MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 13054d2dd86e9d9b7920a0172e9b40ee0409f4e21412ace7ce16160394b6e87d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Socks5Systemz


Vendor detections: 13


Intelligence 13 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 13054d2dd86e9d9b7920a0172e9b40ee0409f4e21412ace7ce16160394b6e87d
SHA3-384 hash: 40856df88c2806be9e67bf659a76466236c19b4e0eb456ab9d99c84ac540e85339b8725c8ed8030c94dc38d020106d31
SHA1 hash: 492503ac894a9e9e78211cced39ed0b0052ad737
MD5 hash: 02c9d37b3eebbc186b6fc262cd929762
humanhash: single-william-green-lion
File name:02c9d37b3eebbc186b6fc262cd929762.exe
Download: download sample
Signature Socks5Systemz
Create hunting rule
File size:2'043'647 bytes
First seen:2024-03-23 09:20:18 UTC
Last seen:2024-07-25 01:09:52 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 884310b1928934402ea6fec1dbd3cf5e (3'725 x GCleaner, 3'460 x Socks5Systemz, 262 x RaccoonStealer)
ssdeep 24576:320yWIKtk8hG3DLgGM+OGOBTYQ5BBdCHIMy9J9JnHYNOZZ6sN0zQeCpeJdU0y8vu:32etDGFM+2f7LDRkOZ/MCASu98
Threatray 20 similar samples on MalwareBazaar
TLSH T1A4953313E3E2D87AF0A0FDB16C23AA105963FF9D187511853A2D594D6F638D4E28CB93
TrID 76.2% (.EXE) Inno Setup installer (107240/4/30)
10.0% (.EXE) Win32 Executable Delphi generic (14182/79/4)
4.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.2% (.EXE) Win32 Executable (generic) (4504/4/1)
1.4% (.EXE) Win16/32 Executable Delphi generic (2072/23)
File icon (PE):PE icon
dhash icon b298acbab2ca7a72 (2'327 x GCleaner, 1'631 x Socks5Systemz, 67 x RedLineStealer)
Reporter abuse_ch
Tags:exe Socks5Systemz


Avatar
abuse_ch
Socks5Systemz C2:
45.142.214.240:80

Intelligence

File Origin
# of uploads :
3
# of downloads :
361
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
13054d2dd86e9d9b7920a0172e9b40ee0409f4e21412ace7ce16160394b6e87d.exe
Verdict:
Malicious activity
Analysis date:
2024-03-23 09:21:55 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/ddf26fb0-c5fc-47ac-a634-3a1e3916d971

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a window
Creating a process from a recently created file
Сreating synchronization primitives
Searching for the window
Creating a file
Moving a recently created file
Modifying a system file
Creating a service
Launching a process
Moving a file to the Program Files subdirectory
Replacing files
Enabling autorun for a service
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
fingerprint installer lolbin overlay packed shell32
Link:
https://www.filescan.io/uploads/65fe9f007090716b20190cc3/reports/db7aae65-66db-4828-8f8c-30b7f7e4d846/overview
Verdict:
Suspicious
Labled as:
HEUR/AGEN.1372994
Link:
https://www.hybrid-analysis.com/sample/13054d2dd86e9d9b7920a0172e9b40ee0409f4e21412ace7ce16160394b6e87d
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/24e603cf-ae3d-4e11-b169-0a1afdeb33c1
Result
Threat name:
Socks5Systemz
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1414425
Signature
Antivirus / Scanner detection for submitted sample
Contains functionality to infect the boot sector
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Machine Learning detection for dropped file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected Socks5Systemz
Behaviour
Behavior Graph:
Download SVG
Score:
13%
Verdict:
Benign
File Type:
PE
Link:
https://malprob.io/report/13054d2dd86e9d9b7920a0172e9b40ee0409f4e21412ace7ce16160394b6e87d
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/13054d2dd86e9d9b7920a0172e9b40ee0409f4e21412ace7ce16160394b6e87d/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Malicious
First seen:
2024-03-23 09:21:07 UTC
File Type:
PE (Exe)
Extracted files:
6
AV detection:
12 of 24 (50.00%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=cmcu2loyn2ozw6jauals5g2a5ycat5hccqjkzz6ocylahffw5b6q._file
Verdict:
malicious
Similar samples:
5a78266d2c6a7597e5e85538a6fb9c8e2e019db2d25818d36c0ff7a9b53a43bc
Socks5Systemz
9ac0360dc962bbce1c4c8a5b45df41f113acbdcbaa2debdc051f704b955a21fd
Socks5Systemz
e8b1799f8065a7438b8bf111c22f20fbd6f1fdc02db8be75fceb43e76c497036
Socks5Systemz
ff81ebb631def33459e576f7af0204392e5545209a1d3ac262eeb7b185d61c75
Socks5Systemz
+ 10 additional samples on MalwareBazaar
Result
Malware family:
socks5systemz
Create hunting rule
Score:
  10/10
Tags:
family:socks5systemz botnet discovery
Link:
https://tria.ge/reports/240323-lbbqaahf6y/
Behaviour
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Checks installed software on the system
Executes dropped EXE
Loads dropped DLL
Unexpected DNS network traffic destination
Detect Socks5Systemz Payload
Socks5Systemz
Malware Config
C2 Extraction:
http://ddpiiad.info/search/?q=67e28dd83f0fa47b1407ab4e7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa44e8889b5e4fa9281ae978a271ea771795af8e05c642db22f31df92d8b38e316a667d307eca743ec4c2b07b52966923a668ff714c7ec9d
http://ddpiiad.info/search/?q=67e28dd83f0fa47b1407ab4e7c27d78406abdd88be4b12eab517aa5c96bd86ef9d804a885a8bbc896c58e713bc90c91136b5281fc235a925ed3e01d6bd974a95129070b611e96cc92be20ea778c255bbe258b90d3b4eed3233d1626a8ff810c1ee9d9f3cce67
http://bxdbita.com/search/?q=67e28dd83a5da32a155afd1b7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978a271ea771795af8e05c642db22f31dfe339426fa11af66c152adb719a9577e55b8603e983a608ffe10c8ea929933
http://bxdbita.com/search/?q=67e28dd83a5da32a155afd1b7c27d78406abdd88be4b12eab517aa5c96bd86ee96854f855a8bbc896c58e713bc90c91936b5281fc235a925ed3e01d6bd974a95129070b611e96cc92be510b866db52b2e34aec4c2b14a82966836f23d7f210c7ee949b33c868951e
Unpacked files
SH256 hash:
e9cfe16569a5471d2df0bd0aa23917f418750393d5a2872aeaf79bd13743efeb
MD5 hash:
1646bb8a9b51402b1cdf57449898f9aa
SHA1 hash:
a45396e3e6906b916c5f2d27507ef3f5a71cb21c
Link:
https://www.unpac.me/results/1c81ae97-93ad-44e1-98ae-7762aecaa329/
SH256 hash:
86c58abc8028060760323a6ba9b04857e43eb0179f385ed4be49b9fe4b226f01
MD5 hash:
363bb078f3d6470aa393f35104e42bf5
SHA1 hash:
44c24707a6698b54127525f29d8b2bf7b0686418
Detections:
Socks5Systemz
Create hunting rule
Link:
https://www.unpac.me/results/1c81ae97-93ad-44e1-98ae-7762aecaa329/
Parent samples :
5a78266d2c6a7597e5e85538a6fb9c8e2e019db2d25818d36c0ff7a9b53a43bc
ff81ebb631def33459e576f7af0204392e5545209a1d3ac262eeb7b185d61c75
9ac0360dc962bbce1c4c8a5b45df41f113acbdcbaa2debdc051f704b955a21fd
