MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3340308506f21a54afc84cd9085634084a6cbd3ec7ee1c5b42dad08b6a58f05b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Socks5Systemz


Vendor detections: 16


Intelligence 16 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3340308506f21a54afc84cd9085634084a6cbd3ec7ee1c5b42dad08b6a58f05b
SHA3-384 hash: dd4f2c88cf035cecc7be7e6da68aac8161866a46666b1e56def6131cc70d4c826bd7ff66af2f8e06090c67d1f60cf453
SHA1 hash: a742c4aa291bcc13d805a5d9005fdc807464dcc8
MD5 hash: 2eeb0d24969f2540051e59058a4bc289
humanhash: london-mockingbird-snake-harry
File name:file
Download: download sample
Signature Socks5Systemz
Create hunting rule
File size:3'795'098 bytes
First seen:2024-07-26 08:58:35 UTC
Last seen:2024-07-26 09:37:13 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 884310b1928934402ea6fec1dbd3cf5e (3'725 x GCleaner, 3'462 x Socks5Systemz, 262 x RaccoonStealer)
ssdeep 98304:CHP2uIl2AScwC4sJFrvdZLrWqXR21AlDSVX1hGeTVU2y:kP2jl3ScwC4sHrvbrZRpUVXigY
Threatray 67 similar samples on MalwareBazaar
TLSH T1EA063335129298FEF4275FB19E5C8092A033AF41FA3AD42934BF5E0E42B7212E4D8357
TrID 76.2% (.EXE) Inno Setup installer (107240/4/30)
10.0% (.EXE) Win32 Executable Delphi generic (14182/79/4)
4.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.2% (.EXE) Win32 Executable (generic) (4504/4/1)
1.4% (.EXE) Win16/32 Executable Delphi generic (2072/23)
File icon (PE):PE icon
dhash icon b298acbab2ca7a72 (2'327 x GCleaner, 1'631 x Socks5Systemz, 67 x RedLineStealer)
Reporter Bitsight
Tags:exe Socks5Systemz


Avatar
Bitsight
url: https://lop.foxesjoy.com/ssl/crt.exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
372
Origin country :
US US
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
virus.7z
Verdict:
Malicious activity
Analysis date:
2024-07-26 08:52:50 UTC
Tags:
evasion privateloader stealer opendir loader risepro themida metastealer redline
Link:
https://app.any.run/tasks/5fcfcaad-02d0-4b63-b3d4-b3184ba07e15

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.FileRepMalware.19469.13150.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
97.4%
Link:
https://cyber-fortress.com/docs/result/index.php?id=66a3656b81e42e2b16c7b36a
Tags:
Encryption Generic Stealth Trojan
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a window
Creating a process from a recently created file
Сreating synchronization primitives
Searching for the window
Creating a file
Moving a recently created file
Modifying a system file
Creating a service
Enabling autorun for a service
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
borland_delphi fingerprint installer lolbin overlay packed shell32
Link:
https://www.filescan.io/uploads/66a36559bd793c18bfb6abe1/reports/7ddf1851-c11c-4cf8-ac1f-ef76957c0524/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/68f42a8c-32aa-4684-b0b7-d6bc5eca5b15
Result
Threat name:
Socks5Systemz
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1482905
Signature
AI detected suspicious sample
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Contains functionality to infect the boot sector
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Machine Learning detection for dropped file
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected Socks5Systemz
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1482905 Sample: file.exe Startdate: 26/07/2024 Architecture: WINDOWS Score: 100 48 Multi AV Scanner detection for domain / URL 2->48 50 Found malware configuration 2->50 52 Antivirus detection for dropped file 2->52 54 7 other signatures 2->54 7 file.exe 2 2->7         started        10 svchost.exe 2->10         started        process3 file4 22 C:\Users\user\AppData\Local\Temp\...\file.tmp, PE32 7->22 dropped 12 file.tmp 12 25 7->12         started        process5 file6 24 C:\Users\user\AppData\Local\...\yofaboom.exe, PE32 12->24 dropped 26 C:\Users\user\AppData\...\unins000.exe (copy), PE32 12->26 dropped 28 C:\Users\user\AppData\...\ssleay32.dll (copy), PE32 12->28 dropped 30 10 other files (9 malicious) 12->30 dropped 15 yofaboom.exe 1 2 12->15         started        19 yofaboom.exe 1 17 12->19         started        process7 dnsIp8 32 C:\...\b-hope device viewer 7.26.66.exe, PE32 15->32 dropped 40 Multi AV Scanner detection for dropped file 15->40 42 Detected unpacking (changes PE section rights) 15->42 44 Detected unpacking (overwrites its own PE header) 15->44 46 Contains functionality to infect the boot sector 15->46 34 hkpxsjc.net 45.155.250.89, 49715, 49717, 49719 MEER-ASmeerfarbigGmbHCoKGDE Germany 19->34 36 ejdpblq.ua 94.156.8.80, 49711, 49713, 49714 NET1-ASBG Bulgaria 19->36 38 194.59.31.219, 2023, 49716, 49718 COMBAHTONcombahtonGmbHDE Germany 19->38 file9 signatures10
Score:
53%
Verdict:
Susipicious
File Type:
PE
Link:
https://malprob.io/report/3340308506f21a54afc84cd9085634084a6cbd3ec7ee1c5b42dad08b6a58f05b
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3340308506f21a54afc84cd9085634084a6cbd3ec7ee1c5b42dad08b6a58f05b/
Threat name:
Win32.Trojan.Munp
Create hunting rule
Status:
Malicious
First seen:
2024-07-26 08:59:06 UTC
File Type:
PE (Exe)
Extracted files:
5
AV detection:
4 of 38 (10.53%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=gnadbbig6infjl6ijtmqqvrubbfgzpj6y7xbyw2c3liiw2sy6bnq._file
Verdict:
malicious
Similar samples:
0007f04b30116818f7a4f7b2e1afa657f1b70a6353d43e9261627d6725448847
Socks5Systemz
5521905702d9ef70717ea0152021e8055f49deef14f3b855468a6449007e552f
Socks5Systemz
9c0151a17e929d6de857367cb47fcd146713b5a73a54a7469a8d3ca5cc7bf3d2
Socks5Systemz
ed707049234c4794563e0232662dfa73978a532cdaf08beb3b6fc0db0e1b2b08
Socks5Systemz
+ 57 additional samples on MalwareBazaar
Result
Malware family:
socks5systemz
Create hunting rule
Score:
  10/10
Tags:
family:socks5systemz botnet discovery
Link:
https://tria.ge/reports/240726-kxqkwsxhqq/
Behaviour
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Checks installed software on the system
Executes dropped EXE
Loads dropped DLL
Unexpected DNS network traffic destination
Detect Socks5Systemz Payload
Socks5Systemz
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/6788032a-d51a-44d1-bda9-47dccc343906
Unpacked files
SH256 hash:
0ebd31b0e5c3fd2e7f547676ead962a4d1ff6c8d4ae3f336133000cfe041b231
MD5 hash:
ed228584ac00501e7e86fe6c511cf04a
SHA1 hash:
f9d285739441ab911cd5fcaed868849d7d0a3fde
Detections:
Socks5Systemz
Create hunting rule
Link:
https://www.unpac.me/results/c6b80369-6d10-4fd7-83a4-facf09c6d0f3/
Parent samples :
3340308506f21a54afc84cd9085634084a6cbd3ec7ee1c5b42dad08b6a58f05b
4a54ae992cdbec6cfe309567fb1bf1d6d2f73b5b73ff259f184f6e9230a352bf
SH256 hash:
9393bf722871a9eaab908aaf5db830cfecc71a0e4b721db9ed9268b21c4e918a
MD5 hash:
4ee0c8dcb803d1294eeb03c857a05de9
SHA1 hash:
171e358c872245f12fe82c79b9bca5033b37ab54
Link:
https://www.unpac.me/results/c6b80369-6d10-4fd7-83a4-facf09c6d0f3/
SH256 hash:
44b8e6a310564338968158a1ed88c8535dece20acb06c5e22d87953c261dfed0
MD5 hash:
9c8886759e736d3f27674e0fff63d40a
SHA1 hash:
ceff6a7b106c3262d9e8496d2ab319821b100541
Link:
https://www.unpac.me/results/c6b80369-6d10-4fd7-83a4-facf09c6d0f3/
SH256 hash:
4dc09bac0613590f1fac8771d18af5be25a1e1cb8fdbf4031aa364f3057e74a2
MD5 hash:
0ee914c6f0bb93996c75941e1ad629c6
SHA1 hash:
12e2cb05506ee3e82046c41510f39a258a5e5549
Link:
https://www.unpac.me/results/c6b80369-6d10-4fd7-83a4-facf09c6d0f3/
SH256 hash:
60fe58b41933219074c3f935c221ef3ffd2e76e00ef699a6d1703dfb49b7c587
MD5 hash:
e80d0a367c151031867072cc5a690a76
SHA1 hash:
9cc7492a5046b143c95a498804e6a915cca78399
Link:
https://www.unpac.me/results/c6b80369-6d10-4fd7-83a4-facf09c6d0f3/
SH256 hash:
407aca944c8a33d7a7c86bacbf6fadbbacb56b7d11177338790d269953f2dbce
MD5 hash:
372d23b18adbd5d0d29e47d57b54db55
SHA1 hash:
1439b4808967bce86965b9ad0c9994e1d753c875
Link:
https://www.unpac.me/results/c6b80369-6d10-4fd7-83a4-facf09c6d0f3/
SH256 hash:
3340308506f21a54afc84cd9085634084a6cbd3ec7ee1c5b42dad08b6a58f05b
MD5 hash:
2eeb0d24969f2540051e59058a4bc289
SHA1 hash:
a742c4aa291bcc13d805a5d9005fdc807464dcc8
Link:
https://www.unpac.me/results/c6b80369-6d10-4fd7-83a4-facf09c6d0f3/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/3340308506f21a54afc84cd9085634084a6cbd3ec7ee1c5b42dad08b6a58f05b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Socks5Systemz

