MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 21841068c709e94042478963cd39730a59ef5a3915e8d9c500d964ceff7652ad. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Socks5Systemz

Vendor detections: 12

Intelligence 12 IOCs YARA File information Comments 1

SHA256 hash:	21841068c709e94042478963cd39730a59ef5a3915e8d9c500d964ceff7652ad
SHA3-384 hash:	3cc4e9a8cedec5d34d9c499d83447f1ed52df7eae609db73ec28f65ae85496323d8852176ae0e8b13dc02679001c3523
SHA1 hash:	7ddc1709beb281877e0fd667eabee513df883481
MD5 hash:	0e101e27ebb2fa0040f330ac928d2ba8
humanhash:	robert-illinois-don-angel
File name:	0e101e27ebb2fa0040f330ac928d2ba8
Download:	download sample
Signature	Socks5Systemz Create hunting rule
File size:	7'428'190 bytes
First seen:	2023-12-15 16:42:19 UTC
Last seen:	2023-12-15 18:21:30 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	884310b1928934402ea6fec1dbd3cf5e (3'725 x GCleaner, 3'456 x Socks5Systemz, 262 x RaccoonStealer)
ssdeep	196608:+PJ0MO97Xp3xrRIV1qnO9So3O436dEHtvR6Q64hn8f59zj:AUlzySwSo3OUsx19zj
Threatray	4'337 similar samples on MalwareBazaar
TLSH	T1B776338298904DBAE525A7F93F10F0F208677CC620AAC096395E74497F36DA9C31DF5E
TrID	76.2% (.EXE) Inno Setup installer (107240/4/30) 10.0% (.EXE) Win32 Executable Delphi generic (14182/79/4) 4.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 3.2% (.EXE) Win32 Executable (generic) (4505/5/1) 1.4% (.EXE) Win16/32 Executable Delphi generic (2072/23)
File icon (PE):
dhash icon	fc66d8c8ead8b0b4 (212 x Socks5Systemz)
Reporter	zbetcheckin
Tags:	32 exe Socks5Systemz

Intelligence

File Origin

# of uploads :

# of downloads :

257

Origin country :

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/467599/

Detection(s):

SecuriteInfo.com.Win32.Evo-gen.13998.20902.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a file in the %temp% subdirectories

Creating a window

Creating a process from a recently created file

Сreating synchronization primitives

Searching for synchronization primitives

Creating a file in the Program Files subdirectories

Moving a file to the Program Files subdirectory

Launching a process

Modifying a system file

Sending a custom TCP request

Creating a file

Creating a service

Launching the process to interact with network services

Enabling autorun for a service

Gathering data

Verdict:

Suspicious

Threat level:

5/10

Confidence:

89%

Tags:

control installer lolbin overlay packed shell32

Link:

https://www.filescan.io/uploads/657c821cf4b6e5e1634aed92/reports/ab32023a-f0ac-47b0-a66e-1160ae9205cd/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_60%

Link:

https://www.hybrid-analysis.com/sample/21841068c709e94042478963cd39730a59ef5a3915e8d9c500d964ceff7652ad

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Suspicious

Link:

https://analyze.intezer.com/analyses/6ce6a45e-ba44-46fb-b560-5965d613f6b8

Score:

90%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/21841068c709e94042478963cd39730a59ef5a3915e8d9c500d964ceff7652ad

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/21841068c709e94042478963cd39730a59ef5a3915e8d9c500d964ceff7652ad/

Threat name:

Win32.Trojan.Generic

Status:

Malicious

First seen:

2023-12-15 16:43:10 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

6 of 36 (16.67%)

Threat level:

2/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=egcba2ghbhuuaqshrfr42oltbjm66wrzcxuntria3fsm573wkkwq._file