2464d67372e48f904f6061bad144f67b49c1918870d0343eb9b94479e10d1ef8
e8b1799f8065a7438b8bf111c22f20fbd6f1fdc02db8be75fceb43e76c497036
52d872fa305b5712fa9b1e25e7d9a514f711e7b1b81ab97fed157af41306201d
41105bfdb5af989cd5d636fcb77ef49f97d25d525aa2bdc35d95e1b0a46e8b60
8c06eb60b0a4cb9ed906a3a8648b7096e5a024f0d3335910c674dff1dd6ba2d9
13054d2dd86e9d9b7920a0172e9b40ee0409f4e21412ace7ce16160394b6e87d
b42c724af5c05849434bb0c34cabbd138201a7f6b6b56faadbc150885cfd0a2e
54a7785ee23bf5aabf61e909cd849e0b1649dccb6edca691fba411e7f36774a4
1ba1766362edbe760510aba2daa552624058f0dbd7f4e426c8801bd876b915d6
8463f0c1e828afc585438c68123cc4b55628bc2ec18c58671e13f9439af31fe4
45d3e2a90ffe10319fe19d04af1fbe783101c3be4841710e506ac84d0e882d07
2b6d8240ec9d04c86a70334f9d04d47188a8962d7cccfe1553ba6e9e77040518
25d5acd334f0d498f7cfef39cfb04259b6f1c0bc066b39bb4f1da85a4a4388c3
69361a92cd9421f08dcc2ca90ebe17e4ec2a261491d0fd2d22c801a764d2b58c
6b0db00703abd4a4e5d245e6c70b7678b0d9e6cd14171399b0110be37550f37c
e3afcc20063477edea06d401bc38833b8df4b3d17e44587ae2e0824a86fe60be
bb618cb84a1343d5f90e5cf6073dd9b151d902433e7198ed54748b6b7efcf503
a8757a8ee40ba6cb4339d00a2e92c6783779fa6363ec433b28e10612fe8fc14a
836667ded6e8f83458c66a5075847c9f041e3f40c25de5040a27233d99a69a25
53ea16c0c1a0feae0e1a6e50f2f180496660c0955a6763fb5429ff7204223122
5e00b8843a33d3dd8cc77eaaa1b4a8350182d639a8ce83575946b3786b356dfb
d3eed14b62ecea9cde96248df1c2d216c004c62c6e80287da6bd0b7d09952e09
cb8f045facd1167c5f65844bfc78f3facf57ed4c82cb9aaea9342d2666feba2f
3face14fa194ab9f0e7a534ed938a0d6c5ad0529017b968c9cff394400f80e89
9f03088fe6d06a375fcfeefb08d11cedf5b8865ddd29ec5e593309555c55d0e8
8043a47e47ea42b33eed0ae655867be63019613790a1c190c9914f80f3d7cfa1
1da9d783b64f9f770751e2f828ac9a1fa065ddd02fc801cc7e6526caa7f0b99a
33bcf3678845e17212de90f21b0cc8f8aaa237849ba1ad908b6783d7b6dd7857
8f5985b7574b66aea72acda2413599036634d1dd0586ff4135f03c0fe7d9bdec
deecc4ccd39de5b02eded282e5759890d9346ab1dc801f8cc7e9d317e06d27d3
7b39e82fb9d362745831c9ae998300cdd2e1e0337cfbafd22965457902751fa2
628151552bded4ac5af3103d00cb0f47737a9f6b6e4276f711de9cb26864e9ce
SH256 hash:
e3dce4d0babce92e753154d23fe13f440f86f3cacfb71f9f10a81ad1b6a6a84c
MD5 hash:
c9b058cf12bf69313ed0a59ca0f666e9
SHA1 hash:
198857f87d6b839e1413cca6c7fc8f1ad6b90048
Detections:
INDICATOR_EXE_Packed_VMProtect
Create hunting rule
Link:
https://www.unpac.me/results/1c81ae97-93ad-44e1-98ae-7762aecaa329/
SH256 hash:
44b8e6a310564338968158a1ed88c8535dece20acb06c5e22d87953c261dfed0
MD5 hash:
9c8886759e736d3f27674e0fff63d40a
SHA1 hash:
ceff6a7b106c3262d9e8496d2ab319821b100541
Link:
https://www.unpac.me/results/1c81ae97-93ad-44e1-98ae-7762aecaa329/
SH256 hash:
4dc09bac0613590f1fac8771d18af5be25a1e1cb8fdbf4031aa364f3057e74a2
MD5 hash:
0ee914c6f0bb93996c75941e1ad629c6
SHA1 hash:
12e2cb05506ee3e82046c41510f39a258a5e5549
Link:
https://www.unpac.me/results/1c81ae97-93ad-44e1-98ae-7762aecaa329/
SH256 hash:
a4c86fc4836ac728d7bd96e7915090fd59521a9e74f1d06ef8e5a47c8695fd81
MD5 hash:
4ff75f505fddcc6a9ae62216446205d9
SHA1 hash:
efe32d504ce72f32e92dcf01aa2752b04d81a342
Link:
https://www.unpac.me/results/1c81ae97-93ad-44e1-98ae-7762aecaa329/
SH256 hash:
e74db36b73c1beaba6c6773423957226a9504ae08a6dcaef044f81611b181662
MD5 hash:
18baea4b9f01a13eac075f5c419e6fee
SHA1 hash:
a9e7e523b6b5742c14b5a6ff6604d7a4f900a0bf
Link:
https://www.unpac.me/results/1c81ae97-93ad-44e1-98ae-7762aecaa329/
SH256 hash:
a85836c8a63cb546e5c3dedd865725b62fdabf943e2a696b5d0b1052ae20f6a3
MD5 hash:
dd6211e93847aae38ebae3f4d624e3b1
SHA1 hash:
04a919056efa446116c0f9c8ba7034f22c7ac8aa
Link:
https://www.unpac.me/results/1c81ae97-93ad-44e1-98ae-7762aecaa329/
SH256 hash:
13054d2dd86e9d9b7920a0172e9b40ee0409f4e21412ace7ce16160394b6e87d
MD5 hash:
02c9d37b3eebbc186b6fc262cd929762
SHA1 hash:
492503ac894a9e9e78211cced39ed0b0052ad737
Link:
https://www.unpac.me/results/1c81ae97-93ad-44e1-98ae-7762aecaa329/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.93
Link:
https://yomi.yoroi.company/submissions/13054d2dd86e9d9b7920a0172e9b40ee0409f4e21412ace7ce16160394b6e87d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_VMProtect
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with VMProtect.
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Socks5Systemz

Executable exe 13054d2dd86e9d9b7920a0172e9b40ee0409f4e21412ace7ce16160394b6e87d

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2787069/
  
Delivery method
Distributed via web download

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
CHECK_NXMissing Non-Executable Memory Protectioncritical
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh
Reviews
IDCapabilitiesEvidence
SECURITY_BASE_APIUses Security Base APIadvapi32.dll::AdjustTokenPrivileges
WIN32_PROCESS_APICan Create Process and Threadskernel32.dll::CreateProcessA
advapi32.dll::OpenProcessToken
kernel32.dll::CloseHandle
WIN_BASE_APIUses Win Base APIkernel32.dll::LoadLibraryA
kernel32.dll::GetSystemInfo
kernel32.dll::GetCommandLineA
WIN_BASE_IO_APICan Create Fileskernel32.dll::CreateDirectoryA
kernel32.dll::CreateFileA
kernel32.dll::DeleteFileA
kernel32.dll::GetWindowsDirectoryA
kernel32.dll::GetFileAttributesA
kernel32.dll::RemoveDirectoryA
WIN_BASE_USER_APIRetrieves Account Informationadvapi32.dll::LookupPrivilegeValueA
WIN_REG_APICan Manipulate Windows Registryadvapi32.dll::RegOpenKeyExA
advapi32.dll::RegQueryValueExA
WIN_USER_APIPerforms GUI Actionsuser32.dll::PeekMessageA
user32.dll::CreateWindowExA

Comments