MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 445e37de42dff8e51c4deb5710262d41b7a901b87d04e521c737307fa2e9f1f6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Socks5Systemz

Vendor detections: 12

Intelligence 12 IOCs YARA 3 File information Comments

SHA256 hash:	445e37de42dff8e51c4deb5710262d41b7a901b87d04e521c737307fa2e9f1f6
SHA3-384 hash:	cea984f7e71867246605d6b5196375535c154068ebf959215cd19d10a4e2e2bce9627c9c376d696387fb43ce19b44478
SHA1 hash:	2a72a1300fc4c10078657359aa27f483dd93f153
MD5 hash:	9346eaa99e5265c38c658ca7cd2754fa
humanhash:	kitten-quiet-bravo-whiskey
File name:	tuc7.exe
Download:	download sample
Signature	Socks5Systemz Create hunting rule
File size:	7'343'853 bytes
First seen:	2023-12-12 16:27:04 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	884310b1928934402ea6fec1dbd3cf5e (3'725 x GCleaner, 3'456 x Socks5Systemz, 262 x RaccoonStealer)
ssdeep	196608:Lxm5Z7xPjWtYOkdHWd1V3GaO4TwWHvzASW8P7Bzj:Q7RjWtfj95dLASWyzj
Threatray	5'447 similar samples on MalwareBazaar
TLSH	T18A7633E295EACE3FDE119E305915F171962D3CFBD8364CA0314A176A0A6933856BCFC2
TrID	80.0% (.EXE) Inno Setup installer (107240/4/30) 10.5% (.EXE) Win32 Executable Delphi generic (14182/79/4) 3.3% (.EXE) Win32 Executable (generic) (4505/5/1) 1.5% (.EXE) Win16/32 Executable Delphi generic (2072/23) 1.5% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):
dhash icon	00f8dcdcdcbebe00 (621 x Socks5Systemz)
Reporter	Xev
Tags:	exe Socks5Systemz

NIXLovesCooper

Downloaded from http://never.hitsturbo.com/order/tuc7.exe

Intelligence

File Origin

# of uploads :

# of downloads :

247

Origin country :

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/466705/

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a file in the %temp% subdirectories

Creating a window

Creating a process from a recently created file

Сreating synchronization primitives

Searching for synchronization primitives

Creating a file in the Program Files subdirectories

Moving a file to the Program Files subdirectory

Launching a process

Modifying a system file

Creating a file

Creating a service

Launching the process to interact with network services

Sending a custom TCP request

Enabling autorun for a service

Gathering data

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

control installer lolbin overlay packed shell32

Link:

https://www.filescan.io/uploads/65788a165937bfdbca0e1567/reports/e43b55c9-37e8-4199-95f5-2477357e5486/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_60%

Link:

https://www.hybrid-analysis.com/sample/445e37de42dff8e51c4deb5710262d41b7a901b87d04e521c737307fa2e9f1f6

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Score:

92%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/445e37de42dff8e51c4deb5710262d41b7a901b87d04e521c737307fa2e9f1f6

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/445e37de42dff8e51c4deb5710262d41b7a901b87d04e521c737307fa2e9f1f6/

Threat name:

Win32.Trojan.Generic

Status:

Suspicious

First seen:

2023-12-12 16:28:05 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

10 of 23 (43.48%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=irpdpxsc374okhcn5nlrajrnig32sanypucokiohg4yh7ixj6h3a._file

Verdict:

malicious

Socks5Systemz

3788c9fc8551b7d1b7ee90627f20681d0e5e7609f184502bcc6f4d3121fa50a8

Socks5Systemz

47eb3bb223b90e9c85a23f36a54f066ad5687d50d6fc4b59ed3488a6dc975817

Socks5Systemz

743b7092f8bfe233e34902dcfecc10d09f0f7d723d167473a5edbd4e42526f9e

Socks5Systemz

88930ba97369aeb0498930aaef5bb7f5c8051a14fe655ab63ed4c62f3ee3c2fd

Socks5Systemz

a6c575ddcca2e6a614e3a9b34c2fd2b8eb8a6d1d1130cd87892870956b7c9c27

Socks5Systemz

a6fbf79d1f0420f62a947ccb300139320578f43599a354c14c2690ae8d24177f

Socks5Systemz

a82b5e99765ce3b5b5f4b4e4a743f8485ab26b8fbe74a0c3c8221bf8218d55eb

Socks5Systemz

dd8bd16fae95bca937433f57a8b88b3a3d2be7255372c0611aec6019f63fb6f1

Socks5Systemz

eefb54710b5b0af2dcf318edcbca3708ebbd11efa78102f56429e5d419fd6ab7

Socks5Systemz

+ 5'437 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

7/10

Tags:

discovery

Link:

https://tria.ge/reports/231212-tynblahhh9/

Behaviour

Runs net.exe

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Drops file in Program Files directory

Checks installed software on the system

Executes dropped EXE

Loads dropped DLL

Unexpected DNS network traffic destination

Unpacked files

SH256 hash:

c374ce370b8991347db808eed8be0ca9b693a160c624875706f4ff1fa68dc3ba

MD5 hash:

4fcc1a443bbd996a11db50e494496967

SHA1 hash:

d39880a707f5ee4d3c5047af1856ee192160c800

Link:

https://www.unpac.me/results/62f9c0d5-5763-4d19-9976-992615259c5e/

SH256 hash:

1cad7406ad8f4b703a20d5aa9a3b0fa5f0501a393ee4fef9c9ece8b72a7f9f67

MD5 hash:

4964c3be555df259840b2168380d61f9

SHA1 hash:

8091420678414d484adf737f2934e2bd62fd12b5

Detections:

INDICATOR_EXE_Packed_VMProtect

Link:

https://www.unpac.me/results/62f9c0d5-5763-4d19-9976-992615259c5e/

Parent samples :

