MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 01c790bf626eab9151a29400e7bf5ec1f2f24154ba7bdf605428cd880857caba. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Socks5Systemz


Vendor detections: 10


Intelligence 10 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 01c790bf626eab9151a29400e7bf5ec1f2f24154ba7bdf605428cd880857caba
SHA3-384 hash: fec04f9adc2c603c83a6e7ebd69c868e2a490ebaa4d96b14330bac1b48dbc72102dc42236733284ca54198f27c1dd3b7
SHA1 hash: 2364a4fcdef333060671a31476eb9aa55ed87a91
MD5 hash: e5979067cd620d401638a07e4230dfed
humanhash: three-nuts-johnny-black
File name:SecuriteInfo.com.Trojan-Dropper.Win32.Agent.10415.13252
Download: download sample
Signature Socks5Systemz
Create hunting rule
File size:4'876'519 bytes
First seen:2023-12-31 19:47:08 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 884310b1928934402ea6fec1dbd3cf5e (3'725 x GCleaner, 3'460 x Socks5Systemz, 262 x RaccoonStealer)
ssdeep 98304:QS9IJpIhDL5P9WTZVMbyUOx2P28O0TAvfgCm9reCUo4dm8:wpGDLWcUx2P45m9iCz4dD
Threatray 109 similar samples on MalwareBazaar
TLSH T1A63633B397A5883CF4D0DC38FDB7972A4C32550B6B398876E16D69FBD9A24C24C19708
TrID 76.2% (.EXE) Inno Setup installer (107240/4/30)
10.0% (.EXE) Win32 Executable Delphi generic (14182/79/4)
4.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.2% (.EXE) Win32 Executable (generic) (4505/5/1)
1.4% (.EXE) Win16/32 Executable Delphi generic (2072/23)
File icon (PE):PE icon
dhash icon b298acbab2ca7a72 (2'327 x GCleaner, 1'631 x Socks5Systemz, 67 x RedLineStealer)
Reporter SecuriteInfoCom
Tags:exe Socks5Systemz

