MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1795093f0f5b539c16a4cd62b94d897399ef2806b738af9b558bd44031677a73. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Socks5Systemz


Vendor detections: 12



SHA256 hash: 1795093f0f5b539c16a4cd62b94d897399ef2806b738af9b558bd44031677a73
SHA3-384 hash: b31a0fd6b94b85a46c3906ba77957a28ecfa663ae22d66118d69d0204e823c275157baf24cf0a0ebd037ae46f7616967
SHA1 hash: e69b87e5e8238ba0ab8ef38a673be140035bca60
MD5 hash: 6c8e093a8b3f7f24771ec1d0a6774535
humanhash: dakota-beer-twenty-beryllium
File name: 6c8e093a8b3f7f24771ec1d0a6774535.exe
Signature: Socks5Systemz
File size: 4'462'854 bytes
First seen: 2024-04-06 07:45:14 UTC
Last seen: 2024-04-06 08:19:23 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 884310b1928934402ea6fec1dbd3cf5e (3'725 x GCleaner, 3'454 x Socks5Systemz, 262 x RaccoonStealer)
ssdeep: 98304:CFJPnAagSLb6oNcxqqfjAocJ0twvf6csnQxZO:oBzgYvPsjAocJ0fQzO
Threatray: 50 similar samples on MalwareBazaar
TLSH: T1FE263392B100B1F2C7B14576D9FDC288C7302B2B5979BE2C5EBE845D1EA1EDB404961E
TrID:
  76.2% (.EXE) Inno Setup installer (107240/4/30)
  10.0% (.EXE) Win32 Executable Delphi generic (14182/79/4)
  4.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
  3.2% (.EXE) Win32 Executable (generic) (4504/4/1)
  1.4% (.EXE) Win16/32 Executable Delphi generic (2072/23)
dhash icon: b298acbab2ca7a72 (2'327 x GCleaner, 1'631 x Socks5Systemz, 67 x RedLineStealer)
Reporter: abuse_ch
Tags: exe Socks5Systemz


abuse_ch
Socks5Systemz C2:
89.105.201.240:80

Intelligence


File Origin
# of uploads: 2
# of downloads: 279
Origin country: NL
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: 1795093f0f5b539c16a4cd62b94d897399ef2806b738af9b558bd44031677a73.exe
Verdict: Malicious activity
Analysis date: 2024-04-06 07:47:23 UTC
Tags: n/a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Behaviour
Searching for the window
Creating a file in the %temp% subdirectories
Creating a window
Creating a process from a recently created file
Creating synchronization primitives
Searching for synchronization primitives
Creating a file
Moving a recently created file
Modifying a system file
Creating a service
Enabling autorun for a service
Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: fingerprint installer lolbin overlay packed shell32
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Socks5Systemz
Detection: malicious
Classification: troj.evad
Score: 100 / 100
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Contains functionality to infect the boot sector
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found API chain indicative of debugger detection
Found malware configuration
Machine Learning detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected Socks5Systemz
Result
Malware family: socks5systemz
Score: 10/10
Tags: family:socks5systemz botnet discovery
Behaviour
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Checks installed software on the system
Executes dropped EXE
Loads dropped DLL
Unexpected DNS network traffic destination
Detect Socks5Systemz Payload
Socks5Systemz
Malware Config
C2 Extraction:
http://bhbafdn.com/search/?q=67e28dd86554fa2a495aa4197c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4de8889b5e4fa9281ae978a071ea771795af8e05c645db22f31df92d8b38e316a667d307eca743ec4c2b07b52966923a658df718c6ec95
http://ejiulfs.ua/search/?q=67e28dd86c0ea7794406f94d7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa44e8889b5e4fa9281ae978f671ea771795af8e05c645db22f31dfe339426fa11af66c152adb719a9577e55b8603e983a608ffd12c8e6939833
http://ejiulfs.ua/search/?q=67e28dd86c0ea7794406f94d7c27d78406abdd88be4b12eab517aa5c96bd86e994844d885a8bbc896c58e713bc90c91136b5281fc235a925ed3e55d6bd974a95129070b616e96cc92be510b866db52b2e34aec4c2b14a82966836f23d7f210c7ee979933c469941e
Unpacked files
SHA256 hash: 191e3c52a1b78fb2c7e253eef9e6d8b1dfb922ffcd1828e87ee913e535cbc4a0
MD5 hash: e0a1cc0deee574464f055a1d24f14e6b
SHA1 hash: 57148c696e7ed47b039de177d53d448f6e12f1c8
SHA256 hash: 1f74cdf838957e8ec129ec02e24ff27653cbd1cd8a25504b13f702d7566783b4
MD5 hash: d209a803c582c9f385684dcb0175ed40
SHA1 hash: 6849a104fab39013ace9a72878f0277f763a0589
Detections: Socks5Systemz
Parent samples:
SHA256 hash: 9c2b84f2f98c789f020ba74373a96871abdff43df95e242641e157891bc49044
MD5 hash: 89f06335dab4ec378a7dc3a3af9aa86f
SHA1 hash: 6d9413e31356b401c033a5d9e2f99d2b5f0b776a
Detections: INDICATOR_EXE_Packed_VMProtect
SHA256 hash: 44b8e6a310564338968158a1ed88c8535dece20acb06c5e22d87953c261dfed0
MD5 hash: 9c8886759e736d3f27674e0fff63d40a
SHA1 hash: ceff6a7b106c3262d9e8496d2ab319821b100541
SHA256 hash: 4dc09bac0613590f1fac8771d18af5be25a1e1cb8fdbf4031aa364f3057e74a2
MD5 hash: 0ee914c6f0bb93996c75941e1ad629c6
SHA1 hash: 12e2cb05506ee3e82046c41510f39a258a5e5549
SHA256 hash: a4c86fc4836ac728d7bd96e7915090fd59521a9e74f1d06ef8e5a47c8695fd81
MD5 hash: 4ff75f505fddcc6a9ae62216446205d9
SHA1 hash: efe32d504ce72f32e92dcf01aa2752b04d81a342
SHA256 hash: eb23d2eb45e2d47d3eaffe6b0c843bbd481475532b334b337bd39f009d5b5b29
MD5 hash: 05c134fd4428b46b265001a793c678e4
SHA1 hash: 9b373e381b5249b50938b621cc68d2ac574db6f3
SHA256 hash: 25936ab6578a44ce9c2fc54ffa253b53a76c14a14943d055189c0e2b292acac8
MD5 hash: 9444e17254a82e805c735feb8b532f61
SHA1 hash: 9365bc35aa3c6377b1eec0221fcc4ba0dc4587e0
SHA256 hash: d6230408e34d0f81f599167d65e34f873cabbb08a0bd197f7a94d9ec106bb895
MD5 hash: 17dfec96d5cffb58851034460c9d6d1d
SHA1 hash: 296f579cb6abcb30b36f0b97cd76b454c6a0c0cb
SHA256 hash: 1795093f0f5b539c16a4cd62b94d897399ef2806b738af9b558bd44031677a73
MD5 hash: 6c8e093a8b3f7f24771ec1d0a6774535
SHA1 hash: e69b87e5e8238ba0ab8ef38a673be140035bca60
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: INDICATOR_EXE_Packed_VMProtect
Author: ditekSHen
Description: Detects executables packed with VMProtect.
Rule name: MD5_Constants
Author: phoul (@phoul)
Description: Look for MD5 constants
Rule name: shellcode
Author: nex
Description: Matched shellcode byte patterns

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Malware family: Socks5Systemz
File: Executable exe 1795093f0f5b539c16a4cd62b94d897399ef2806b738af9b558bd44031677a73 (this sample)

Delivery method
Distributed via web download

BLint


The following table provides more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables.

Findings
CHECK_AUTHENTICODE: Missing Authenticode (severity: high)
CHECK_DLL_CHARACTERISTICS: Missing dll Security Characteristics (HIGH_ENTROPY_VA) (severity: high)
CHECK_NX: Missing Non-Executable Memory Protection (severity: critical)
CHECK_PIE: Missing Position-Independent Executable (PIE) Protection (severity: high)
Reviews
SECURITY_BASE_API: Uses Security Base API
  Evidence: advapi32.dll::AdjustTokenPrivileges
WIN32_PROCESS_API: Can Create Process and Threads
  Evidence: kernel32.dll::CreateProcessA, advapi32.dll::OpenProcessToken, kernel32.dll::CloseHandle
WIN_BASE_API: Uses Win Base API
  Evidence: kernel32.dll::LoadLibraryA, kernel32.dll::GetSystemInfo, kernel32.dll::GetCommandLineA
WIN_BASE_IO_API: Can Create Files
  Evidence: kernel32.dll::CreateDirectoryA, kernel32.dll::CreateFileA, kernel32.dll::DeleteFileA, kernel32.dll::GetWindowsDirectoryA, kernel32.dll::GetFileAttributesA, kernel32.dll::RemoveDirectoryA
WIN_BASE_USER_API: Retrieves Account Information
  Evidence: advapi32.dll::LookupPrivilegeValueA
WIN_REG_API: Can Manipulate Windows Registry
  Evidence: advapi32.dll::RegOpenKeyExA, advapi32.dll::RegQueryValueExA
WIN_USER_API: Performs GUI Actions
  Evidence: user32.dll::PeekMessageA, user32.dll::CreateWindowExA
