SYMBOLCOMMON_NAMEaka. SYNONYMS
win.socelars (Back to overview)

Socelars


Socelars is an infostealer with main focus on:
* Facebook Stealer (ads/manager)
* Cookie Stealer | AdsCreditCard {Amazon}

References
2021-09-27Trend MicroRyan Maglaque, Joelson Soares, Gilbert Sison, Arianne Dela Cruz, Warren Sto.Tomas
@online{maglaque:20210927:fake:e02e3a3, author = {Ryan Maglaque and Joelson Soares and Gilbert Sison and Arianne Dela Cruz and Warren Sto.Tomas}, title = {{Fake Installers Drop Malware and Open Doors for Opportunistic Attackers}}, date = {2021-09-27}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/21/i/fake-installers-drop-malware-and-open-doors-for-opportunistic-attackers.html}, language = {English}, urldate = {2021-10-05} } Fake Installers Drop Malware and Open Doors for Opportunistic Attackers
RedLine Stealer Socelars vidar
2020-07-29ESET Researchwelivesecurity
@techreport{welivesecurity:20200729:threat:496355c, author = {welivesecurity}, title = {{THREAT REPORT Q2 2020}}, date = {2020-07-29}, institution = {ESET Research}, url = {https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf}, language = {English}, urldate = {2020-07-30} } THREAT REPORT Q2 2020
DEFENSOR ID HiddenAd Bundlore Pirrit Agent.BTZ Cerber ClipBanker CROSSWALK Cryptowall CTB Locker DanaBot Dharma Formbook Gandcrab Grandoreiro Houdini ISFB LockBit Locky Mailto Maze Microcin Nemty NjRAT Phobos PlugX Pony REvil Socelars STOP Tinba TrickBot WannaCryptor
2019-12-02Bleeping ComputerLawrence Abrams
@online{abrams:20191202:facebook:5630b4e, author = {Lawrence Abrams}, title = {{Facebook Ads Manager Targeted by New Info-Stealing Trojan}}, date = {2019-12-02}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/facebook-ads-manager-targeted-by-new-info-stealing-trojan/}, language = {English}, urldate = {2020-02-26} } Facebook Ads Manager Targeted by New Info-Stealing Trojan
Socelars
2019-12-02Twitter (@VK_intel)Vitali Kremez
@online{kremez:20191202:socelars:8d5d01c, author = {Vitali Kremez}, title = {{Tweet on Socelars Stealer}}, date = {2019-12-02}, organization = {Twitter (@VK_intel)}, url = {https://twitter.com/VK_Intel/status/1201584107928653824}, language = {English}, urldate = {2020-01-17} } Tweet on Socelars Stealer
Socelars
Yara Rules
[TLP:WHITE] win_socelars_auto (20211008 | Detects win.socelars.)
rule win_socelars_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2021-10-07"
        version = "1"
        description = "Detects win.socelars."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.socelars"
        malpedia_rule_date = "20211007"
        malpedia_hash = "e5b790e0f888f252d49063a1251ca60ec2832535"
        malpedia_version = "20211008"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { e8???????? 8985ccdbffff 8b8d20dcffff 83c902 898d20dcffff 8b95ccdbffff 899518dcffff }
            // n = 7, score = 100
            //   e8????????           |                     
            //   8985ccdbffff         | mov                 dword ptr [ebp - 0x2434], eax
            //   8b8d20dcffff         | mov                 ecx, dword ptr [ebp - 0x23e0]
            //   83c902               | or                  ecx, 2
            //   898d20dcffff         | mov                 dword ptr [ebp - 0x23e0], ecx
            //   8b95ccdbffff         | mov                 edx, dword ptr [ebp - 0x2434]
            //   899518dcffff         | mov                 dword ptr [ebp - 0x23e8], edx

        $sequence_1 = { 8b5d0c 395df4 7c1c 8b5508 7f05 3955f0 7612 }
            // n = 7, score = 100
            //   8b5d0c               | mov                 ebx, dword ptr [ebp + 0xc]
            //   395df4               | cmp                 dword ptr [ebp - 0xc], ebx
            //   7c1c                 | jl                  0x1e
            //   8b5508               | mov                 edx, dword ptr [ebp + 8]
            //   7f05                 | jg                  7
            //   3955f0               | cmp                 dword ptr [ebp - 0x10], edx
            //   7612                 | jbe                 0x14