65cfa1dcb09b61a433f3529c5596d45afd53e3cba992c03922e7363cb15d5512
f05a2a30d48576021177c1a819f3f019fc9be5bce902bdf62aab3872ee1520ac
3788c9fc8551b7d1b7ee90627f20681d0e5e7609f184502bcc6f4d3121fa50a8
3c9cf9df6dfdf722b34abc76c81c2206a12f442ab7f3bc30803221e78b63ec04
3111e95f59c8f26cc0cafee90ebfebd9e759ed39c2adde7acf2ce69938903115
a6c575ddcca2e6a614e3a9b34c2fd2b8eb8a6d1d1130cd87892870956b7c9c27
80b985d851ca45176ce40d4df6df54a3ed87b179e5295ce4253c4761c97a2d73
a82b5e99765ce3b5b5f4b4e4a743f8485ab26b8fbe74a0c3c8221bf8218d55eb
d6a33c833212833b56639b38ee74b7cb2976be3a7cc75f60333d38f09da4412a
2dad450cc342d475f857a9c40c909a0da07a92430e9f04a05695e5f846793658
a4166d653b9de4f73a1ea5bcdf77a7748550e7cb7ee93dbaebe5b3841d9a06e6
743b7092f8bfe233e34902dcfecc10d09f0f7d723d167473a5edbd4e42526f9e
fc3d5c50cb6c30195c11d975171f479b32ac9d96cd971fe173740cbfc7516868
d4b9880083a9316daaf4b0bcb5797198a8d4822508c357e0b1c98a3547cd5ca1
a6fbf79d1f0420f62a947ccb300139320578f43599a354c14c2690ae8d24177f
831efb9c279a6579a167cf1c32d7f8fc2f01142f784b91f66e9fbe20b21168ae
d5107ad3d5b0f203a5b453a84d626c17e43ad1485b6aa59fc3264566ea004aad
88a1a65b5a4153f6e4a21855634c16aea8aa4f9a749c70dc8d6b160b4e795dc1
ae7990a1cc34664311411ddd3b96cd71a0d2cd1ac7551303da8704ad1c011906
0427b1d5665acfda02b6a6100ba53b3717bd95704b1d53efb9af5addded9df97
dd8bd16fae95bca937433f57a8b88b3a3d2be7255372c0611aec6019f63fb6f1
9c138b6d0a7b54d3bd5df90a625415aa5f7b343e21dcef65727a6fbe3afe12f9
d2578061b49fcf1d5d2f721b67f86e5dfe1b35f1596ee9b21a9b8ef4460e21f1
d2895c24dd8a1e319e5e41c823c370df6df75ee27160f1565f337e5b75461a7d
5054c906e51673afa228b935cedcddb5f3ee1a2c144cd87cae3b3acbf2975564
47eb3bb223b90e9c85a23f36a54f066ad5687d50d6fc4b59ed3488a6dc975817
d570113c124db617e7c5de071a86b70e5ac6780de4e09e9690281fa20ef437a8
c96094eed440a646839643293252ceb47fad128b9aaeae8c97176b2e6f7fe179
c46cef4c244323586d221beacf8d0825d802791d08e1922c09f18725f15eb2a4
b83dc9ba61bad78f856cbc9d1064cd7a2b75a27fc638415d922b2368763e6c5e
579573832184234923390b3491c1da17e6154eacac71b372e5cf52287c84ec48
88d70271fab48916eac1d465b15b27238e29ed01107affc0fa446b7350b8e735
31f2e55a897f12dff2f0f04589dcc0fa726e9f7819aaab5a9f1e7a40aa7ec1ca
928777984b9c769c1b4af6b634ec670427663f517cbb62d4703a31158045319f
a38d15406978c2903d7d3b8c7ebde4219c81337a9b3fb692e434395ec96b5a85
21535da5ff1ecfd77b80659c451dccc97a68b18d73e7847fd311d28d246a5709
2e1059f0108285b70b5d99762efaf0a6fb4288026bbd19a4e2c0b661a4d6c2e1
88930ba97369aeb0498930aaef5bb7f5c8051a14fe655ab63ed4c62f3ee3c2fd
d74734f208d35a48475dc707f1200f16bf1736cab9c05db7aefc1a101f80f8b7
5c2b57d4418ab517bef2fa4b0977ae7b291055b1aae3a1b923f1a75293fcc281
9ec4803e58d18692e0952a013a7be45358342effc3ecf1bd66965038f7b5201b
4ff7c9b639373046b704696b13473cb35333ac4a2af693de9a376a35b6eb5040
64412eae51a6f6c019f8d362ca9a02185da3642fcb93e8fbf207b1fd9c11b4e7
a70742bb370b5a0c1a8b28cdb0fc0dd248c19fa737f2ffa5f0cdf1dbc3405f24
c238b74e3de14627e565bc7a9d96386f41834d7d91bc6a533079cb6de9d981b2
2862c316bab943bfbd6cd3461ff2ee3988686278927f8f130e743ed12016f86b
2d599a025cf8ed427203f3239cccbd315f085f851beb0d28703ae01e4e796929
6e55c8da6702a21842e1471720701263aa1a70750487233500b928b68030aa49
72a4ff7eb5462ab95f83af56f07ed6d2559211f8239fd4a2ef44c3452364b3fa
1cd7458a945b8994e101e1cd5a8830b1db659d19649ae77db565b79d2327c971
506ebcd1d6f755b78bbabc91ccd4a58c391dab85a48ab373c1215498cede2263
93b7245f326faeda065c6cbf19008742c4051643efcfbca9d9157a49bf07f8e3
35342642a62c978a5c6bb10d23f35f4376903c630ea9c9297484aedca33d001d
c93687acf3d96ce710947448d70d915368599086a3499cce23d18b690df6c23a
7d83ff27457326b3a6d4b77b8bc19f192e5d47497183289441fe8a432a347b82
bb7d162540ce68cdbc8c54cccc45e2173b0a826c75daa929386f2018c81b1d70
44daec962f7d5c999bee9d789aa7c0fac772cad7699d0549d0302438c05c3a32
445e37de42dff8e51c4deb5710262d41b7a901b87d04e521c737307fa2e9f1f6
f56bddc845ab91ec6f5c784f12fed693047df2232ab232806a2a58e1bffd8661
3d86c13db776d647b3a226f9971a16aa67776bd9817f3ae06f8c9facbd4a996d
4b04470da12b277af413f9adee3ecad6f92f9576ffe405f7ea622905582fdbf4
57635e452d5ac742605bcf05a8071975a42c23afa348e050c795a6146c3c3a03
bca4bd926ce9839e9d6aa4a57cc235387716b6057ed8d8b9129ee2257bbae4be
77aa4cbc25eddfa6c5bc320049e8fbd5b2e9af17466b2e05d02b235f7c0a8735
1a13efa0353fa6212c28d49e8c016b1f62cecf37516ecab65bb7f701730d4ed2
670c53e661d7b4a59476c616f9d391ce943c6ac63d430ec76d99b6e54fa2d524
0618c5d54767e03200a27c016873549d67b8148b487a099d2f1d53af145a7c6c
e56399d74d86afb0bc3d604aa778b611f7dbad8e19edb385026b2adf8d4ecd67
d79e40e864c64dbe9d69737e8a8fb553e97dc72748eb03954b0e2e7f0edcc4ee
cf6253fac81d5df9ddb6e7c26442c7429c198ad6611d1f8639ba370d889b496e
9b932365aaaa9b981fa5946f5fca035d5d346ad979476e388cf8d4dd0f59c37e
66a995bba839d7808d59670b0a141452eaa24a82703f0a1d692a92f32f1f0e6c
d2977daab60c26ed98db82a880d68140ea313bd2a6bea49d1e7a7b7d6594d2ec
04beb4c98d8d575979f15c9648f216821d91f325caa4bfa106e3c64d9fdcb950
187087d88df8ca1b0149777df968ae21394cb97a4544245a7895108f23202b02
a4817740f440824145b8806cbeebe3d9f8c6926f6888c6cc71ba26ab203c7ee4
1a6512e9ef1e78a2bbd6b32da3d4acc29e7228e73422b5874773cf3fe0cf8cfe
6306d0c7f5d524e696cadc7030c4f381582ae9bc0fe8f14f674c1ab158db7b6f
5430a9c4400031da1f71f6d76ff5d718c6bbe03a109c0e433e86572735104b4f
5a067bb523b05f49a6382901643d9c19a73141b4d87e2315178b7a666714bb3e
fdc4874b2ba18674d1ea35f3f5cc862bced94afec89bbdcd41c929c5f5052078
8e0290f9b6f8e1590c551b1287f0036425617a657aea0b77b44374e53069ffeb
55120d9a4375ec69b2c5eeaba2120a999043cb48e23a1b7243da5bf95383cfc8
de98c10054d53a8ef78a51842187f2eb9031ceba988536bc31109759e8f20d6d
86e730b785adba94b3182bb13e12b691a0cedd2945c5852af25ebd70f07698c9
63cddfb55743411598d883cca625169d2e209e00735d04e3bcb806d7965b22a5
1ae42cc4b283b7735deca6bd32af17d59293bece5ae2dca2794a1544d99ee283
bb9090658b0572a54e8dd862858a00f0663b3ed3acfa142b6daea3faa05bb9e3
241bf0de32f11b86ada14a2744acfd63d2f75d16de62b1b978d3619ca2aa5941
745dbea5b70df628ee2ab49d01639490f2fe6994bb8db67a072c3ce96c81256a
38a85b0e912675e3c5c189a68a00459f0be4253bb989ab18c8dc904129062ec9
ac830727efb85dd873e55be8e6de998105743a679cb7477203bc75fef85f6f64
9b15a5d94fd6f1d6eeae85765f3a5a5f0d4bc5b099582931386b068c8322bcde
30889f13cb68d07d870acab2076875e2255a1775d13c055c18681081f8c4e930
86e790b767b8c3291da664e0dd28435b0ec05c2504f01886b8c3661aec304fd8
b80e78f4e7f6c5c6ab3c4b2260e036a029835d95fbd57769fb4340ba6948b35b
bd95965ac66c3f556ed3549a81118d1a27e6af3c8089c7840422af5504780220
7bc009954073ce4f2d021141fea0414724ffa61dbef684b05575ea77afe7be48
a1de0ac4cffd0208e4a061050b64a0a6bd4d79f1bf4d83c16243e846bebeada5
37ba20f9c1ba6417c341aa58d14953e5c30ec10337529b8d849dcec08f0be0e1
048a421895ecb13a777cb874861e92cf56cecfd8ec0b1210cb5e4121c2a0760a
a1c701f27cea1e411850c5b682090dba13662b161d484a34d2b7ac5f5d113b81
61bad72feef7c9d342792ab61a0a959bd42020c88f11af44b6702c89aa7bc26d
9a33324ea2521ac9e8343f59dce5f0363fd0269db2c1ff43a7a799226a3ebf4d
89fb909a25827c233ceea30f65aa4e2e4d3896b2122ed069a457c8bdfc05ee75
4d5331636aeda3ca98e0048593e6bfd107cb971c165996581ecb59173320266f
63098421d7546c5081b02d460d5d1935ec9dc21c66ae6d3bf314da086b0c6aaf
5666d9b25f652b17009b8797c19229f90390a7ce38f8998fb1c06b24c895255c
f2d8fe909f892a532a59f22baeecd0747f3a8ee9b62c836f99c9448b52288424
e391d4d3a1236930927c32c58efb4ba07bc6a1a64ee4d15ccd07cbc413078a27
236eac2ec093429750050032bf3488177730b8512318fcc6b72e70387c6057d7
ed99c922b30639e237b153268cb7bcf9d17f9dceed0ec46065c31d9e3101c94a
b5a5033da9b26038f6ccfcef451753d841f95e0f706e2c17d7409ff91ecbb886
4f5cd452787428b2af5aa30a0c8fa317c54056b25ff9999ed176d4c93b2d3619
62cb4ead7782151f70977cb58b28f99a83800bb26b5cebf06b1ca94c02e5289f
31b69d49da75fec775b1f6684fbb8246ce13b6c11b3d352c5a909046062201ec
7f77ef97d02d9ebc415c32223f9f621b34183afbe565631d1908937d323a01da
dcbf549d7c45b16a5ff37c7543f41b22d1b5539c128a60b09704e79e1d14b7b9
95b414de46c199c707817d86e581964a9c80be12f97c1187d00ed38ae3ed83d5
9aeba99735d144ca63bd2d01734db0ee7077cf1865e00bf78585c00f023a4111

SH256 hash:

444c9128114c59e174dec3a243760f73843021b91cfab7959d71ee03b569c63c

MD5 hash:

c3f876aa5806a3e6815dc841a792f5bd

SHA1 hash:

83e3fdff1e387991c69d69d4cc6f53182d52131b

Link:

https://www.unpac.me/results/62f9c0d5-5763-4d19-9976-992615259c5e/

SH256 hash:

6cb8451cf89ad30c3454dffa5d9e95e7b7ccf56fa9298cd639e402552efc3673

MD5 hash:

6ccd81668a21ccbee877e8566ba12709

SHA1 hash:

55e6b7985f63bc63f7705f53c6d0d9d5abe492d8

Link:

https://www.unpac.me/results/62f9c0d5-5763-4d19-9976-992615259c5e/

SH256 hash:

445e37de42dff8e51c4deb5710262d41b7a901b87d04e521c737307fa2e9f1f6

MD5 hash:

9346eaa99e5265c38c658ca7cd2754fa

SHA1 hash:

2a72a1300fc4c10078657359aa27f483dd93f153

Link:

https://www.unpac.me/results/62f9c0d5-5763-4d19-9976-992615259c5e/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/445e37de42dff8e51c4deb5710262d41b7a901b87d04e521c737307fa2e9f1f6

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_EXE_Packed_VMProtect Create hunting rule
Author:	ditekSHen
Description:	Detects executables packed with VMProtect.

Rule name:	MD5_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for MD5 constants

Rule name:	shellcode Create hunting rule
Author:	nex
Description:	Matched shellcode byte patterns

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Link

http://never.hitsturbo.com/order/tuc7.exe

Cape

https://www.capesandbox.com/analysis/466705/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample