win.socelars

Socelars


Socelars is an infostealer whose main focus is:
* Facebook Stealer (ads/manager)
* Cookie Stealer | AdsCreditCard {Amazon}

References
2020-07-29 — ESET Research — welivesecurity
@techreport{welivesecurity:20200729:threat:496355c, author = {welivesecurity}, title = {{THREAT REPORT Q2 2020}}, date = {2020-07-29}, institution = {ESET Research}, url = {https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf}, language = {English}, urldate = {2020-07-30} } THREAT REPORT Q2 2020
DEFENSOR ID HiddenAd Bundlore Pirrit Agent.BTZ Cerber ClipBanker CROSSWALK Cryptowall CTB Locker DanaBot Dharma Formbook Gandcrab Grandoreiro Houdini ISFB LockBit Locky Mailto Maze Microcin Nemty NjRAT Phobos Ransomware PlugX Pony REvil Socelars STOP Ransomware Tinba TrickBot WannaCryptor
2019-12-02 — Bleeping Computer — Lawrence Abrams
@online{abrams:20191202:facebook:5630b4e, author = {Lawrence Abrams}, title = {{Facebook Ads Manager Targeted by New Info-Stealing Trojan}}, date = {2019-12-02}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/facebook-ads-manager-targeted-by-new-info-stealing-trojan/}, language = {English}, urldate = {2020-02-26} } Facebook Ads Manager Targeted by New Info-Stealing Trojan
Socelars
2019-12-02 — Twitter (@VK_intel) — Vitali Kremez
@online{kremez:20191202:socelars:8d5d01c, author = {Vitali Kremez}, title = {{Tweet on Socelars Stealer}}, date = {2019-12-02}, organization = {Twitter (@VK_intel)}, url = {https://twitter.com/VK_Intel/status/1201584107928653824}, language = {English}, urldate = {2020-01-17} } Tweet on Socelars Stealer
Socelars
Yara Rules
[TLP:WHITE] win_socelars_auto (20201023 | autogenerated rule brought to you by yara-signator)
rule win_socelars_auto {
    // Detection rule for the Socelars infostealer (Malpedia family
    // win.socelars). The rule is machine-generated by YARA-Signator (see the
    // meta block and the DISCLAIMER below): the $sequence_* strings are x86
    // instruction byte patterns taken from unpacked code, not hand-picked
    // strings, so they say nothing about the malware's behaviour by
    // themselves.

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-12-22"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.socelars"
        malpedia_rule_date = "20201222"
        malpedia_hash = "30354d830a29f0fbd3714d93d94dea941d77a130"
        malpedia_version = "20201023"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Ten hex patterns, each covering 7 consecutive instructions
        // ("n = 7"); the disassembly of every pattern is listed under it.
        // "??" is a YARA wildcard byte that matches any value. Here the
        // wildcards cover the 4-byte operands of call/jmp (e8/e9), push (68),
        // mov ecx,imm32 (b9) and the absolute memory operands of movsd,
        // which presumably vary with load address / relocation — consistent
        // with the generator config "callsandjumps;datarefs;binvalue"
        // (NOTE(review): inferred from the config string, not verified).
        $sequence_0 = { c6471701 8bcf e8???????? 8bd8 8b4778 85c0 7502 }
            // n = 7, score = 100
            //   c6471701             | mov                 byte ptr [edi + 0x17], 1
            //   8bcf                 | mov                 ecx, edi
            //   e8????????           |                     
            //   8bd8                 | mov                 ebx, eax
            //   8b4778               | mov                 eax, dword ptr [edi + 0x78]
            //   85c0                 | test                eax, eax
            //   7502                 | jne                 4

        $sequence_1 = { f20f1005???????? f20f118424a8000000 f20f1005???????? f20f118424b0000000 f20f1005???????? f20f118424b8000000 f20f1005???????? }
            // n = 7, score = 100
            //   f20f1005????????     |                     
            //   f20f118424a8000000     | movsd    qword ptr [esp + 0xa8], xmm0
            //   f20f1005????????     |                     
            //   f20f118424b0000000     | movsd    qword ptr [esp + 0xb0], xmm0
            //   f20f1005????????     |                     
            //   f20f118424b8000000     | movsd    qword ptr [esp + 0xb8], xmm0
            //   f20f1005????????     |                     

        $sequence_2 = { ff742450 e8???????? 8bd7 8b7c2448 8bcf e8???????? ff742474 }
            // n = 7, score = 100
            //   ff742450             | push                dword ptr [esp + 0x50]
            //   e8????????           |                     
            //   8bd7                 | mov                 edx, edi
            //   8b7c2448             | mov                 edi, dword ptr [esp + 0x48]
            //   8bcf                 | mov                 ecx, edi
            //   e8????????           |                     
            //   ff742474             | push                dword ptr [esp + 0x74]

