MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2fdc4c2698bb27b5123709314702ade5ba324dae00c1b45dcb5f521810a40849. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Socks5Systemz

Vendor detections: 13



SHA256 hash: 2fdc4c2698bb27b5123709314702ade5ba324dae00c1b45dcb5f521810a40849
SHA3-384 hash: 3bcbca70cde702c1bb3db0d9a60843dc70d275248181954b84668147fd9db3d5fad7be049ace96d378be8d94e1f52141
SHA1 hash: 5d8f0435ebe5bddbae45829818c22ad5af712776
MD5 hash: 8e77d835ff082165c2de8e94c131587e
humanhash: cola-bacon-fifteen-comet
File name: SecuriteInfo.com.Trojan-Dropper.Win32.Agent.9252.18757
Signature: Socks5Systemz
File size: 4'793'439 bytes
First seen: 2023-12-31 13:22:12 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 884310b1928934402ea6fec1dbd3cf5e (3'725 x GCleaner, 3'455 x Socks5Systemz, 262 x RaccoonStealer)
ssdeep: 98304:QkBlcXZwQcHIQVF+/x24ujgWD4W8m0d/mwpnh1Qy8c1YDatp4dm8:3EZ7c7+/Vre4nm2hT8UYGtp4dD
Threatray: 70 similar samples on MalwareBazaar
TLSH: T18B2633DA2E1A46B8C4F1973499BF6F183A7247049CF0899CAA5DDC0CCF66045E71937B
TrID: 76.2% (.EXE) Inno Setup installer (107240/4/30)
      10.0% (.EXE) Win32 Executable Delphi generic (14182/79/4)
      4.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      3.2% (.EXE) Win32 Executable (generic) (4505/5/1)
      1.4% (.EXE) Win16/32 Executable Delphi generic (2072/23)
dhash icon: b298acbab2ca7a72 (2'327 x GCleaner, 1'631 x Socks5Systemz, 67 x RedLineStealer)
Reporter: SecuriteInfoCom
Tags: exe Socks5Systemz

Intelligence


File Origin
# of uploads: 1
# of downloads: 273
Origin country: FR

Vendor Threat Intelligence
Malware family: phorpiex
ID: 1
File name: 4363463463464363463463463.exe
Verdict: Malicious activity
Analysis date: 2023-12-31 10:58:41 UTC
Tags: hausbomber loader opendir autoit evasion phorpiex trojan redline parallax remote stealer kelihos stealc dupzom arechclient2 backdoor agenttesla amadey lumma dcrat socks5systemz proxy servstart

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Verdict: Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% subdirectories
Creating a window
Creating a process from a recently created file
Creating synchronization primitives
Searching for synchronization primitives
Creating a file in the Program Files subdirectories
Moving a file to the Program Files subdirectory
Launching the process to interact with network services
Modifying a system file
Creating a file
Creating a service
Launching a process
Sending a custom TCP request
Enabling autorun for a service

Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: control installer lolbin overlay packed shell32
Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family: Argotronic GmbH
Verdict: Suspicious
Result
Threat name: Petite Virus, Socks5Systemz
Detection: malicious
Classification: troj.evad
Score: 100 / 100

Signature
Antivirus / Scanner detection for submitted sample
Contains functionality to infect the boot sector
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found API chain indicative of debugger detection
Multi AV Scanner detection for submitted file
PE file has nameless sections
Snort IDS alert for network traffic
Yara detected Petite Virus
Yara detected Socks5Systemz
Result
Malware family: n/a
Score: 7/10
Tags: discovery

Behaviour
Runs net.exe
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Drops file in Program Files directory
Checks installed software on the system
Executes dropped EXE
Loads dropped DLL
Unexpected DNS network traffic destination
Unpacked files

SHA256 hash: 767ce02dfc52bc478b9442e4e46396e6e97f21de1a30456a126ca7e56399f158
MD5 hash: fd57bccfc39411ba5f7e599ba94cc996
SHA1 hash: f95babe6c42eb277fd2ba4a9985d27aa386fccff
Detections: INDICATOR_EXE_Packed_VMProtect

SHA256 hash: 7867e68ccdf39fe49214e36027fe1e05d6008cb96b347fa6d7830791f0e4e05f
MD5 hash: 7c072e9b89dd846377dcb16cbc446019
SHA1 hash: 5c7bfee0e3e4c14482e734f3b2bb71148cd722ee

SHA256 hash: 77c9c65113999e8111d36dce49651dec97b24deea62af51fd0289853494242eb
MD5 hash: 23d8a37431bb3cce837bce4d4d5a792e
SHA1 hash: 9bb53a335bf21c35b9ec4f770af19e70df026296

SHA256 hash: fc0e0be9e8a8fc0a80901acb250f437ef8265ed44f21d094a7e7b4cf4c9d2eb5
MD5 hash: da4cc68c7a6844cc60fffa3da8ad861d
SHA1 hash: 4c1783ad4b55893ac783f06684702c0648e7b495

SHA256 hash: 50a5b5794265e58ffe045f32f9941d3c494e5895746f4c16e4ee258a1c1636b1
MD5 hash: ca54d42870def4a20c0caa914be8fadd
SHA1 hash: 3fb28856ddc1115e91b7bed86902c57327d73a15

SHA256 hash: 2fdc4c2698bb27b5123709314702ade5ba324dae00c1b45dcb5f521810a40849
MD5 hash: 8e77d835ff082165c2de8e94c131587e
SHA1 hash: 5d8f0435ebe5bddbae45829818c22ad5af712776
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: INDICATOR_EXE_Packed_VMProtect
Author: ditekSHen
Description: Detects executables packed with VMProtect.

Rule name: MD5_Constants
Author: phoul (@phoul)
Description: Look for MD5 constants

Rule name: shellcode
Author: nex
Description: Matched shellcode byte patterns

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Signature: Socks5Systemz
File: Executable exe 2fdc4c2698bb27b5123709314702ade5ba324dae00c1b45dcb5f521810a40849 (this sample)

Comments