MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2ffa87a77532511163a29b84c0bd2823cd7b4455fd7301ce56052a633303f1b0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Socks5Systemz

Vendor detections: 12

Intelligence 12 IOCs YARA 1 File information Comments

SHA256 hash:	2ffa87a77532511163a29b84c0bd2823cd7b4455fd7301ce56052a633303f1b0
SHA3-384 hash:	96f540c2ebd2926afbffcedbb8ac060f58ff8cd7180cfa452dedea548971c27e8cb86e4b37d85547037394e41fdbd8f3
SHA1 hash:	8735a644fe9d3767d438e37a27e61813328c0fa8
MD5 hash:	ca67885debac01a9b7d0444cbec10525
humanhash:	west-oscar-undress-johnny
File name:	tuc5.exe
Download:	download sample
Signature	Socks5Systemz Create hunting rule
File size:	7'865'822 bytes
First seen:	2023-12-11 18:22:11 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	884310b1928934402ea6fec1dbd3cf5e (3'725 x GCleaner, 3'458 x Socks5Systemz, 262 x RaccoonStealer)
ssdeep	196608:gO78pimeIjZMmsj7bXzjl3iT1A9SG7ul2xdVNWiYmJE6RI6zj:F78pimNjMDzjl3dQAdVN1YyRPzj
Threatray	5'313 similar samples on MalwareBazaar
TLSH	T167863393AF74566CF6194BB01D234C461FFA2C6D4FB04815987EB43EADB604848CAB7E
TrID	76.2% (.EXE) Inno Setup installer (107240/4/30) 10.0% (.EXE) Win32 Executable Delphi generic (14182/79/4) 4.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 3.2% (.EXE) Win32 Executable (generic) (4505/5/1) 1.4% (.EXE) Win16/32 Executable Delphi generic (2072/23)
dhash icon	fefce49e86c0fcfe (884 x Socks5Systemz, 259 x RaccoonStealer)
Reporter	Xev
Tags:	exe Socks5Systemz

NIXLovesCooper

Downloaded from http://never.hitsturbo.com/order/tuc5.exe

Intelligence

File Origin

# of uploads :

# of downloads :

231

Origin country :

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/465877/

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a file in the %temp% subdirectories

Creating a window

Creating a process from a recently created file

Сreating synchronization primitives

Searching for synchronization primitives

Creating a file in the Program Files subdirectories

Moving a file to the Program Files subdirectory

Launching a process

Modifying a system file

Creating a file

Creating a service

Launching the process to interact with network services

Sending a custom TCP request

Enabling autorun for a service

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

control installer lolbin overlay packed shell32

Link:

https://www.filescan.io/uploads/6577538e8b5ba47db2de7502/reports/9ba0ca2f-cc1c-4b64-a2da-ddc4c30389aa/overview

Verdict:

Malicious

Labled as:

HEUR/AGEN.1332570

Link:

https://www.hybrid-analysis.com/sample/2ffa87a77532511163a29b84c0bd2823cd7b4455fd7301ce56052a633303f1b0

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Suspicious

Link:

https://analyze.intezer.com/analyses/b59fb221-558a-48b1-99f4-b356873afe7e

Result

Threat name:

Petite Virus, Socks5Systemz

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1358831

Behaviour

Behavior Graph:

n/a

Score:

71%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/2ffa87a77532511163a29b84c0bd2823cd7b4455fd7301ce56052a633303f1b0

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/2ffa87a77532511163a29b84c0bd2823cd7b4455fd7301ce56052a633303f1b0/

Threat name:

Win32.Trojan.Generic

Status:

Malicious

First seen:

2023-12-11 18:23:06 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

10 of 23 (43.48%)

Threat level:

2/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=f75ipj3vgjircy5ctocmbpjiepgxwrcv7vzqdtswauvggmyd6gya._file

