MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 379e6a65665704da3c37590f891fe1073bfa4d71a999c8b1252032683ba32d52. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Socks5Systemz

Vendor detections: 11



SHA256 hash: 379e6a65665704da3c37590f891fe1073bfa4d71a999c8b1252032683ba32d52
SHA3-384 hash: 7b3553e735e767f0322062534db971e35f5fa58ac5d2992611798a557ce94b6eb0b6d1f6969853ddfd5d0c2e78e33c7a
SHA1 hash: 57aae53641793d8f40455feff5f2dae7b943e438
MD5 hash: 0b21b1f102e482467151450d221cdfed
humanhash: floor-crazy-purple-red
File name: 0b21b1f102e482467151450d221cdfed
Signature: Socks5Systemz
File size: 2'881'599 bytes
First seen: 2023-11-23 18:24:25 UTC
Last seen: 2023-11-23 20:17:24 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 884310b1928934402ea6fec1dbd3cf5e (3'725 x GCleaner, 3'463 x Socks5Systemz, 262 x RaccoonStealer)
Note: TrID identifies this file as an Inno Setup installer, so the imphash (and the icon dhash below) belong to the installer stub that GCleaner, Socks5Systemz and RaccoonStealer droppers share; they pivot on the packaging, not on the Socks5Systemz payload itself.
ssdeep: 49152:O2YwvLbBL8IQbDbq6hhFiucmUHq2uK3njQJJmgBkVrAhUQCe4f4/fzdedvQRY0E:XfvXBLk42UHuK3jWXWKOe4fWdmQlE
Threatray: 2 similar samples on MalwareBazaar
TLSH: T11DD5338BA582E9F6E03B99700D246EBE49EBB9D6747A941C3CEEA44D1F73116100F374
TrID: 76.6% (.EXE) Inno Setup installer (109740/4/30)
      9.9% (.EXE) Win32 Executable Delphi generic (14182/79/4)
      4.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      3.1% (.EXE) Win32 Executable (generic) (4505/5/1)
      1.4% (.EXE) Win16/32 Executable Delphi generic (2072/23)
dhash icon: b298acbab2ca7a72 (2'327 x GCleaner, 1'631 x Socks5Systemz, 67 x RedLineStealer)
Reporter: zbetcheckin
Tags: 32 exe Socks5Systemz

Intelligence

File Origin
# of uploads: 2
# of downloads: 386
Origin country: FR
Vendor Threat Intelligence
Result
Verdict: Malware
Behaviour
Creating a file in the %temp% subdirectories
Creating a window
Creating a process from a recently created file
Creating synchronization primitives
Searching for the window
Creating a file
Moving a recently created file
Launching a process
Modifying a system file
Creating a service
Launching the process to interact with network services
Enabling autorun for a service
Gathering data
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: control greyware installer lolbin overlay packed shell32
Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Socks5Systemz
Detection: malicious
Classification: troj.evad
Score: 100 / 100
Signature
Antivirus / Scanner detection for submitted sample
Contains functionality to infect the boot sector
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found API chain indicative of debugger detection
Machine Learning detection for dropped file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Uses known network protocols on non-standard ports
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Socks5Systemz
Behaviour
Behavior Graph (ID 1347068; sample f552fGDYQS.exe; start date 23/11/2023; architecture WINDOWS; score 100)
Top-level signatures: Snort IDS alert for network traffic; Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for dropped file; 8 other signatures
Process tree, dropped files and network contacts:
  f552fGDYQS.exe
    drops C:\Users\user\AppData\...\f552fGDYQS.tmp (PE32)
    starts f552fGDYQS.tmp
      drops C:\Users\user\AppData\Local\...\_setup64.tmp (PE32+)
      drops C:\Users\user\AppData\Local\...\_isdecmp.dll (PE32)
      drops C:\Users\user\AppData\Local\...\_iscrypt.dll (PE32)
      drops 13 other files (12 malicious)
      signature: Uses schtasks.exe or at.exe to add and modify task schedules
      starts AVILine.exe (first instance)
        network: ckjbytq.net / 185.141.63.253, ports 49735, 49737, 49739 (BELCLOUDBG, Bulgaria)
        network: 37.187.142.187, ports 1074, 49736, 49738 (OVHFR, France)
        network: ip0.zenno.services / 185.87.150.22, ports 443, 49784, 49803 (CAPITALWITINCSAHN, Ukraine)
      starts AVILine.exe (second instance)
        drops C:\ProgramData\SVGAHelper\SVGAHelper.exe (PE32)
      starts net.exe
        starts conhost.exe
        starts net1.exe
      starts schtasks.exe
        starts conhost.exe
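As an added hunting example (written for this page, not code from MalwareBazaar or from any of the sandbox vendors quoted above), the following Python runs the entry's indicators against Sysmon-style events that a SIEM has already parsed into dicts: the submitted-sample hash, the two contacted domains and three IPs, the C:\ProgramData\SVGAHelper\ drop path, and the pattern from the behaviour graph in which the Inno Setup .tmp stage spawns schtasks.exe and net.exe (the "Uses schtasks.exe or at.exe" signature). The events, host names and local paths (tuc5.exe, is-ABCDE.tmp, WS01, WS02) are constructed; treating only 80 and 443 as "standard" ports, and treating the 4973x ports in the graph as the client's ephemeral ports rather than server ports, are my assumptions.

```python
"""Hunt for the Socks5Systemz indicators from this MalwareBazaar entry in
Sysmon-style events (EventID 1 process create, 3 network connect,
11 file create, 22 DNS query). Added example; the events are constructed."""
from collections import defaultdict

# Indicators copied from the page.
IOC_SHA256 = {
    "379e6a65665704da3c37590f891fe1073bfa4d71a999c8b1252032683ba32d52",  # submitted sample
    "e230a08c98e0593904dfc5c82b94a58e812d6d3174626cda4010e90339d5b7ff",  # first unpacked file
}
IOC_DOMAINS = {"ckjbytq.net", "ip0.zenno.services"}
IOC_IPS = {"185.141.63.253", "37.187.142.187", "185.87.150.22"}
# Drop locations from the behaviour graph, matched as lower-case path fragments.
# AVILine.exe has no directory on the page, so only its basename is used.
IOC_PATH_FRAGMENTS = ("\\programdata\\svgahelper\\", "\\aviline.exe")
# LOLBins the .tmp stage launched for persistence (at.exe named in the signature).
PERSISTENCE_LOLBINS = {"schtasks.exe", "at.exe", "net.exe", "net1.exe"}
STANDARD_PORTS = {80, 443}  # assumption: what "standard" means for the port check


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def match_event(ev: dict) -> list[str]:
    """Return the indicator tags one event matches (empty list = no hit)."""
    hits = []
    eid = ev.get("EventID")
    if eid == 1:  # process create
        # Sysmon "Hashes" looks like "MD5=...,SHA256=...,IMPHASH=..."; take SHA256.
        sha = ev.get("Hashes", "").upper().split("SHA256=")[-1][:64].lower()
        if sha in IOC_SHA256:
            hits.append("hash:" + sha[:12])
        parent = ev.get("ParentImage", "").lower()
        child = _basename(ev.get("Image", ""))
        # Inno Setup unpacks <name>.tmp under the user's AppData and runs it;
        # on this page that .tmp is what spawned schtasks.exe and net.exe.
        if child in PERSISTENCE_LOLBINS and parent.endswith(".tmp") and "\\appdata\\" in parent:
            hits.append("lolbin-from-inno-tmp:" + child)
        if any(frag in ev.get("Image", "").lower() for frag in IOC_PATH_FRAGMENTS):
            hits.append("dropped-exe-executed")
    elif eid == 3:  # network connect
        ip, port = ev.get("DestinationIp"), int(ev.get("DestinationPort", 0))
        if ip in IOC_IPS:
            hits.append("c2-ip:" + ip)
            if port not in STANDARD_PORTS:  # e.g. 37.187.142.187:1074 on this page
                hits.append(f"non-standard-port:{port}")
    elif eid == 11:  # file create
        if any(frag in ev.get("TargetFilename", "").lower() for frag in IOC_PATH_FRAGMENTS):
            hits.append("dropped-file:" + _basename(ev["TargetFilename"]))
    elif eid == 22:  # DNS query (match the domain and any subdomain of it)
        q = ev.get("QueryName", "").lower().rstrip(".")
        if q in IOC_DOMAINS or any(q.endswith("." + d) for d in IOC_DOMAINS):
            hits.append("c2-domain:" + q)
    return hits


def hunt(events) -> dict[str, list[str]]:
    """Group hits per host so one host's chain (drop -> task -> beacon) is visible."""
    by_host = defaultdict(list)
    for ev in events:
        for tag in match_event(ev):
            by_host[ev.get("Computer", "?")].append(tag)
    return dict(by_host)


# Constructed events modelled on the behaviour graph; hosts and local paths are invented.
SAMPLE_EVENTS = [
    {"EventID": 1, "Computer": "WS01", "Image": r"C:\Users\alice\Downloads\tuc5.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "Hashes": "SHA256=379E6A65665704DA3C37590F891FE1073BFA4D71A999C8B1252032683BA32D52"},
    {"EventID": 1, "Computer": "WS01", "Image": r"C:\Windows\System32\schtasks.exe",
     "ParentImage": r"C:\Users\alice\AppData\Local\Temp\is-ABCDE.tmp\tuc5.tmp"},
    {"EventID": 11, "Computer": "WS01",
     "Image": r"C:\Users\alice\AppData\Local\Temp\is-ABCDE.tmp\tuc5.tmp",
     "TargetFilename": r"C:\ProgramData\SVGAHelper\SVGAHelper.exe"},
    {"EventID": 22, "Computer": "WS01", "QueryName": "ckjbytq.net"},
    {"EventID": 3, "Computer": "WS01", "DestinationIp": "37.187.142.187", "DestinationPort": "1074"},
    {"EventID": 3, "Computer": "WS02", "DestinationIp": "93.184.216.34", "DestinationPort": "443"},
]

if __name__ == "__main__":
    for host, tags in hunt(SAMPLE_EVENTS).items():
        print(host, tags)
```

The ".tmp under AppData spawning schtasks.exe" rule is the one worth keeping beyond this sample: hashes and IPs rotate per build, but the Inno Setup staging pattern is shared across the GCleaner and Socks5Systemz droppers that this entry's imphash already clusters. Expect benign installers to trip it occasionally, so treat it as a hunting lead to pair with the DNS and drop-path hits rather than a standalone alert.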
Threat name: Win32.Trojan.Generic
Status: Malicious
First seen: 2023-11-23 18:25:06 UTC
File Type: PE (Exe)
Extracted files: 7
AV detection: 15 of 23 (65.22%)
Threat level: 2/5
Result
Malware family: n/a
Score: 7/10
Tags: discovery
Behaviour
Runs net.exe
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Checks installed software on the system
Executes dropped EXE
Loads dropped DLL
Unexpected DNS network traffic destination
Unpacked files
SHA256 hash: e230a08c98e0593904dfc5c82b94a58e812d6d3174626cda4010e90339d5b7ff
MD5 hash: dde9c806678228d3a450658ef2956da7
SHA1 hash: a4f82691fefda33030d437d012c2aa2d5c3d85d5

SHA256 hash: 6eb9d107a87c074eae47c18240deef3b9ecfd2f078cf26ab7b52d2f530edf300
MD5 hash: 64009c4b5a99cb9a7a2c4b28342cfdd1
SHA1 hash: 0f44d174b09717f58e104e738999910a091416d3

SHA256 hash: eb23d2eb45e2d47d3eaffe6b0c843bbd481475532b334b337bd39f009d5b5b29
MD5 hash: 05c134fd4428b46b265001a793c678e4
SHA1 hash: 9b373e381b5249b50938b621cc68d2ac574db6f3

SHA256 hash: d4f52b7d966c476dee40c677a9d9f224e55c592ee287660cd292e91eccd11848
MD5 hash: 9824254bb5cd741b93eec8e623580685
SHA1 hash: 0de975cd3955849f4c668eed5bb5f8b45f940d36

SHA256 hash: aaf3cb758ee8689106d531f2302b47c9dc58a6c8ef8fc3ebacc4bde510d3cd3a
MD5 hash: 20e8c58ec8e1a7241a93488ae44254a2
SHA1 hash: 06f18fcc7399a6c2ed85a08c3f86a6ee2d6fa6ea

SHA256 hash: 379e6a65665704da3c37590f891fe1073bfa4d71a999c8b1252032683ba32d52 (the submitted sample)
MD5 hash: 0b21b1f102e482467151450d221cdfed
SHA1 hash: 57aae53641793d8f40455feff5f2dae7b943e438
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: shellcode
Author: nex
Description: Matched shellcode byte patterns

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download (distributed via web download)
Signature: Socks5Systemz
File: Executable exe 379e6a65665704da3c37590f891fe1073bfa4d71a999c8b1252032683ba32d52 (this sample)

Comments

zbet commented on 2023-11-23 18:24:26 UTC

url: hxxp://sl.himanfast.com/order/tuc5.exe