SYMBOLCOMMON_NAMEaka. SYNONYMS
win.socelars (Back to overview)

Socelars


Socelars is an infostealer with main focus on:
* Facebook Stealer (ads/manager)
* Cookie Stealer | AdsCreditCard {Amazon}

References
2022-10-13SpamhausSpamhaus Malware Labs
@techreport{labs:20221013:spamhaus:43e3190, author = {Spamhaus Malware Labs}, title = {{Spamhaus Botnet Threat Update Q3 2022}}, date = {2022-10-13}, institution = {Spamhaus}, url = {https://info.spamhaus.com/hubfs/Botnet%20Reports/2022%20Q3%20Botnet%20Threat%20Update.pdf}, language = {English}, urldate = {2022-12-29} } Spamhaus Botnet Threat Update Q3 2022
FluBot Arkei Stealer AsyncRAT Ave Maria BumbleBee Cobalt Strike DCRat Dridex Emotet Loki Password Stealer (PWS) Nanocore RAT NetWire RC NjRAT QakBot RecordBreaker RedLine Stealer Remcos Socelars Tofsee Vjw0rm
2022-09-15SekoiaThreat & Detection Research Team
@online{team:20220915:privateloader:d88c7b2, author = {Threat & Detection Research Team}, title = {{PrivateLoader: the loader of the prevalent ruzki PPI service}}, date = {2022-09-15}, organization = {Sekoia}, url = {https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/}, language = {English}, urldate = {2022-09-19} } PrivateLoader: the loader of the prevalent ruzki PPI service
Agent Tesla Coinminer DanaBot DCRat Eternity Stealer Glupteba Mars Stealer NetSupportManager RAT Nymaim Nymaim2 Phoenix Keylogger PrivateLoader Raccoon RedLine Stealer SmokeLoader Socelars STOP Vidar YTStealer
2021-09-27Trend MicroRyan Maglaque, Joelson Soares, Gilbert Sison, Arianne Dela Cruz, Warren Sto.Tomas
@online{maglaque:20210927:fake:e02e3a3, author = {Ryan Maglaque and Joelson Soares and Gilbert Sison and Arianne Dela Cruz and Warren Sto.Tomas}, title = {{Fake Installers Drop Malware and Open Doors for Opportunistic Attackers}}, date = {2021-09-27}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/21/i/fake-installers-drop-malware-and-open-doors-for-opportunistic-attackers.html}, language = {English}, urldate = {2021-10-05} } Fake Installers Drop Malware and Open Doors for Opportunistic Attackers
RedLine Stealer Socelars Vidar
2020-07-29ESET Researchwelivesecurity
@techreport{welivesecurity:20200729:threat:496355c, author = {welivesecurity}, title = {{THREAT REPORT Q2 2020}}, date = {2020-07-29}, institution = {ESET Research}, url = {https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf}, language = {English}, urldate = {2020-07-30} } THREAT REPORT Q2 2020
DEFENSOR ID HiddenAd Bundlore Pirrit Agent.BTZ Cerber ClipBanker CROSSWALK Cryptowall CTB Locker DanaBot Dharma Formbook Gandcrab Grandoreiro Houdini ISFB LockBit Locky Mailto Maze Microcin Nemty NjRAT Phobos PlugX Pony REvil Socelars STOP Tinba TrickBot WannaCryptor
2019-12-02Twitter (@VK_intel)Vitali Kremez
@online{kremez:20191202:socelars:8d5d01c, author = {Vitali Kremez}, title = {{Tweet on Socelars Stealer}}, date = {2019-12-02}, organization = {Twitter (@VK_intel)}, url = {https://twitter.com/VK_Intel/status/1201584107928653824}, language = {English}, urldate = {2020-01-17} } Tweet on Socelars Stealer
Socelars
2019-12-02Bleeping ComputerLawrence Abrams
@online{abrams:20191202:facebook:5630b4e, author = {Lawrence Abrams}, title = {{Facebook Ads Manager Targeted by New Info-Stealing Trojan}}, date = {2019-12-02}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/facebook-ads-manager-targeted-by-new-info-stealing-trojan/}, language = {English}, urldate = {2020-02-26} } Facebook Ads Manager Targeted by New Info-Stealing Trojan
Socelars
Yara Rules
[TLP:WHITE] win_socelars_auto (20230125 | Detects win.socelars.)
rule win_socelars_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-01-25"
        version = "1"
        description = "Detects win.socelars."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.socelars"
        malpedia_rule_date = "20230124"
        malpedia_hash = "2ee0eebba83dce3d019a90519f2f972c0fcf9686"
        malpedia_version = "20230125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 8d9534deffff 52 8d8d6cdcffff e8???????? 8d856cdcffff 50 e8???????? }
            // n = 7, score = 100
            //   8d9534deffff         | lea                 edx, [ebp - 0x21cc]
            //   52                   | push                edx
            //   8d8d6cdcffff         | lea                 ecx, [ebp - 0x2394]
            //   e8????????           |                     
            //   8d856cdcffff         | lea                 eax, [ebp - 0x2394]
            //   50                   | push                eax
            //   e8????????           |                     

        $sequence_1 = { e8???????? c645fc0e 6a00 8d8528ffffff 50 8d8d10ffffff 51 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   c645fc0e             | mov                 byte ptr [ebp - 4], 0xe
            //   6a00                 | push                0
            //   8d8528ffffff         | lea                 eax, [ebp - 0xd8]
            //   50                   | push                eax
            //   8d8d10ffffff         | lea                 ecx, [ebp - 0xf0]
            //   51                   | push                ecx

        $sequence_2 = { e8???????? 8bcf e8???????? 8b4c2410 8bd7 e8???????? 8bc6 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   8bcf                 | mov                 ecx, edi
            //   e8????????           |                     
            //   8b4c2410             | mov                 ecx, dword ptr [esp + 0x10]
            //   8bd7                 | mov                 edx, edi
            //   e8????????           |                     
            //   8bc6                 | mov                 eax, esi

        $sequence_3 = { c744881000000000 85db 740d 8bcb e8???????? eb04 8b742430 }
            // n = 7, score = 100
            //   c744881000000000     | mov                 dword ptr [eax + ecx*4 + 0x10], 0
            //   85db                 | test                ebx, ebx
            //   740d                 | je                  0xf
            //   8bcb                 | mov                 ecx, ebx
            //   e8????????           |                     
            //   eb04                 | jmp                 6
            //   8b742430             | mov                 esi, dword ptr [esp + 0x30]

        $sequence_4 = { e8???????? 8b4dd8 83c104 8b55dc 8911 8b45e0 894104 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   8b4dd8               | mov                 ecx, dword ptr [ebp - 0x28]
            //   83c104               | add                 ecx, 4
            //   8b55dc               | mov                 edx, dword ptr [ebp - 0x24]
            //   8911                 | mov                 dword ptr [ecx], edx
            //   8b45e0               | mov                 eax, dword ptr [ebp - 0x20]
            //   894104               | mov                 dword ptr [ecx + 4], eax

        $sequence_5 = { e8???????? 8b442440 85c0 740e 6a01 8bd0 8bcb }
            // n = 7, score = 100
            //   e8????????           |                     
            //   8b442440             | mov                 eax, dword ptr [esp + 0x40]
            //   85c0                 | test                eax, eax
            //   740e                 | je                  0x10
            //   6a01                 | push                1
            //   8bd0                 | mov                 edx, eax
            //   8bcb                 | mov                 ecx, ebx

        $sequence_6 = { 8b54244c 83c210 897c2440 8954244c 0fbf432a 3bf8 0f8cc6feffff }
            // n = 7, score = 100
            //   8b54244c             | mov                 edx, dword ptr [esp + 0x4c]
            //   83c210               | add                 edx, 0x10
            //   897c2440             | mov                 dword ptr [esp + 0x40], edi
            //   8954244c             | mov                 dword ptr [esp + 0x4c], edx
            //   0fbf432a             | movsx               eax, word ptr [ebx + 0x2a]
            //   3bf8                 | cmp                 edi, eax
            //   0f8cc6feffff         | jl                  0xfffffecc

        $sequence_7 = { e8???????? 83c410 66834e0a04 8b442428 83c730 8b4c2450 40 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   83c410               | add                 esp, 0x10
            //   66834e0a04           | or                  word ptr [esi + 0xa], 4
            //   8b442428             | mov                 eax, dword ptr [esp + 0x28]
            //   83c730               | add                 edi, 0x30
            //   8b4c2450             | mov                 ecx, dword ptr [esp + 0x50]
            //   40                   | inc                 eax

        $sequence_8 = { e8???????? 8bf0 83c40c 85f6 750c 897b38 8b7c2424 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   8bf0                 | mov                 esi, eax
            //   83c40c               | add                 esp, 0xc
            //   85f6                 | test                esi, esi
            //   750c                 | jne                 0xe
            //   897b38               | mov                 dword ptr [ebx + 0x38], edi
            //   8b7c2424             | mov                 edi, dword ptr [esp + 0x24]

        $sequence_9 = { 75f6 894c2420 6690 8b7e30 8d442440 8b4c2408 8bd6 }
            // n = 7, score = 100
            //   75f6                 | jne                 0xfffffff8
            //   894c2420             | mov                 dword ptr [esp + 0x20], ecx
            //   6690                 | nop                 
            //   8b7e30               | mov                 edi, dword ptr [esi + 0x30]
            //   8d442440             | lea                 eax, [esp + 0x40]
            //   8b4c2408             | mov                 ecx, dword ptr [esp + 8]
            //   8bd6                 | mov                 edx, esi

    condition:
        7 of them and filesize < 2151424
}
Download all Yara Rules