MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3ac649efec98618189a42456ee70029e75c7fcbafc1ccee4e2cd54c8be0f5ce9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Socks5Systemz

Vendor detections: 14

Intelligence 14 IOCs YARA 3 File information Comments

SHA256 hash:	3ac649efec98618189a42456ee70029e75c7fcbafc1ccee4e2cd54c8be0f5ce9
SHA3-384 hash:	769c64ff5e4c8c6dd050ce640bc1a6d457befa2c695de84ce533a6a6b820cc8a284b714f38380778e1e563eb0ce57e66
SHA1 hash:	2bda1dc9f92c7b943e85cbe32e51ce0cfb85e9e9
MD5 hash:	e983c404a021ca5f841ebcdd9bb2ea5d
humanhash:	solar-high-emma-quiet
File name:	e983c404a021ca5f841ebcdd9bb2ea5d.exe
Download:	download sample
Signature	Socks5Systemz Create hunting rule
File size:	5'030'149 bytes
First seen:	2024-06-08 08:50:07 UTC
Last seen:	2024-06-08 09:14:38 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	884310b1928934402ea6fec1dbd3cf5e (3'725 x GCleaner, 3'522 x Socks5Systemz, 262 x RaccoonStealer)
ssdeep	98304:mgE81Gn7OGJOfXAhpvmU+XnoMdSMtx9JQLDXIm4938BNi:FP1Gn7VJiXAhpvmU+X3vm54Ki
Threatray	343 similar samples on MalwareBazaar
TLSH	T1FA363303D216DC71EB5A89BB4B84485E2C3BFA032C7DD669310D648F6F5A496081AFE7
TrID	76.2% (.EXE) Inno Setup installer (107240/4/30) 10.0% (.EXE) Win32 Executable Delphi generic (14182/79/4) 4.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 3.2% (.EXE) Win32 Executable (generic) (4504/4/1) 1.4% (.EXE) Win16/32 Executable Delphi generic (2072/23)
File icon (PE):
dhash icon	b298acbab2ca7a72 (2'327 x GCleaner, 1'631 x Socks5Systemz, 67 x RedLineStealer)
Reporter	abuse_ch
Tags:	exe Socks5Systemz

abuse_ch

Socks5Systemz C2:
93.123.39.193:80

Intelligence

File Origin

# of uploads :

# of downloads :

531

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

3ac649efec98618189a42456ee70029e75c7fcbafc1ccee4e2cd54c8be0f5ce9.exe

Verdict:

Malicious activity

Analysis date:

2024-06-08 08:52:30 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/d7e0ad78-ad97-4558-8741-5d8bc6a37500

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection(s):

SecuriteInfo.com.Adware.PCCleaner.B.UNOFFICIAL

Gathering data

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file in the %temp% subdirectories

Creating a window

Creating a process from a recently created file

Сreating synchronization primitives

Searching for the window

Searching for synchronization primitives

Creating a file

Moving a recently created file

Modifying a system file

Creating a service

Enabling autorun for a service

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

borland_delphi fingerprint installer lolbin overlay packed shell32

Link:

https://www.filescan.io/uploads/66641b7649a1c8306266335b/reports/8006bcb3-529a-44d7-b953-6557b412b1ce/overview

Verdict:

Suspicious

Labled as:

HEUR/AGEN.1372994

Link:

https://www.hybrid-analysis.com/sample/3ac649efec98618189a42456ee70029e75c7fcbafc1ccee4e2cd54c8be0f5ce9

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/a518dbbb-a9a1-4e01-bd73-83223a4dc497

Result

Threat name:

Socks5Systemz

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1454003

Signature

AI detected suspicious sample

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

C2 URLs / IPs found in malware configuration

Contains functionality to infect the boot sector

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Machine Learning detection for dropped file

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Yara detected Socks5Systemz

Behaviour

Behavior Graph:

Download SVG

Score:

84%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/3ac649efec98618189a42456ee70029e75c7fcbafc1ccee4e2cd54c8be0f5ce9

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/3ac649efec98618189a42456ee70029e75c7fcbafc1ccee4e2cd54c8be0f5ce9/

Threat name:

Win32.Trojan.Generic

Status:

Malicious

First seen:

2024-06-08 08:51:07 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

12 of 24 (50.00%)

Threat level:

2/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=hldet37mtbqydcneerlo44actz24p7f27qom5zhczvkmrpqpltuq._file

Verdict:

malicious

Socks5Systemz

320c1e989f4abc710021c34d0544588c487aa4d210a04942cebcbe1db0f777c1

Socks5Systemz

7aa2680b83656ff7cbfe453c3b0e9b874cbe9b8b0d19ff26317b35672f8405d6

Socks5Systemz

9ed5bbcdc3ba7bd86c534424f7a5c8f80bac6618b7b79cd8caad7060272e107f

Socks5Systemz

a4055964f3c620c0e4c0aa5ce9ff2a28e249a472f6bb7f6c4c356f4bf1b94388

Socks5Systemz

fe66709abfc8ebc81d937807326ec8919af8da242aac4c76562a98011c239929

Socks5Systemz

+ 333 additional samples on MalwareBazaar

Result

Malware family:

socks5systemz

Score:

10/10

Tags:

family:socks5systemz botnet discovery

Link:

https://tria.ge/reports/240608-kr54dsbe29/

Behaviour

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Checks installed software on the system

Executes dropped EXE

Loads dropped DLL

Unexpected DNS network traffic destination

Detect Socks5Systemz Payload

Socks5Systemz

Malware Config

C2 Extraction:

erohvov.ua
http://erohvov.ua/search/?q=67e28dd83d5fa62d1358fa4d7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4de8889b5e4fa9281ae978ff71ea771795af8e05c645db22f31df92d8b38e316a667d307eca743ec4c2b07b52966923a6086fc17c7eb95
bunxepn.com
http://bunxepn.com/search/?q=67e28dd83a5da32a155afd1b7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978a271ea771795af8e05c645db22f31dfe339426fa11af66c152adb719a9577e55b8603e983a608ff819c3e9929933
http://bunxepn.com/search/?q=67e28dd83a5da32a155afd1b7c27d78406abdd88be4b12eab517aa5c96bd86eb9c864996148ab2865b77f80ebad9c40f7cb63037ed2ab423a4674383ba915d911ec07bb606a0708727e40ea678c45abbe74ffb0e2807e12571c17f3e83fe16c1e89d993dca6c9e

Unpacked files

SH256 hash:

16ca30f70faace39ec2757b58072ca89df101933a2386b16df596dfe3dc8b99e

MD5 hash:

b1dc8b49a9fb7a4c76f9b32eafe4d695

SHA1 hash:

f7f457747f91b7c0ba51d92066cf0a84587ea96c

Detections:

Socks5Systemz

Link:

https://www.unpac.me/results/3d57d9de-1772-4a18-8b8e-e4cbeca5be31/

Parent samples :

7aa2680b83656ff7cbfe453c3b0e9b874cbe9b8b0d19ff26317b35672f8405d6
3ac649efec98618189a42456ee70029e75c7fcbafc1ccee4e2cd54c8be0f5ce9
02d4d03a881594456f183b16d559b8352383ae7e38d9b8276383c13ae196d184
99d02207061f8cd1bb41dfc5ce4891f5913bdf35498e043c7d8c2b9ceee2c00b
97f2f45e34af3ae26a7c14c51e111b48c98eef5a2bae1fafd45df5a0c3f46bee
d787f9aa7215933a6c4edd8fd967fe9271621aa25f0ca91d1b122951ba2eeac9

SH256 hash:

4e5fd37db1c271ce8e25271b4ced8959b2d982839f6c1440cbc0032f2f6c6b9e

MD5 hash:

dbd8da3f7886a8fab37819e20f9f1d8e

SHA1 hash:

47f31c0e8f4994b0ebf397b10c670e2a743ae080

Detections:

INDICATOR_EXE_Packed_VMProtect

Link:

https://www.unpac.me/results/3d57d9de-1772-4a18-8b8e-e4cbeca5be31/

SH256 hash:

44b8e6a310564338968158a1ed88c8535dece20acb06c5e22d87953c261dfed0

MD5 hash:

9c8886759e736d3f27674e0fff63d40a

SHA1 hash:

ceff6a7b106c3262d9e8496d2ab319821b100541

Link:

https://www.unpac.me/results/3d57d9de-1772-4a18-8b8e-e4cbeca5be31/

SH256 hash:

4dc09bac0613590f1fac8771d18af5be25a1e1cb8fdbf4031aa364f3057e74a2

MD5 hash:

0ee914c6f0bb93996c75941e1ad629c6

SHA1 hash:

12e2cb05506ee3e82046c41510f39a258a5e5549

Link:

https://www.unpac.me/results/3d57d9de-1772-4a18-8b8e-e4cbeca5be31/

SH256 hash:

e9eecd5d95b06b2f06ec112f76bc8f851494bc74193ea8fb43179bd63a753902

MD5 hash:

cd37fc7ed5e4bd8b8c6a6d7fe133407d

SHA1 hash:

f9575417eb69e3b96d125e3e41013dede440a524

Link:

https://www.unpac.me/results/3d57d9de-1772-4a18-8b8e-e4cbeca5be31/

SH256 hash:

9e3e7d8559bebf8a266cb82c239dcebc5712146cc790bb1227b421069ac59c22

MD5 hash:

27acf36a683207f1ba6b2243344df726

SHA1 hash:

f3be036ee84e283581e463869109f3e9c0e5267a

Link:

https://www.unpac.me/results/3d57d9de-1772-4a18-8b8e-e4cbeca5be31/

SH256 hash:

3ac649efec98618189a42456ee70029e75c7fcbafc1ccee4e2cd54c8be0f5ce9

MD5 hash:

e983c404a021ca5f841ebcdd9bb2ea5d

SHA1 hash:

2bda1dc9f92c7b943e85cbe32e51ce0cfb85e9e9

Link:

https://www.unpac.me/results/3d57d9de-1772-4a18-8b8e-e4cbeca5be31/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/3ac649efec98618189a42456ee70029e75c7fcbafc1ccee4e2cd54c8be0f5ce9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_EXE_Packed_VMProtect Create hunting rule
Author:	ditekSHen
Description:	Detects executables packed with VMProtect.

Rule name:	MD5_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for MD5 constants

Rule name:	shellcode Create hunting rule
Author:	nex
Description:	Matched shellcode byte patterns

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Socks5Systemz

exe 3ac649efec98618189a42456ee70029e75c7fcbafc1ccee4e2cd54c8be0f5ce9

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/2858526/

Delivery method

Distributed via web download

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (HIGH_ENTROPY_VA)	high
CHECK_NX	Missing Non-Executable Memory Protection	critical
CHECK_PIE	Missing Position-Independent Executable (PIE) Protection	high

Reviews

ID	Capabilities	Evidence
SECURITY_BASE_API	Uses Security Base API	advapi32.dll::AdjustTokenPrivileges
WIN32_PROCESS_API	Can Create Process and Threads	kernel32.dll::CreateProcessA advapi32.dll::OpenProcessToken kernel32.dll::CloseHandle
WIN_BASE_API	Uses Win Base API	kernel32.dll::LoadLibraryA kernel32.dll::GetSystemInfo kernel32.dll::GetCommandLineA
WIN_BASE_IO_API	Can Create Files	kernel32.dll::CreateDirectoryA kernel32.dll::CreateFileA kernel32.dll::DeleteFileA kernel32.dll::GetWindowsDirectoryA kernel32.dll::GetFileAttributesA kernel32.dll::RemoveDirectoryA
WIN_BASE_USER_API	Retrieves Account Information	advapi32.dll::LookupPrivilegeValueA
WIN_REG_API	Can Manipulate Windows Registry	advapi32.dll::RegOpenKeyExA advapi32.dll::RegQueryValueExA
WIN_USER_API	Performs GUI Actions	user32.dll::PeekMessageA user32.dll::CreateWindowExA

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample