MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 437d2b46f38b59637d58c165702c2a7f6138f91a3af15c073c357ed2d612e650. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Socks5Systemz

Vendor detections: 10

Intelligence 10 IOCs YARA 5 File information Comments

SHA256 hash:	437d2b46f38b59637d58c165702c2a7f6138f91a3af15c073c357ed2d612e650
SHA3-384 hash:	8c37d557fadf3d92c8cf77477b5bcb0c034e8808660dcc4b08ffaf1c0f346eaeb4ffb4260973987664e3691a32160f0a
SHA1 hash:	aa8b8a52c70ffede17b48e31cd864f70cf3acbfb
MD5 hash:	ffb1d73a833079d84d4bb02384b45a54
humanhash:	bakerloo-mexico-colorado-sweet
File name:	SecuriteInfo.com.Trojan.Siggen22.21729.25654.12632
Download:	download sample
Signature	Socks5Systemz Create hunting rule
File size:	3'102'974 bytes
First seen:	2023-12-01 11:25:26 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	884310b1928934402ea6fec1dbd3cf5e (3'725 x GCleaner, 3'508 x Socks5Systemz, 262 x RaccoonStealer)
ssdeep	49152:K2V9j2tB8nFGjZqzfN9VporsIKpeN+sivVAvtgUeYqpMqK9b7Bz/sI:LV9KBi9grsIKcNBivVA1g4yMx7Vd
Threatray	3'522 similar samples on MalwareBazaar
TLSH	T18DE5339212B3C436F891457248E8A44496D3FA214AB47D96250EC6CABB335D6F0EF37B
TrID	76.2% (.EXE) Inno Setup installer (107240/4/30) 10.0% (.EXE) Win32 Executable Delphi generic (14182/79/4) 4.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 3.2% (.EXE) Win32 Executable (generic) (4505/5/1) 1.4% (.EXE) Win16/32 Executable Delphi generic (2072/23)
File icon (PE):
dhash icon	b298acbab2ca7a72 (2'327 x GCleaner, 1'631 x Socks5Systemz, 67 x RedLineStealer)
Reporter	SecuriteInfoCom
Tags:	exe Socks5Systemz

Intelligence

File Origin

# of uploads :

# of downloads :

310

Origin country :

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/461696/

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file in the %temp% subdirectories

Creating a window

Creating a process from a recently created file

Сreating synchronization primitives

Searching for the window

Creating a file

Moving a recently created file

Launching a process

Modifying a system file

Creating a service

Launching the process to interact with network services

Enabling autorun for a service

Gathering data

Verdict:

Malicious

Labled as:

Trojan/DownloadAssistant

Link:

https://www.hybrid-analysis.com/sample/437d2b46f38b59637d58c165702c2a7f6138f91a3af15c073c357ed2d612e650

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/97412336-7445-4d69-a763-03a1bf3d789b

Result

Threat name:

Socks5Systemz

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1351349

Behaviour

Behavior Graph:

n/a

Score:

88%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/437d2b46f38b59637d58c165702c2a7f6138f91a3af15c073c357ed2d612e650

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/437d2b46f38b59637d58c165702c2a7f6138f91a3af15c073c357ed2d612e650/

Threat name:

Win32.Trojan.Generic

Status:

Malicious

First seen:

2023-12-01 11:26:07 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

16 of 23 (69.57%)

Threat level:

2/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=in6swrxtrnmwg7kyyfsxalbkp5qtr6i2hlyvybz4gv7nfvqs4zia._file

Verdict:

malicious

Socks5Systemz

699b2b54ef5989f4b50773883c3b2de9c8f45038ed927e75adb2e756c969ffe6

Socks5Systemz

6b4c63887d935d393d151f374fc08880dc3fb6ac9d9fb6ce4a7bbf3dad367316

Socks5Systemz

9a8d4e81a4ec2637adc5a74746a9f1574d47850ee833edd5faefcf84edab239a

Socks5Systemz

b2b910725e39af508364c063bad61249e2f65c2937f04ffad6ed4e99795acb71

Socks5Systemz

da0acf2a88f1812cd5503d958a41370da1101a2f3f1f65adbfba5c5e90f145b1

Socks5Systemz

+ 3'512 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

7/10

Tags:

discovery

Link:

https://tria.ge/reports/231201-njvjgahd73/

Behaviour

Runs net.exe

Suspicious use of WriteProcessMemory

Drops file in Program Files directory

Checks installed software on the system

Executes dropped EXE

Loads dropped DLL

Unexpected DNS network traffic destination

Unpacked files

SH256 hash:

d380580f5ee79d082f97c198ffc5185abefcc539a1e49f94ae208589605aaba1

MD5 hash:

dafe17c375dda7c95b571f98f65c645f

SHA1 hash:

8d11479eb7852c315fa38ffffe62f46bc914ea26

Link:

https://www.unpac.me/results/5b548df6-1b56-4981-9039-d9d051d6f5b7/

SH256 hash:

28e8f770b49b778af20a2485912ffe900035a9a5b94cabee880aa9397462956d

MD5 hash:

d80ef05c28fb1cae8acda59a8c33d478

SHA1 hash:

8a83ef506e664f85cb3ae69db57d2ad4c24d889b

Link:

https://www.unpac.me/results/5b548df6-1b56-4981-9039-d9d051d6f5b7/

SH256 hash:

ce588376ea4fa4ce5476769134778d4c0316b27e81f4e8218de0e5d853b68438

MD5 hash:

a9b0b7d2fa0175d20261263d995ed9be

SHA1 hash:

772ecf544750ab81fa9e7a49e0c4ffcb6c50965c

Link:

https://www.unpac.me/results/5b548df6-1b56-4981-9039-d9d051d6f5b7/

SH256 hash:

4c0503eb89589eefd241136c77905bbaaf805e65acd5e9a000a066bbc743652b

MD5 hash:

54d1b1ff8eda99912122490a8e895920

SHA1 hash:

ee1d437be4c904b0c4fa0bbdba85d2a0b1596f10

Link:

https://www.unpac.me/results/5b548df6-1b56-4981-9039-d9d051d6f5b7/

SH256 hash:

437d2b46f38b59637d58c165702c2a7f6138f91a3af15c073c357ed2d612e650

MD5 hash:

ffb1d73a833079d84d4bb02384b45a54

SHA1 hash:

aa8b8a52c70ffede17b48e31cd864f70cf3acbfb

Link:

https://www.unpac.me/results/5b548df6-1b56-4981-9039-d9d051d6f5b7/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/437d2b46f38b59637d58c165702c2a7f6138f91a3af15c073c357ed2d612e650

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	BitcoinAddress Create hunting rule
Author:	Didier Stevens (@DidierStevens)
Description:	Contains a valid Bitcoin address

Rule name:	DebuggerCheck__QueryInfo Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerHiding__Thread Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	maldoc_find_kernel32_base_method_1 Create hunting rule
Author:	Didier Stevens (https://DidierStevens.com)

Rule name:	shellcode Create hunting rule
Author:	nex
Description:	Matched shellcode byte patterns

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/461696/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample