SYMBOLCOMMON_NAMEaka. SYNONYMS
win.socelars (Back to overview)

Socelars

Socelars is an infostealer with main focus on:
* Facebook Stealer (ads/manager)
* Cookie Stealer | AdsCreditCard {Amazon}

References
2021-09-27Trend MicroRyan Maglaque, Joelson Soares, Gilbert Sison, Arianne Dela Cruz, Warren Sto.Tomas
@online{maglaque:20210927:fake:e02e3a3, author = {Ryan Maglaque and Joelson Soares and Gilbert Sison and Arianne Dela Cruz and Warren Sto.Tomas}, title = {{Fake Installers Drop Malware and Open Doors for Opportunistic Attackers}}, date = {2021-09-27}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/21/i/fake-installers-drop-malware-and-open-doors-for-opportunistic-attackers.html}, language = {English}, urldate = {2021-10-05} } Fake Installers Drop Malware and Open Doors for Opportunistic Attackers
RedLine Stealer Socelars Vidar
2020-07-29ESET Researchwelivesecurity
@techreport{welivesecurity:20200729:threat:496355c, author = {welivesecurity}, title = {{THREAT REPORT Q2 2020}}, date = {2020-07-29}, institution = {ESET Research}, url = {https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf}, language = {English}, urldate = {2020-07-30} } THREAT REPORT Q2 2020
DEFENSOR ID HiddenAd Bundlore Pirrit Agent.BTZ Cerber ClipBanker CROSSWALK Cryptowall CTB Locker DanaBot Dharma Formbook Gandcrab Grandoreiro Houdini ISFB LockBit Locky Mailto Maze Microcin Nemty NjRAT Phobos PlugX Pony REvil Socelars STOP Tinba TrickBot WannaCryptor
2019-12-02Bleeping ComputerLawrence Abrams
@online{abrams:20191202:facebook:5630b4e, author = {Lawrence Abrams}, title = {{Facebook Ads Manager Targeted by New Info-Stealing Trojan}}, date = {2019-12-02}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/facebook-ads-manager-targeted-by-new-info-stealing-trojan/}, language = {English}, urldate = {2020-02-26} } Facebook Ads Manager Targeted by New Info-Stealing Trojan
Socelars
2019-12-02Twitter (@VK_intel)Vitali Kremez
@online{kremez:20191202:socelars:8d5d01c, author = {Vitali Kremez}, title = {{Tweet on Socelars Stealer}}, date = {2019-12-02}, organization = {Twitter (@VK_intel)}, url = {https://twitter.com/VK_Intel/status/1201584107928653824}, language = {English}, urldate = {2020-01-17} } Tweet on Socelars Stealer
Socelars
Yara Rules
[TLP:WHITE] win_socelars_auto (20220411 | Detects win.socelars.)
rule win_socelars_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-04-08"
        version = "1"
        description = "Detects win.socelars."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.socelars"
        malpedia_rule_date = "20220405"
        malpedia_hash = "ecd38294bd47d5589be5cd5490dc8bb4804afc2a"
        malpedia_version = "20220411"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { e8???????? 83c408 8b4c2418 46 83fe03 0f8c33ffffff 833d????????00 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   83c408               | add                 esp, 8
            //   8b4c2418             | mov                 ecx, dword ptr [esp + 0x18]
            //   46                   | inc                 esi
            //   83fe03               | cmp                 esi, 3
            //   0f8c33ffffff         | jl                  0xffffff39
            //   833d????????00       |                     

        $sequence_1 = { ff742448 e8???????? 83c40c 85c0 0f85c4110000 ff742408 8b542424 }
            // n = 7, score = 100
            //   ff742448             | push                dword ptr [esp + 0x48]
            //   e8????????           |                     
            //   83c40c               | add                 esp, 0xc
            //   85c0                 | test                eax, eax
            //   0f85c4110000         | jne                 0x11ca
            //   ff742408             | push                dword ptr [esp + 8]
            //   8b542424             | mov                 edx, dword ptr [esp + 0x24]