        $sequence_3 = { 8d8dacfeffff e8???????? 6a00 8d4dd4 51 8d9558feffff 52 }
            // n = 7, score = 100
            //   8d8dacfeffff         | lea                 ecx, [ebp - 0x154]
            //   e8????????           |                     
            //   6a00                 | push                0
            //   8d4dd4               | lea                 ecx, [ebp - 0x2c]
            //   51                   | push                ecx
            //   8d9558feffff         | lea                 edx, [ebp - 0x1a8]
            //   52                   | push                edx

        $sequence_4 = { e9???????? 660f2fd3 0f862c010000 f20f10ac24b0000000 660f2fd5 f20f10b424a8000000 0f28de }
            // n = 7, score = 100
            //   e9????????           |                     
            //   660f2fd3             | comisd              xmm2, xmm3
            //   0f862c010000         | jbe                 0x132
            //   f20f10ac24b0000000     | movsd    xmm5, qword ptr [esp + 0xb0]
            //   660f2fd5             | comisd              xmm2, xmm5
            //   f20f10b424a8000000     | movsd    xmm6, qword ptr [esp + 0xa8]
            //   0f28de               | movaps              xmm3, xmm6

        $sequence_5 = { b9???????? e8???????? 68???????? 8d8d2cf9ffff e8???????? c645fc06 68???????? }
            // n = 7, score = 100
            //   b9????????           |                     
            //   e8????????           |                     
            //   68????????           |                     
            //   8d8d2cf9ffff         | lea                 ecx, [ebp - 0x6d4]
            //   e8????????           |                     
            //   c645fc06             | mov                 byte ptr [ebp - 4], 6
            //   68????????           |                     

        $sequence_6 = { c6400c00 c60600 0f847d000000 85ff 7579 8bce e8???????? }
            // n = 7, score = 100
            //   c6400c00             | mov                 byte ptr [eax + 0xc], 0
            //   c60600               | mov                 byte ptr [esi], 0
            //   0f847d000000         | je                  0x83
            //   85ff                 | test                edi, edi
            //   7579                 | jne                 0x7b
            //   8bce                 | mov                 ecx, esi
            //   e8????????           |                     

        $sequence_7 = { c1e819 0bd0 8955b8 8b4db8 034db4 894db8 8b55b8 }
            // n = 7, score = 100
            //   c1e819               | shr                 eax, 0x19
            //   0bd0                 | or                  edx, eax
            //   8955b8               | mov                 dword ptr [ebp - 0x48], edx
            //   8b4db8               | mov                 ecx, dword ptr [ebp - 0x48]
            //   034db4               | add                 ecx, dword ptr [ebp - 0x4c]
            //   894db8               | mov                 dword ptr [ebp - 0x48], ecx
            //   8b55b8               | mov                 edx, dword ptr [ebp - 0x48]

        $sequence_8 = { be01000000 83c9ff 89742418 66894820 c6400144 eb03 8b5d0c }
            // n = 7, score = 100
            //   be01000000           | mov                 esi, 1
            //   83c9ff               | or                  ecx, 0xffffffff
            //   89742418             | mov                 dword ptr [esp + 0x18], esi
            //   66894820             | mov                 word ptr [eax + 0x20], cx
            //   c6400144             | mov                 byte ptr [eax + 1], 0x44
            //   eb03                 | jmp                 5
            //   8b5d0c               | mov                 ebx, dword ptr [ebp + 0xc]

        $sequence_9 = { e8???????? eb10 8b542458 03d6 52 8bd0 8bcf }
            // n = 7, score = 100
            //   e8????????           |                     
            //   eb10                 | jmp                 0x12
            //   8b542458             | mov                 edx, dword ptr [esp + 0x58]
            //   03d6                 | add                 edx, esi
            //   52                   | push                edx
            //   8bd0                 | mov                 edx, eax
            //   8bcf                 | mov                 ecx, edi

    condition:
        // Matches when at least 7 of the 10 $sequence_* patterns are present
        // and the scanned object is smaller than 2151424 bytes (~2.05 MiB).
        // The patterns were taken from memory dumps and unpacked files (see
        // DISCLAIMER), so the rule is intended for unpacked code; a packed
        // sample on disk is unlikely to match. Per the DISCLAIMER the rule
        // may be based on a single sample, so treat a miss as weak evidence
        // and assign a confidence level accordingly.
        7 of them and filesize < 2151424
}