        $sequence_2 = { e8???????? 85c0 0f85fa000000 eb03 c60761 8b442414 85c0 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   85c0                 | test                eax, eax
            //   0f85fa000000         | jne                 0x100
            //   eb03                 | jmp                 5
            //   c60761               | mov                 byte ptr [edi], 0x61
            //   8b442414             | mov                 eax, dword ptr [esp + 0x14]
            //   85c0                 | test                eax, eax

        $sequence_3 = { c7471000000000 83bed400000000 741d 8bcf e8???????? 8bd8 85db }
            // n = 7, score = 100
            //   c7471000000000       | mov                 dword ptr [edi + 0x10], 0
            //   83bed400000000       | cmp                 dword ptr [esi + 0xd4], 0
            //   741d                 | je                  0x1f
            //   8bcf                 | mov                 ecx, edi
            //   e8????????           |                     
            //   8bd8                 | mov                 ebx, eax
            //   85db                 | test                ebx, ebx

        $sequence_4 = { e8???????? 8b4874 ffd1 b814000000 e9???????? 90 ba01000000 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   8b4874               | mov                 ecx, dword ptr [eax + 0x74]
            //   ffd1                 | call                ecx
            //   b814000000           | mov                 eax, 0x14
            //   e9????????           |                     
            //   90                   | nop                 
            //   ba01000000           | mov                 edx, 1

        $sequence_5 = { c745ec99974a00 894df8 8945fc 64a100000000 8945e8 8d45e8 64a300000000 }
            // n = 7, score = 100
            //   c745ec99974a00       | mov                 dword ptr [ebp - 0x14], 0x4a9799
            //   894df8               | mov                 dword ptr [ebp - 8], ecx
            //   8945fc               | mov                 dword ptr [ebp - 4], eax
            //   64a100000000         | mov                 eax, dword ptr fs:[0]
            //   8945e8               | mov                 dword ptr [ebp - 0x18], eax
            //   8d45e8               | lea                 eax, dword ptr [ebp - 0x18]
            //   64a300000000         | mov                 dword ptr fs:[0], eax

        $sequence_6 = { 8b45f0 3b45d0 7d63 8b45f0 99 f77de0 c1e005 }
            // n = 7, score = 100
            //   8b45f0               | mov                 eax, dword ptr [ebp - 0x10]
            //   3b45d0               | cmp                 eax, dword ptr [ebp - 0x30]
            //   7d63                 | jge                 0x65
            //   8b45f0               | mov                 eax, dword ptr [ebp - 0x10]
            //   99                   | cdq                 
            //   f77de0               | idiv                dword ptr [ebp - 0x20]
            //   c1e005               | shl                 eax, 5

        $sequence_7 = { ff742468 e8???????? 8b442434 83c408 8b4c240c 8b542434 c6401c00 }
            // n = 7, score = 100
            //   ff742468             | push                dword ptr [esp + 0x68]
            //   e8????????           |                     
            //   8b442434             | mov                 eax, dword ptr [esp + 0x34]
            //   83c408               | add                 esp, 8
            //   8b4c240c             | mov                 ecx, dword ptr [esp + 0xc]
            //   8b542434             | mov                 edx, dword ptr [esp + 0x34]
            //   c6401c00             | mov                 byte ptr [eax + 0x1c], 0

        $sequence_8 = { c645fc08 8d8d00ffffff e8???????? 68???????? 8b4d08 81c1a8000000 e8???????? }
            // n = 7, score = 100
            //   c645fc08             | mov                 byte ptr [ebp - 4], 8
            //   8d8d00ffffff         | lea                 ecx, dword ptr [ebp - 0x100]
            //   e8????????           |                     
            //   68????????           |                     
            //   8b4d08               | mov                 ecx, dword ptr [ebp + 8]
            //   81c1a8000000         | add                 ecx, 0xa8
            //   e8????????           |                     

        $sequence_9 = { c744242800000000 8bf2 83caff 89742410 8954241c 8b5f08 895c2424 }
            // n = 7, score = 100
            //   c744242800000000     | mov                 dword ptr [esp + 0x28], 0
            //   8bf2                 | mov                 esi, edx
            //   83caff               | or                  edx, 0xffffffff
            //   89742410             | mov                 dword ptr [esp + 0x10], esi
            //   8954241c             | mov                 dword ptr [esp + 0x1c], edx
            //   8b5f08               | mov                 ebx, dword ptr [edi + 8]
            //   895c2424             | mov                 dword ptr [esp + 0x24], ebx

    condition:
        7 of them and filesize < 2151424
}
Download all Yara Rules