Intelligence

File Origin
# of uploads :
1
# of downloads :
270
Origin country :
FR FR
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Trojan-Dropper.Win32.Agent.10415.13252.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% subdirectories
Creating a window
Creating a process from a recently created file
Сreating synchronization primitives
Searching for synchronization primitives
Creating a file in the Program Files subdirectories
Moving a file to the Program Files subdirectory
Launching the process to interact with network services
Modifying a system file
Creating a file
Creating a service
Launching a process
Enabling autorun for a service
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
control installer lolbin overlay packed shell32
Link:
https://www.filescan.io/uploads/6591c5747d4bdb7f8b01d791/reports/d3c24e8a-1f7d-4c01-bc4c-7b7ea8e33ab5/overview
Verdict:
Malicious
Link:
https://www.hybrid-analysis.com/sample/01c790bf626eab9151a29400e7bf5ec1f2f24154ba7bdf605428cd880857caba
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Argotronic GmbH
Create hunting rule
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/2c94cc72-dae8-4b10-82fc-9d7daa7ebcc7
Result
Threat name:
Petite Virus, Socks5Systemz
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1368418
Signature
Antivirus / Scanner detection for submitted sample
Contains functionality to infect the boot sector
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Multi AV Scanner detection for submitted file
PE file has nameless sections
Snort IDS alert for network traffic
Yara detected Petite Virus
Yara detected Socks5Systemz
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1368418 Sample: SecuriteInfo.com.Trojan-Dro... Startdate: 31/12/2023 Architecture: WINDOWS Score: 100 43 time.windows.com 2->43 45 Snort IDS alert for network traffic 2->45 47 Antivirus / Scanner detection for submitted sample 2->47 49 Multi AV Scanner detection for submitted file 2->49 51 6 other signatures 2->51 9 SecuriteInfo.com.Trojan-Dropper.Win32.Agent.10415.13252.exe 2 2->9         started        12 svchost.exe 2->12         started        signatures3 process4 file5 31 SecuriteInfo.com.T...ent.10415.13252.tmp, PE32 9->31 dropped 14 SecuriteInfo.com.Trojan-Dropper.Win32.Agent.10415.13252.tmp 17 63 9->14         started        process6 file7 33 C:\...\vstorage-extension.exe, PE32 14->33 dropped 35 C:\Program Files (x86)\...\is-KFBD8.tmp, PE32 14->35 dropped 37 C:\Users\user\AppData\Local\...\_shfoldr.dll, PE32 14->37 dropped 39 83 other files (none is malicious) 14->39 dropped 17 vstorage-extension.exe 1 15 14->17         started        20 net.exe 1 14->20         started        22 vstorage-extension.exe 1 2 14->22         started        process8 dnsIp9 41 bdjspwq.com 185.196.8.22, 49708, 49709, 49710 SIMPLECARRER2IT Switzerland 17->41 25 conhost.exe 20->25         started        27 net1.exe 1 20->27         started        29 C:\ProgramData\...\XBLNetconfig73.exe, PE32 22->29 dropped file10 process11
Score:
16%
Verdict:
Benign
File Type:
PE
Link:
https://malprob.io/report/01c790bf626eab9151a29400e7bf5ec1f2f24154ba7bdf605428cd880857caba
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/01c790bf626eab9151a29400e7bf5ec1f2f24154ba7bdf605428cd880857caba/
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ahdzbp3cn2vzcuncsqaopp26yhzpeqkuxj556ycufdgyqccxzk5a._file
Verdict:
malicious
Similar samples:
06c0877edf7076f1d18b6d6a0dfe5e1a28e909cfbfb5868c36f5e0c7b4ad6082
Socks5Systemz
21d5983266ef2badb1e1557ff238a60f411780f4098907674212ee2d2df95e70
Socks5Systemz
34f40290d4ccf49383fc7870f5f2637171effa41f7770ae5bb9cc0f48f61a6d6
Socks5Systemz
4632afaaca26e69491829d3b0572f3428b4c1c6bbaa290f988c8ed9860973367
Socks5Systemz
5dad68a8228450333b6202358c2fc50fe5ec7527c51e391c13354ab7ce27e667
Socks5Systemz
7157ecb7914f8782239cc0160a3cd6ff622e204651d957ac7846b4ad7e7d4343
Socks5Systemz
ade5d725be0a886266fda7a680503eafc131c40f608d1c86cfbfffa5a6a88370
Socks5Systemz
e2b96622784705d2e1d7e7d117263a70b02fcd82c93f19dc8e5866a4bafbd1ad
Socks5Systemz
+ 99 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
discovery
Link:
https://tria.ge/reports/231231-yh35bsdber/
Behaviour
Runs net.exe
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Drops file in Program Files directory
Checks installed software on the system
Executes dropped EXE
Loads dropped DLL
Unexpected DNS network traffic destination
Unpacked files
SH256 hash:
880fe6915ce2aeb4433f161c5f4808e9e04e1ab19a95eaf8fa5e926dbb4f4efa
MD5 hash:
68cdd7229cc11927188921cc807a4537
SHA1 hash:
261b677377ef70b05aa5914658ac565b5281149c
Detections:
INDICATOR_EXE_Packed_VMProtect
Create hunting rule
Link:
https://www.unpac.me/results/da3f3148-fde7-4060-aa6d-03fa45814cfa/
Parent samples :
5dad68a8228450333b6202358c2fc50fe5ec7527c51e391c13354ab7ce27e667
34f40290d4ccf49383fc7870f5f2637171effa41f7770ae5bb9cc0f48f61a6d6
21d5983266ef2badb1e1557ff238a60f411780f4098907674212ee2d2df95e70
01c790bf626eab9151a29400e7bf5ec1f2f24154ba7bdf605428cd880857caba
SH256 hash:
29f895d4dab51b00140486fb3c199cf8e953319625eca0dfb6cc6ecf6c0f0119
MD5 hash:
f7f8bc80d366187c7ca98884b4e65786
SHA1 hash:
1f2caec488bc8324ec72b85d702985d00bd0e638
Link:
https://www.unpac.me/results/da3f3148-fde7-4060-aa6d-03fa45814cfa/
SH256 hash:
3fcf69340e98ab510076f062d34915dab3cb1ea1833331711b8df299f70041d4
MD5 hash:
c2b8f29f7dae1dd5f18096ba8b10ccf7
SHA1 hash:
c80adeb9635c3bf08ef762125fb22a7ee42bb728
Link:
https://www.unpac.me/results/da3f3148-fde7-4060-aa6d-03fa45814cfa/
SH256 hash:
67fc1edd2adc49516b9a0d25e49fc53a2c2ec97b53d13c60eeda76a219244366
MD5 hash:
20a34c1d79cf4ab33c502ab1117f0125
SHA1 hash:
6f5e7a94f2136dbbae295e57f577e017cf0137c1
Link:
https://www.unpac.me/results/da3f3148-fde7-4060-aa6d-03fa45814cfa/
SH256 hash:
01c790bf626eab9151a29400e7bf5ec1f2f24154ba7bdf605428cd880857caba
MD5 hash:
e5979067cd620d401638a07e4230dfed
SHA1 hash:
2364a4fcdef333060671a31476eb9aa55ed87a91
Link:
https://www.unpac.me/results/da3f3148-fde7-4060-aa6d-03fa45814cfa/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_VMProtect
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with VMProtect.
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Socks5Systemz

Executable exe 01c790bf626eab9151a29400e7bf5ec1f2f24154ba7bdf605428cd880857caba

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2745347/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2745355/
  
URLhaus
https://urlhaus.abuse.ch/url/2739335/
  
URLhaus
https://urlhaus.abuse.ch/url/2745337/
  
URLhaus
https://urlhaus.abuse.ch/url/2741203/
  
URLhaus
https://urlhaus.abuse.ch/url/2741239/
  
URLhaus
https://urlhaus.abuse.ch/url/2741228/
  
URLhaus
https://urlhaus.abuse.ch/url/2745357/
  
URLhaus
https://urlhaus.abuse.ch/url/2739287/
  
URLhaus
https://urlhaus.abuse.ch/url/2745371/
  
URLhaus
https://urlhaus.abuse.ch/url/2741242/
  
URLhaus
https://urlhaus.abuse.ch/url/2745339/
  
URLhaus
https://urlhaus.abuse.ch/url/2745369/
  
URLhaus
https://urlhaus.abuse.ch/url/2741234/
  
URLhaus
https://urlhaus.abuse.ch/url/2741209/
  
URLhaus
https://urlhaus.abuse.ch/url/2741250/
  
URLhaus
https://urlhaus.abuse.ch/url/2745328/
  
URLhaus
https://urlhaus.abuse.ch/url/2741221/

Comments