0x88]

        $sequence_5 = { e9???????? 8b4c243c 33c0 89842430010000 ba43000000 8b472c 40 }
            // n = 7, score = 100
            //   e9????????           |                     
            //   8b4c243c             | mov                 ecx, dword ptr [esp + 0x3c]
            //   33c0                 | xor                 eax, eax
            //   89842430010000       | mov                 dword ptr [esp + 0x130], eax
            //   ba43000000           | mov                 edx, 0x43
            //   8b472c               | mov                 eax, dword ptr [edi + 0x2c]
            //   40                   | inc                 eax

        $sequence_6 = { f7da 56 1bd2 83c235 eb55 6a00 ff77c4 }
            // n = 7, score = 100
            //   f7da                 | neg                 edx
            //   56                   | push                esi
            //   1bd2                 | sbb                 edx, edx
            //   83c235               | add                 edx, 0x35
            //   eb55                 | jmp                 0x57
            //   6a00                 | push                0
            //   ff77c4               | push                dword ptr [edi - 0x3c]

        $sequence_7 = { e8???????? 83c40c eb36 8d4201 898188000000 8d0c92 8b442438 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   83c40c               | add                 esp, 0xc
            //   eb36                 | jmp                 0x38
            //   8d4201               | lea                 eax, [edx + 1]
            //   898188000000         | mov                 dword ptr [ecx + 0x88], eax
            //   8d0c92               | lea                 ecx, [edx + edx*4]
            //   8b442438             | mov                 eax, dword ptr [esp + 0x38]

        $sequence_8 = { fe4613 8a4619 fec8 0fb6c8 884619 3bf9 7d24 }
            // n = 7, score = 100
            //   fe4613               | inc                 byte ptr [esi + 0x13]
            //   8a4619               | mov                 al, byte ptr [esi + 0x19]
            //   fec8                 | dec                 al
            //   0fb6c8               | movzx               ecx, al
            //   884619               | mov                 byte ptr [esi + 0x19], al
            //   3bf9                 | cmp                 edi, ecx
            //   7d24                 | jge                 0x26

        $sequence_9 = { ff742424 e8???????? 83c40c eb32 8b54241c 8d4101 898688000000 }
            // n = 7, score = 100
            //   ff742424             | push                dword ptr [esp + 0x24]
            //   e8????????           |                     
            //   83c40c               | add                 esp, 0xc
            //   eb32                 | jmp                 0x34
            //   8b54241c             | mov                 edx, dword ptr [esp + 0x1c]
            //   8d4101               | lea                 eax, [ecx + 1]
            //   898688000000         | mov                 dword ptr [esi + 0x88], eax

    condition:
        // At least 7 of the 10 sequences must be present, and only in inputs
        // below 2151424 bytes (about 2.05 MiB).  Larger inputs never match no
        // matter how many sequences they contain, so the size cap should be
        // kept in mind when scanning padded or bundled binaries.
        7 of them and filesize < 2151424
}