        $sequence_2 = { c745f400000000 c745d800100000 0f4fc8 895ddc 8d4107 83e0f8 8945f8 }
            // n = 7, score = 100
            //   c745f400000000       | mov                 dword ptr [ebp - 0xc], 0
            //   c745d800100000       | mov                 dword ptr [ebp - 0x28], 0x1000
            //   0f4fc8               | cmovg               ecx, eax
            //   895ddc               | mov                 dword ptr [ebp - 0x24], ebx
            //   8d4107               | lea                 eax, dword ptr [ecx + 7]
            //   83e0f8               | and                 eax, 0xfffffff8
            //   8945f8               | mov                 dword ptr [ebp - 8], eax

        $sequence_3 = { c7401c00000000 8b442430 40 50 ff742460 8d842498000000 50 }
            // n = 7, score = 100
            //   c7401c00000000       | mov                 dword ptr [eax + 0x1c], 0
            //   8b442430             | mov                 eax, dword ptr [esp + 0x30]
            //   40                   | inc                 eax
            //   50                   | push                eax
            //   ff742460             | push                dword ptr [esp + 0x60]
            //   8d842498000000       | lea                 eax, dword ptr [esp + 0x98]
            //   50                   | push                eax

        $sequence_4 = { fec8 884313 0fb6c0 8b94835c010000 0fbf472a 8944241c 8b8688000000 }
            // n = 7, score = 100
            //   fec8                 | dec                 al
            //   884313               | mov                 byte ptr [ebx + 0x13], al
            //   0fb6c0               | movzx               eax, al
            //   8b94835c010000       | mov                 edx, dword ptr [ebx + eax*4 + 0x15c]
            //   0fbf472a             | movsx               eax, word ptr [edi + 0x2a]
            //   8944241c             | mov                 dword ptr [esp + 0x1c], eax
            //   8b8688000000         | mov                 eax, dword ptr [esi + 0x88]

        $sequence_5 = { 8bd0 33c0 89542438 83c414 33db 663b412a 0f8d6f010000 }
            // n = 7, score = 100
            //   8bd0                 | mov                 edx, eax
            //   33c0                 | xor                 eax, eax
            //   89542438             | mov                 dword ptr [esp + 0x38], edx
            //   83c414               | add                 esp, 0x14
            //   33db                 | xor                 ebx, ebx
            //   663b412a             | cmp                 ax, word ptr [ecx + 0x2a]
            //   0f8d6f010000         | jge                 0x175

        $sequence_6 = { eb07 3c77 750e 8b4214 8b00 833801 0f8fbe000000 }
            // n = 7, score = 100
            //   eb07                 | jmp                 9
            //   3c77                 | cmp                 al, 0x77
            //   750e                 | jne                 0x10
            //   8b4214               | mov                 eax, dword ptr [edx + 0x14]
            //   8b00                 | mov                 eax, dword ptr [eax]
            //   833801               | cmp                 dword ptr [eax], 1
            //   0f8fbe000000         | jg                  0xc4

        $sequence_7 = { 8d4ff4 8bd3 51 8d4704 50 6894000000 e8???????? }
            // n = 7, score = 100
            //   8d4ff4               | lea                 ecx, dword ptr [edi - 0xc]
            //   8bd3                 | mov                 edx, ebx
            //   51                   | push                ecx
            //   8d4704               | lea                 eax, dword ptr [edi + 4]
            //   50                   | push                eax
            //   6894000000           | push                0x94
            //   e8????????           |                     

        $sequence_8 = { 8b4b48 bf01000000 8bc7 6683494e02 5f 5e 5b }
            // n = 7, score = 100
            //   8b4b48               | mov                 ecx, dword ptr [ebx + 0x48]
            //   bf01000000           | mov                 edi, 1
            //   8bc7                 | mov                 eax, edi
            //   6683494e02           | or                  word ptr [ecx + 0x4e], 2
            //   5f                   | pop                 edi
            //   5e                   | pop                 esi
            //   5b                   | pop                 ebx

        $sequence_9 = { eb2e 8b8c24c8000000 ba???????? 8b01 8b4808 e8???????? 85c0 }
            // n = 7, score = 100
            //   eb2e                 | jmp                 0x30
            //   8b8c24c8000000       | mov                 ecx, dword ptr [esp + 0xc8]
            //   ba????????           |                     
            //   8b01                 | mov                 eax, dword ptr [ecx]
            //   8b4808               | mov                 ecx, dword ptr [eax + 8]
            //   e8????????           |                     
            //   85c0                 | test                eax, eax

    condition:
        7 of them and filesize < 2151424
}
Download all Yara Rules