MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 44c454a39eade69d33e99d63364f9446416d1b73c9193ffec27da0431be082cd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Socks5Systemz


Vendor detections: 12


Intelligence 12 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 44c454a39eade69d33e99d63364f9446416d1b73c9193ffec27da0431be082cd
SHA3-384 hash: d5afd2bf2ce5ddf009cdc6e042901804e8eae4619168a46a41ed1e49bd056354c66cb361b361370138f9b3baf2c1206c
SHA1 hash: 1a2257b3c73fbe3d77191d00ae231ddb726c2ddc
MD5 hash: 3600282fc974c820115a7eb2d857cdd4
humanhash: enemy-mobile-golf-uranus
File name:3600282fc974c820115a7eb2d857cdd4.exe
Download: download sample
Signature Socks5Systemz
Create hunting rule
File size:2'602'718 bytes
First seen:2024-02-27 13:35:18 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 884310b1928934402ea6fec1dbd3cf5e (3'725 x GCleaner, 3'525 x Socks5Systemz, 262 x RaccoonStealer)
ssdeep 49152:C9TyCC2GW7ItkXi5wwW171HugB/wp4Yz0Cx:MHC2jwP5wwW1ZHXBm4/M
Threatray 73 similar samples on MalwareBazaar
TLSH T1FFC533B3536381B6F3A5E8752E7594915563AF20347BE92073EC6EBC6F32242C80E6D4
TrID 69.7% (.EXE) Inno Setup installer (107240/4/30)
9.2% (.EXE) Win32 Executable Delphi generic (14182/79/4)
8.5% (.SCR) Windows screen saver (13097/50/3)
4.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
2.9% (.EXE) Win32 Executable (generic) (4504/4/1)
File icon (PE):PE icon
dhash icon b298acbab2ca7a72 (2'327 x GCleaner, 1'631 x Socks5Systemz, 67 x RedLineStealer)
Reporter abuse_ch
Tags:exe Socks5Systemz


Avatar
abuse_ch
Socks5Systemz C2:
195.16.74.230:80

Intelligence

File Origin
# of uploads :
1
# of downloads :
300
Origin country :
NL NL
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/478006/
Detection(s):
SecuriteInfo.com.Trojan.Win32.Crypt.58.29730.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% subdirectories
Creating a window
Creating a process from a recently created file
Сreating synchronization primitives
Searching for synchronization primitives
Creating a file
Moving a recently created file
Modifying a system file
Creating a service
Enabling autorun for a service
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
fingerprint installer lolbin overlay packed shell32
Link:
https://www.filescan.io/uploads/65dde549781f57164644cbe8/reports/f9a074a5-5758-4923-996e-c4ce6e1ec413/overview
Verdict:
Malicious
Labled as:
Win/grayware_confidence_60%
Link:
https://www.hybrid-analysis.com/sample/44c454a39eade69d33e99d63364f9446416d1b73c9193ffec27da0431be082cd
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/bc540284-b072-40c3-b737-b6aca72b74ef
Result
Threat name:
Socks5Systemz
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
84 / 100
Link:
https://www.joesandbox.com/analysis/1399513
Signature
Changes security center settings (notifications, updates, antivirus, firewall)
Contains functionality to infect the boot sector
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Machine Learning detection for dropped file
Snort IDS alert for network traffic
Yara detected Socks5Systemz
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1399513 Sample: 5mRmW8zUug.exe Startdate: 27/02/2024 Architecture: WINDOWS Score: 84 43 time.windows.com 2->43 49 Snort IDS alert for network traffic 2->49 51 Detected unpacking (changes PE section rights) 2->51 53 Detected unpacking (overwrites its own PE header) 2->53 55 3 other signatures 2->55 8 5mRmW8zUug.exe 2 2->8         started        11 svchost.exe 2->11         started        14 svchost.exe 2->14         started        16 5 other processes 2->16 signatures3 process4 file5 39 C:\Users\user\AppData\...\5mRmW8zUug.tmp, PE32 8->39 dropped 18 5mRmW8zUug.tmp 21 23 8->18         started        57 Changes security center settings (notifications, updates, antivirus, firewall) 11->57 21 MpCmdRun.exe 2 11->21         started        signatures6 process7 file8 31 C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+ 18->31 dropped 33 C:\Users\user\AppData\Local\...\_isdecmp.dll, PE32 18->33 dropped 35 C:\Users\user\AppData\Local\...\_iscrypt.dll, PE32 18->35 dropped 37 15 other files (14 malicious) 18->37 dropped 23 cddvdidentifier.exe 1 17 18->23         started        26 cddvdidentifier.exe 1 2 18->26         started        29 conhost.exe 21->29         started        process9 dnsIp10 45 bbxbtut.com 195.16.74.230, 49710, 49711, 49713 GTT-BACKBONEGTTDE Russian Federation 23->45 47 45.155.249.96, 2023, 49775, 49778 MEER-ASmeerfarbigGmbHCoKGDE Germany 23->47 41 C:\ProgramData\...\WBICreatorService 6.4.exe, PE32 26->41 dropped file11
Score:
12%
Verdict:
Benign
File Type:
PE
Link:
https://malprob.io/report/44c454a39eade69d33e99d63364f9446416d1b73c9193ffec27da0431be082cd
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/44c454a39eade69d33e99d63364f9446416d1b73c9193ffec27da0431be082cd/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Malicious
First seen:
2024-02-27 14:05:02 UTC
File Type:
PE (Exe)
Extracted files:
6
AV detection:
13 of 24 (54.17%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=itcfji46vxtj2m7jtvrtmt4uizaw2g3tzemt77wcpwqegg7aqlgq._file
Verdict:
malicious
Similar samples:
01006e47ba030748e7843e01ec62fdf7970d003931434837fa79cd4b84e3e0e0
Socks5Systemz
1aaed7146357bbe59c272567b264c5caae9df10c4d37b3f48876fb06cc541910
Socks5Systemz
30e4e68df4756ec8c246ad684099719f812744a1542bc2bca670c58982da936e
Socks5Systemz
44c454a39eade69d33e99d63364f9446416d1b73c9193ffec27da0431be082cd
Socks5Systemz
a97cdc8d5c4bc1a265ca4c51ffb9feb9ef084718015cd720c37cb8c7fb45e424
Socks5Systemz
d48601f7d4521306afa881ad375c23502913742c4e4f924936efcd1abd18fa18
Socks5Systemz
fbbddf6db4673f268c60b1ce2e67cb897c393740f70a637017f20c91be0d0e66
Socks5Systemz
ff0b27a5f69de1453574ebe4416e3446d91b7b372727eb3239970b53cf50f719
Socks5Systemz
+ 63 additional samples on MalwareBazaar
Result
Malware family:
socks5systemz
Create hunting rule
Score:
  10/10
Tags:
family:socks5systemz botnet discovery
Link:
https://tria.ge/reports/240227-qv8ataaa93/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Checks installed software on the system
Executes dropped EXE
Loads dropped DLL
Unexpected DNS network traffic destination
Detect Socks5Systemz Payload
Socks5Systemz
Malware Config
C2 Extraction:
http://ccfnysd.net/search/?q=67e28dd86554fa2a495aa4197c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4de8889b5e4fa9281ae978a071ea771795af8e05c647db22f31df92d8b38e316a667d307eca743ec4c2b07b52966923b6e8efb10c0ec94
http://aqnmixi.ru/search/?q=67e28dd83e08a72b4108ad4e7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4fe8889b5e4fa9281ae978f671ea771795af8e05c647db22f31dfe339426fa11af66c152adb719a9577e55b8603e983a608ef611c4ee95993e
Unpacked files
SH256 hash:
5a7bb16d88a5010d41b13d8160592e74de191f9b01e42ef8d00d51ce9e841ee5
MD5 hash:
7ccee78e68c795b5455c4072e6d7fb71
SHA1 hash:
46f353bcb5497af748633b443a9e1f583b394a82
Link:
https://www.unpac.me/results/8f66052e-2ef6-478b-a991-bc3a002aa315/
SH256 hash:
3e64a5b4ea653c46a32cb9fbadaa316e5fbf1f4a1181568fb28f9d5f453d5560
MD5 hash:
8cdc1ce9a5af4d8ee082dd2e69069f6d
SHA1 hash:
995a806f0b1f5399aa3ce6969d9ebbb8f1cfa010
Detections:
INDICATOR_EXE_Packed_VMProtect
Create hunting rule
Link:
https://www.unpac.me/results/8f66052e-2ef6-478b-a991-bc3a002aa315/
SH256 hash:
44b8e6a310564338968158a1ed88c8535dece20acb06c5e22d87953c261dfed0
MD5 hash:
9c8886759e736d3f27674e0fff63d40a
SHA1 hash:
ceff6a7b106c3262d9e8496d2ab319821b100541
Link:
https://www.unpac.me/results/8f66052e-2ef6-478b-a991-bc3a002aa315/
SH256 hash:
e4fc574a01b272c2d0aed0ec813f6d75212e2a15a5f5c417129dd65d69768f40
MD5 hash:
c8871efd8af2cf4d9d42d1ff8fadbf89
SHA1 hash:
d0eacd5322c036554d509c7566f0bcc7607209bd
Link:
https://www.unpac.me/results/8f66052e-2ef6-478b-a991-bc3a002aa315/
SH256 hash:
a857d1cd506d1ab99303ed8d82c84a91133132b5fafe1b09447155e599c6f260
MD5 hash:
c823f71b192fe6e60fdb8833722003ea
SHA1 hash:
eeb6bf80f25aacabad9dfd2774aa691281afe635
Link:
https://www.unpac.me/results/8f66052e-2ef6-478b-a991-bc3a002aa315/
SH256 hash:
7836ac452b57ecea3a224d77e6f0521873d1f70dcb627d0e188b5cf433c71eea
MD5 hash:
0ca596de825196b4253c1c9fb3d8552a
SHA1 hash:
e49b695f074aa1d164350b0a39adb3df84989db8
Link:
https://www.unpac.me/results/8f66052e-2ef6-478b-a991-bc3a002aa315/
SH256 hash:
3fa36458ba467f68c929a61736a2766f8a32cbc98cfc018508ad460bc75fcfaa
MD5 hash:
94c6f120f71a9429e28a3e31a7b734ad
SHA1 hash:
3ce942a7df4f854eeae452aa0bb03cda562fd158
Link:
https://www.unpac.me/results/8f66052e-2ef6-478b-a991-bc3a002aa315/
SH256 hash:
44c454a39eade69d33e99d63364f9446416d1b73c9193ffec27da0431be082cd
MD5 hash:
3600282fc974c820115a7eb2d857cdd4
SHA1 hash:
1a2257b3c73fbe3d77191d00ae231ddb726c2ddc
Link:
https://www.unpac.me/results/8f66052e-2ef6-478b-a991-bc3a002aa315/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/44c454a39eade69d33e99d63364f9446416d1b73c9193ffec27da0431be082cd

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_VMProtect
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with VMProtect.
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Socks5Systemz

Executable exe 44c454a39eade69d33e99d63364f9446416d1b73c9193ffec27da0431be082cd

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2759180/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/478006/

Comments