Verdict:

malicious

Socks5Systemz

0790b8f5159907624373bca1ffee0e9be36fad41ae22daa9cc729888e3d6b7e4

Socks5Systemz

0ca2d5a9b84f47037aaab114d83f76f4e564fe6d777094a7e9ced785e8b42bf5

Socks5Systemz

3ee5c5a8fb884667eeca6c3299baa93f35852fdc27cec2a30e16a94345383e7f

Socks5Systemz

56a1e77ff0166ab00620fa231dcfd56395bf6701efd047c957647c5ac01d85a7

Socks5Systemz

65c9b058f3fdb7219dadac3da35429b19a484d5c7da16e0ed7a83c8690f8ac13

Socks5Systemz

8cd7d9d47ba8102ac9270964c9ab8f8dc1ef213bd768ffe873f17562b9d96a09

Socks5Systemz

9dff31b54f61cde3f68092bbb012a021db36dc07d5437f22bb20024d09b359c4

Socks5Systemz

d9bc37179d23c44f9f3fdfb2ae0f8409856153765061e73d1926138d2a47c4d2

Socks5Systemz

fff07b250a7512040a95c3ddb427b32d269bd4f7a2bece2ed878c2652a2b84a1

Socks5Systemz

+ 4'327 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

7/10

Tags:

discovery

Link:

https://tria.ge/reports/231215-t79aesgbfq/

Behaviour

Runs net.exe

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Drops file in Program Files directory

Checks installed software on the system

Executes dropped EXE

Loads dropped DLL

Unexpected DNS network traffic destination

Unpacked files

SH256 hash:

d1286da2332f03018f97ce332f9b3ea0963088e2ec105e6f2ba3acaea00560d4

MD5 hash:

5e46d295989c1e038ce5202a45a591b4

SHA1 hash:

46ea548a01d0e35d655a9cbcc90671fe3b5bf06c

Link:

https://www.unpac.me/results/18b187ea-fb92-4959-b804-46d235a7b588/

SH256 hash:

cd9adefaa35a3034662e86df2be1c36b329bc244f94c3159539acafd6553b0f2

MD5 hash:

c8e8e96fdd5193502d3c1446929036e3

SHA1 hash:

41087fdd7b91ada19000ce49bf83a63b65d3deb1

Detections:

INDICATOR_EXE_Packed_VMProtect

Link:

https://www.unpac.me/results/18b187ea-fb92-4959-b804-46d235a7b588/

Parent samples :

8cd7d9d47ba8102ac9270964c9ab8f8dc1ef213bd768ffe873f17562b9d96a09
21841068c709e94042478963cd39730a59ef5a3915e8d9c500d964ceff7652ad
be7c8595cd546418bba8e844ba2f52a84381dac962b3bd14361ced4eac6350fb
b031e427d9507815be0a6c0fb88a8812eb55272a77b5bfc52e34ece8736f748a
d8c23b426a74a6ad69665008bab562c0cf5069ebe459e16e30337f62e0108dad
60ba56182333d22369253a00e1727b13428204bf2bbfddb6886d7de14b127a0a
3937ead41fd807749c505cbf5ed6e0d50332fadebe8c738a577b00753e2c58b8
ab0b4f68598f08654f3557b358885d871eac40f980a5a5cfafd96bc0ac6de710
6126cec232b338fe92c5dc56f15f735bd750aa7669563c2e7f11cc962e4c501f
44fe362fc7097bf09caa35e8994ce0c4a91b1cc5c9e21c88436501e0dabcdf18
b11de30bf78d392a2a80e04628c08041452c0b5784394f0da4b43311d627e93f
0aaae938dbf33ebcf266df1ac8732813d346b82a39cdc83cf2dbe552803f86df
95e0b83409c2f4d7dd5da83bb1bdd65efc6e34d28b97773f14d7ca3822dced97
bd6f268e9e8f8d1cd3d33b08e5d4862a7b255ad023458c540ecfafa5d1ed8eea
866ec6c3b836357b347dc1a321140ab13ce731e61f396567f8956459781eeee0
cef0dde6c3601f7749fe5dfaf5735585fadd8c8a1958cea9091729a8c8fe9b36
154c4ec8406b92370b54f82496aa810af9f610fcd921bdb6a9dbc3192ae59c2a
a36ea9b99485c6bebc0f03fda024ece9199fc78d925124a87880269097b06bc1
d43ffbe733ec648bc3c9d4a466991d7a918d6a6ac3fe8b2e37ff66d2e4ce3981
3eceb0e5cb6d6e6a117298ccc10974d372eda885ffae9f8fc5539228d5e14766
75ce81e220a88057c4ce1eea3785dfd3e4b13faca319cf8ecb5a0afc8a86ee83
224bc6c33dcd68acb507793a6be8127b6ebb136969dce57a20cfe5348ba886ca
ebdcd8bb5d2463edd5bff47dfd842991e6f3ce96566a8c7b38bc2125d2043f59
d6f19704c133c17b682eb6982a4424c5aa729b4ee31f948b685dd6bcfc723caa
c607450c06c5860f7752a3c362791cae38f63b5f29d5ac4e7af05388dc8b0f52
e730705b1cbc94bb440445b63ed4a65729ee368fd2d53ca99ae5a1dccecaea12
2c6bbfd2ff344195dd47497f5775ed204d8a8a4590d658dac3ef3c41a9549fd0
2baec8b80e2a91562af38517240f5b97b35b2a97f2095cb66d7b8ddf0e918866
96cb6c98160cc60e55c3a64b4771ad5722189e4e7ed232a181c2b0b59e7714b4
18e96681f6c62925a2dc63cfe4a83dcd2c67126df12e222f14eab5a083fa5a5d
cabbee07b2ba837482d0674d15fe88809271511aa5782d8a458e958ee59e5863
045b1b8faa65cce267fdbc88b1e7ef8a48c2c09fa6a1f6d3992d23e37a7f3e70
15e0db7a88f0878f35c2b99a976ca337eccdf5f239a53a73d24c318ab7ebbb07
76bb2c85953cd4eb60f8bcf05d92a8235bd79982258608f0f173bf0cb2af49cd
e889afcc0429b2814282eecde77b42a12684085ca4fee29d39ae4aac9a66fa67
7307047350a12c3bee3987b4da33bbf73bda57bbd0c3fa6c170bdfe06c8d07c9
5ef4ee8c3636f4739250714babb2bc165f0d71c6527a584f4bfe58d86279253c
123c3632afae8b7946dc9be5dba43169a19f1f6e0b66db78bb4aad047064384f
033100ad9863bd17ca8606c22dfb0abdfe616d94711801e6fddb764af7cec327
990639f84723b8018e8b22c676366ff4035f35803ad56ef152582ea549116dd1

SH256 hash:

0fa03470db8b84357a21107987200a80e383709f3a1ed65d74fbbb26ea651bde

MD5 hash:

8963a8976920768402324bd4401edc98

SHA1 hash:

b4e3a5ef872ae826e8637230b9c3fbd7653f31be

Link:

https://www.unpac.me/results/18b187ea-fb92-4959-b804-46d235a7b588/

SH256 hash:

21841068c709e94042478963cd39730a59ef5a3915e8d9c500d964ceff7652ad

MD5 hash:

0e101e27ebb2fa0040f330ac928d2ba8

SHA1 hash:

7ddc1709beb281877e0fd667eabee513df883481

Link:

https://www.unpac.me/results/18b187ea-fb92-4959-b804-46d235a7b588/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/21841068c709e94042478963cd39730a59ef5a3915e8d9c500d964ceff7652ad

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Socks5Systemz

exe 21841068c709e94042478963cd39730a59ef5a3915e8d9c500d964ceff7652ad

(this sample)

Delivery method

Distributed via web download

Cape

https://www.capesandbox.com/analysis/467599/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

zbet commented on 2023-12-15 16:42:20 UTC

url : hxxp://hitsturbo.com/order/tuc5.exe

MalwareBazaar Database

Database Entry

Intelligence

File Origin

Vendor Threat Intelligence

Result

Behaviour

Result

Details

Result

Signature

Behaviour

Result

Behaviour

Unpacked files

File information

Comments

Login required