MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2768fa26441f26259d7d6bbf888fddf57733739993f3fe9f67350c82476062ed. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Socks5Systemz


Vendor detections: 15


Intelligence 15 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2768fa26441f26259d7d6bbf888fddf57733739993f3fe9f67350c82476062ed
SHA3-384 hash: 4a230a2fa92f65705147cdc826d3ad13a408ff9255c163403318c08acc7bdc6160531580f3cd7b8c1ee84bd97546ab37
SHA1 hash: 80e34922310057c6a68e50b32469a8cd72f78088
MD5 hash: 44e8f53e3b360fb8cea3b67288f89b00
humanhash: snake-bulldog-pip-lactose
File name:crt.exe
Download: download sample
Signature Socks5Systemz
Create hunting rule
File size:3'509'997 bytes
First seen:2024-08-18 20:07:45 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 884310b1928934402ea6fec1dbd3cf5e (3'725 x GCleaner, 3'456 x Socks5Systemz, 262 x RaccoonStealer)
ssdeep 98304:N7YmYbgaGgqT5NxBpAbDML7/N+OG/DR3V3RAZc/IeTLd5w:5FY0aGR17wMN+TrR3deW7Lnw
Threatray 235 similar samples on MalwareBazaar
TLSH T1E9F5336BE1D08C31D1B71EB03FE7E07D6FE264255E357104321CA54AAE336D8A5AB34A
TrID 76.2% (.EXE) Inno Setup installer (107240/4/30)
10.0% (.EXE) Win32 Executable Delphi generic (14182/79/4)
4.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.2% (.EXE) Win32 Executable (generic) (4504/4/1)
1.4% (.EXE) Win16/32 Executable Delphi generic (2072/23)
File icon (PE):PE icon
dhash icon b298acbab2ca7a72 (2'327 x GCleaner, 1'631 x Socks5Systemz, 67 x RedLineStealer)
Reporter aachum
Tags:exe Socks5Systemz


Avatar
iamaachum
https://insta.willowsoaks.com/ssl/crt.exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
359
Origin country :
ES ES
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
crt.exe
Verdict:
No threats detected
Analysis date:
2024-08-18 20:10:27 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/a179112c-2d9b-4ec6-a255-5f2769c3e586

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.UntrustedCertificate.OpenCandy7AF.8482.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=66c254a5b35234d5cc6607df
Tags:
Encryption Generic Stealth Trojan
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
borland_delphi fingerprint installer lolbin overlay packed shell32
Link:
https://www.filescan.io/uploads/66c254a755c081148cca54e4/reports/72e5bc82-ef4d-4317-9ba5-1e0c98da2e99/overview
Verdict:
Suspicious
Labled as:
HEUR/AGEN.1372994
Link:
https://www.hybrid-analysis.com/sample/2768fa26441f26259d7d6bbf888fddf57733739993f3fe9f67350c82476062ed
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/9c6ca848-01a6-47c6-8096-a55116087ff1
Result
Threat name:
Socks5Systemz
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1494607
Signature
AI detected suspicious sample
Antivirus / Scanner detection for submitted sample
C2 URLs / IPs found in malware configuration
Contains functionality to infect the boot sector
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found API chain indicative of debugger detection
Found malware configuration
Machine Learning detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Uses known network protocols on non-standard ports
Yara detected Socks5Systemz
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1494607 Sample: crt.exe Startdate: 18/08/2024 Architecture: WINDOWS Score: 100 33 web.np.playstation.com 2->33 35 telemetry-web.api.playstation.com 2->35 37 8 other IPs or domains 2->37 45 Suricata IDS alerts for network traffic 2->45 47 Found malware configuration 2->47 49 Antivirus / Scanner detection for submitted sample 2->49 51 6 other signatures 2->51 8 crt.exe 2 2->8         started        signatures3 process4 file5 21 C:\Users\user\AppData\Local\Temp\...\crt.tmp, PE32 8->21 dropped 11 crt.tmp 18 24 8->11         started        process6 file7 23 C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+ 11->23 dropped 25 C:\Users\user\AppData\Local\...\_iscrypt.dll, PE32 11->25 dropped 27 C:\Users\user\AppData\Local\...\_RegDLL.tmp, PE32 11->27 dropped 29 10 other files (9 malicious) 11->29 dropped 14 harmonica32_64.exe 1 2 11->14         started        18 harmonica32_64.exe 1 17 11->18         started        process8 dnsIp9 31 C:\...\CE Photo Editor 8.18.66.exe, PE32 14->31 dropped 53 Detected unpacking (changes PE section rights) 14->53 55 Detected unpacking (overwrites its own PE header) 14->55 57 Machine Learning detection for dropped file 14->57 59 2 other signatures 14->59 39 bugmqtk.com 185.196.8.214, 49736, 49738, 49740 SIMPLECARRER2IT Switzerland 18->39 41 aem.playstation.com.ssl.d1.sc.omtrdc.net 63.140.62.27, 443, 49812, 49820 OMNITUREUS United States 18->41 43 3 other IPs or domains 18->43 file10 signatures11
Score:
72%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/2768fa26441f26259d7d6bbf888fddf57733739993f3fe9f67350c82476062ed
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/2768fa26441f26259d7d6bbf888fddf57733739993f3fe9f67350c82476062ed/
Threat name:
Win32.Trojan.Sockssystemz
Create hunting rule
Status:
Suspicious
First seen:
2024-08-18 20:08:07 UTC
File Type:
PE (Exe)
Extracted files:
5
AV detection:
15 of 24 (62.50%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=e5upujsed4tclhl5no7yrd656v3tg44zspz75h3hgugier3amlwq._file
Verdict:
malicious
Similar samples:
2c90d977b28730793bf9d6be7873b8d8ba7f55194737da0dd282e388740e9475
Socks5Systemz
35c1dd0c091271adcb8ebee5db2be736f14e48afdb05076191f6160cc020f614
Socks5Systemz
c131cb51cf9ad72483df8504488433a085302cdbb10d4d5e1d89bbdb748bb12a
Socks5Systemz
dc35f615ca7dbe0bf35a8af484ca62e85fa5466aaf259c9e6b3e54e53f674077
Socks5Systemz
e609e82d949e7d651a97dc59c7e3c9c32bc1e2ba51dc2c3cd474f75af40e69e0
Socks5Systemz
f84e463bc0f946899f3c54f0ce77817164f51d8af49798f159ddcc8ac82610a0
Socks5Systemz
+ 225 additional samples on MalwareBazaar
Result
Malware family:
socks5systemz
Create hunting rule
Score:
  10/10
Tags:
family:socks5systemz botnet discovery
Link:
https://tria.ge/reports/240818-ywjb3s1hrb/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
Checks installed software on the system
Executes dropped EXE
Loads dropped DLL
Unexpected DNS network traffic destination
Detect Socks5Systemz Payload
Socks5Systemz
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/d4f710f7-a164-4c52-a64a-4e1eceb88b41
Unpacked files
SH256 hash:
a349bc17f1049bbac4956d63138c2b25e8dca2e124e10c97bc217d20e9002b93
MD5 hash:
7cf98a2dc00a8e3a2a8a0b52561eeb2e
SHA1 hash:
d5c95e68999f7238c2f5442718705ff1c13e6a96
Detections:
Socks5Systemz
Create hunting rule
Link:
https://www.unpac.me/results/9503a4b3-e93c-4432-83a8-cb91d1f5ac3d/
Parent samples :
dc35f615ca7dbe0bf35a8af484ca62e85fa5466aaf259c9e6b3e54e53f674077
2768fa26441f26259d7d6bbf888fddf57733739993f3fe9f67350c82476062ed
SH256 hash:
9b38f5a16b44a24648a192f1601bc4be274dce12c7025b71bb6d6ba9b7e80a67
MD5 hash:
f31b78b38959db2d863f5efe85883b27
SHA1 hash:
53d714a18fe0b260fa93c30a19760190b3620037
Link:
https://www.unpac.me/results/9503a4b3-e93c-4432-83a8-cb91d1f5ac3d/
SH256 hash:
44b8e6a310564338968158a1ed88c8535dece20acb06c5e22d87953c261dfed0
MD5 hash:
9c8886759e736d3f27674e0fff63d40a
SHA1 hash:
ceff6a7b106c3262d9e8496d2ab319821b100541
Link:
https://www.unpac.me/results/9503a4b3-e93c-4432-83a8-cb91d1f5ac3d/
SH256 hash:
4dc09bac0613590f1fac8771d18af5be25a1e1cb8fdbf4031aa364f3057e74a2
MD5 hash:
0ee914c6f0bb93996c75941e1ad629c6
SHA1 hash:
12e2cb05506ee3e82046c41510f39a258a5e5549
Link:
https://www.unpac.me/results/9503a4b3-e93c-4432-83a8-cb91d1f5ac3d/
SH256 hash:
c1465b703aab1726f43fd56e2cdc9d93adb8bf1c8acfa75558d6c59f70165d41
MD5 hash:
10ede0975a4368bad647adf45722f2a0
SHA1 hash:
2d0da53e5c6241517630eeb66128dafd2959699b
Link:
https://www.unpac.me/results/9503a4b3-e93c-4432-83a8-cb91d1f5ac3d/
SH256 hash:
2768fa26441f26259d7d6bbf888fddf57733739993f3fe9f67350c82476062ed
MD5 hash:
44e8f53e3b360fb8cea3b67288f89b00
SHA1 hash:
80e34922310057c6a68e50b32469a8cd72f78088
Link:
https://www.unpac.me/results/9503a4b3-e93c-4432-83a8-cb91d1f5ac3d/
Malware family:
Socks5Systemz
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/2768fa26441f/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/2768fa26441f26259d7d6bbf888fddf57733739993f3fe9f67350c82476062ed

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Socks5Systemz

Executable exe 2768fa26441f26259d7d6bbf888fddf57733739993f3fe9f67350c82476062ed

(this sample)

  
Dropped by
PrivateLoader
  
Delivery method
Distributed via web download

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
CHECK_NXMissing Non-Executable Memory Protectioncritical
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh
Reviews
IDCapabilitiesEvidence
SECURITY_BASE_APIUses Security Base APIadvapi32.dll::AdjustTokenPrivileges
WIN32_PROCESS_APICan Create Process and Threadskernel32.dll::CreateProcessA
advapi32.dll::OpenProcessToken
kernel32.dll::CloseHandle
WIN_BASE_APIUses Win Base APIkernel32.dll::LoadLibraryA
kernel32.dll::GetSystemInfo
kernel32.dll::GetCommandLineA
WIN_BASE_IO_APICan Create Fileskernel32.dll::CreateDirectoryA
kernel32.dll::CreateFileA
kernel32.dll::DeleteFileA
kernel32.dll::GetWindowsDirectoryA
kernel32.dll::GetFileAttributesA
kernel32.dll::RemoveDirectoryA
WIN_BASE_USER_APIRetrieves Account Informationadvapi32.dll::LookupPrivilegeValueA
WIN_REG_APICan Manipulate Windows Registryadvapi32.dll::RegOpenKeyExA
advapi32.dll::RegQueryValueExA
WIN_USER_APIPerforms GUI Actionsuser32.dll::PeekMessageA
user32.dll::CreateWindowExA

Comments