Executable exe 3340308506f21a54afc84cd9085634084a6cbd3ec7ee1c5b42dad08b6a58f05b

(this sample)

  
Dropped by
Privateloader
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2898942/
  
URLhaus
https://urlhaus.abuse.ch/url/2858526/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
CHECK_NXMissing Non-Executable Memory Protectioncritical
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh
Reviews
IDCapabilitiesEvidence
SECURITY_BASE_APIUses Security Base APIadvapi32.dll::AdjustTokenPrivileges
WIN32_PROCESS_APICan Create Process and Threadskernel32.dll::CreateProcessA
advapi32.dll::OpenProcessToken
kernel32.dll::CloseHandle
WIN_BASE_APIUses Win Base APIkernel32.dll::LoadLibraryA
kernel32.dll::GetSystemInfo
kernel32.dll::GetCommandLineA
WIN_BASE_IO_APICan Create Fileskernel32.dll::CreateDirectoryA
kernel32.dll::CreateFileA
kernel32.dll::DeleteFileA
kernel32.dll::GetWindowsDirectoryA
kernel32.dll::GetFileAttributesA
kernel32.dll::RemoveDirectoryA
WIN_BASE_USER_APIRetrieves Account Informationadvapi32.dll::LookupPrivilegeValueA
WIN_REG_APICan Manipulate Windows Registryadvapi32.dll::RegOpenKeyExA
advapi32.dll::RegQueryValueExA
WIN_USER_APIPerforms GUI Actionsuser32.dll::PeekMessageA
user32.dll::CreateWindowExA

Comments