Verdict:

malicious

Socks5Systemz

28054d4d5fe1ce44199d81b1e6e0a9a1ab154447a35a4f7f4c5bde4dcc775421

Socks5Systemz

393988c7d79685d835f0ee3a3e01b5108d20adb9800bab54669eeb41403e4633

Socks5Systemz

6ab1079fa2f594fae71db67f69426fe4ff0e00fde8bf902ec9bc98110a86d252

Socks5Systemz

7d08307acda4f898d41708dae05886685240ec15642b5fb0d56a17e9b356b30d

Socks5Systemz

8089541479536163d5b0dc86e73716583c87d40ad51939f771aa4671fd247ce6

Socks5Systemz

9caef1bfc3460fd2eabeb3039a2d27ea014c2536465e9fef705cd5c2c13f371e

Socks5Systemz

cbf8c70b949c13415e8814b2835d9fcd53f8b2210ca8b22bb2b107b4ca266ac2

Socks5Systemz

+ 5'303 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

7/10

Tags:

discovery

Link:

https://tria.ge/reports/231211-w1f2eaebhl/

Behaviour

Runs net.exe

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Drops file in Program Files directory

Checks installed software on the system

Executes dropped EXE

Loads dropped DLL

Unexpected DNS network traffic destination

Unpacked files

SH256 hash:

d1286da2332f03018f97ce332f9b3ea0963088e2ec105e6f2ba3acaea00560d4

MD5 hash:

5e46d295989c1e038ce5202a45a591b4

SHA1 hash:

46ea548a01d0e35d655a9cbcc90671fe3b5bf06c

Link:

https://www.unpac.me/results/3534a25c-bdc2-4a0b-a8a3-6e0b756db743/

SH256 hash:

333f4c4f3929b419a0fd6b15fb4954d700927608433f067005f3629622e70ae8

MD5 hash:

f7fb82cc47b10b4fd9d30e3858af394d

SHA1 hash:

43ab573a54a93e79a16fc6de0bf8670a4c9c16d5

Detections:

INDICATOR_EXE_Packed_VMProtect

Link:

https://www.unpac.me/results/3534a25c-bdc2-4a0b-a8a3-6e0b756db743/

SH256 hash:

7a22473a3418a536e3d7ad211b4e3dfa6e8400b240c9f85213add3c485f5b01e

MD5 hash:

3788894417f1e79f58e047c655abd449

SHA1 hash:

c4a96edc8d5a41368b463f9ab5d1ae75d5030ab8

Link:

https://www.unpac.me/results/3534a25c-bdc2-4a0b-a8a3-6e0b756db743/

SH256 hash:

25936ab6578a44ce9c2fc54ffa253b53a76c14a14943d055189c0e2b292acac8

MD5 hash:

9444e17254a82e805c735feb8b532f61

SHA1 hash:

9365bc35aa3c6377b1eec0221fcc4ba0dc4587e0

Link:

https://www.unpac.me/results/3534a25c-bdc2-4a0b-a8a3-6e0b756db743/

SH256 hash:

54426fec7e2ca9ebac4d02764f74dd3380ba0a346046753bca6b3990603b701d

MD5 hash:

c1009e84436bd8f556ca2677a30b013d

SHA1 hash:

1614aa2963b18c58ee6d986ca22e7d765931ca77

Link:

https://www.unpac.me/results/3534a25c-bdc2-4a0b-a8a3-6e0b756db743/

SH256 hash:

2ffa87a77532511163a29b84c0bd2823cd7b4455fd7301ce56052a633303f1b0

MD5 hash:

ca67885debac01a9b7d0444cbec10525

SHA1 hash:

8735a644fe9d3767d438e37a27e61813328c0fa8

Link:

https://www.unpac.me/results/3534a25c-bdc2-4a0b-a8a3-6e0b756db743/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/2ffa87a77532511163a29b84c0bd2823cd7b4455fd7301ce56052a633303f1b0

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	shellcode Create hunting rule
Author:	nex
Description:	Matched shellcode byte patterns

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Link

http://never.hitsturbo.com/order/tuc5.exe

Cape

https://www.capesandbox.com/analysis/465877/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample