MalwareBazaar Database
You are currently viewing the MalwareBazaar entry for SHA256 44e639bba7c908625909ccc32eaaaa343591873b037a877fe21db85652b24564. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.
Database Entry
Socks5Systemz
Vendor detections: 13
| SHA256 hash: | 44e639bba7c908625909ccc32eaaaa343591873b037a877fe21db85652b24564 |
|---|---|
| SHA3-384 hash: | 2d69a247d94d0a528775b147bd2b890b70222d9f5cf788e1af1d6aaecf01b5c4a25ab459b26da13ee1736f45f4e6dcd9 |
| SHA1 hash: | d52042d739b1bd9eee15730218d2ccff91bd0440 |
| MD5 hash: | 35a7e01c53b7c74778ce4569f6c0a91b |
| humanhash: | ceiling-finch-network-spaghetti |
| File name: | tuc6.exe |
| Download: | download sample |
| Signature | Socks5Systemz |
| File size: | 4'708'207 bytes |
| First seen: | 2024-01-07 04:28:53 UTC |
| Last seen: | 2024-01-07 04:29:44 UTC |
| File type: |  exe |
| MIME type: | application/x-dosexec |
| imphash | 884310b1928934402ea6fec1dbd3cf5e (3'725 x GCleaner, 3'455 x Socks5Systemz, 262 x RaccoonStealer) |
| ssdeep | 98304:QkjAMcYnFRJwtoSLPpMD/kK4+Z5fKPBKVWAcsBB+G6FCfK/dQGUAQKN84dm8:dcKL2Kv4+by+9D+ZFCfY2Gw4dD |
| Threatray | 10 similar samples on MalwareBazaar |
| TLSH | T10B2633821242663AC090CEF17637F16E953369116BF93EA3AE2C9DCC6EB35D101953E7 |
| TrID | 76.2% (.EXE) Inno Setup installer (107240/4/30) 10.0% (.EXE) Win32 Executable Delphi generic (14182/79/4) 4.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 3.2% (.EXE) Win32 Executable (generic) (4505/5/1) 1.4% (.EXE) Win16/32 Executable Delphi generic (2072/23) |
| dhash icon | b298acbab2ca7a72 (2'327 x GCleaner, 1'631 x Socks5Systemz, 67 x RedLineStealer) |
| Reporter |  adm1n_usa32 |
| Tags: | exe Socks5Systemz |
Intelligence
File Origin
# of uploads :
2
# of downloads :
323
Origin country :
ROVendor Threat Intelligence
Detection:
n/a
Result
Verdict:
Malware
Maliciousness:
Behaviour
Creating a file in the %temp% subdirectories
Creating a window
Creating a process from a recently created file
Сreating synchronization primitives
Searching for the window
Searching for synchronization primitives
Creating a file
Moving a recently created file
Modifying a system file
Creating a service
Sending a custom TCP request
Enabling autorun for a service
Verdict:
Malicious
Threat level:
10/10
Confidence:
100%
Tags:
control installer lolbin overlay packed shell32
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Argotronic GmbH
Verdict:
Suspicious
Result
Threat name:
Petite Virus, Socks5Systemz
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Signature
Antivirus / Scanner detection for submitted sample
Contains functionality to infect the boot sector
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found API chain indicative of debugger detection
Machine Learning detection for dropped file
Multi AV Scanner detection for dropped file
PE file has nameless sections
Snort IDS alert for network traffic
Yara detected Petite Virus
Yara detected Socks5Systemz
Behaviour
Behavior Graph:
Score:
17%
Verdict:
Benign
File Type:
PE
Threat name:
Win32.Trojan.Privateloader
Status:
Malicious
First seen:
2024-01-07 04:29:07 UTC
File Type:
PE (Exe)
Extracted files:
5
AV detection:
11 of 23 (47.83%)
Threat level:
5/5
Detection(s):
Suspicious file
Verdict:
malicious
Similar samples:
Result
Malware family:
socks5systemz
Score:
10/10
Tags:
family:socks5systemz botnet discovery
Behaviour
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Checks installed software on the system
Executes dropped EXE
Loads dropped DLL
Unexpected DNS network traffic destination
Detect Socks5Systemz Payload
Socks5Systemz
Unpacked files
SH256 hash:
5781e0e63e0b5628a8b1c0bc02a62ae908ccbfeea6cc3b26e049ae378a5ff806
MD5 hash:
6367bd3601b501ffe845ddf23be716b8
SHA1 hash:
ba1e529b8184582fac61e82fd0c77d47905a8eea
Detections:
INDICATOR_EXE_Packed_VMProtect
SH256 hash:
d366d145d44d511df407a424dac525feb53291ed45f07f42e9e0dbf00e08aec4
MD5 hash:
69a1b12540f0c118007780883a68ccd1
SHA1 hash:
14731b2f290c1095656b82734148ff437793cfd6
SH256 hash:
2f0744d65a1231229c5c380cb87342d460f92477df0c073f962ca7b8ca46f7d9
MD5 hash:
7bf3060148e48ed93f57fe980aada2c1
SHA1 hash:
e7b505b374a2bc1f5c371f1727c29d27c31ce121
SH256 hash:
202cf8df66bab7e889bcfbd73d8aad4464d1a7d74abf4af6bd582a30aa7242c0
MD5 hash:
844783e02e063789bafef9555c14d769
SHA1 hash:
4ab58f68b2372f0079d44f7c4692362bb4041f6e
SH256 hash:
688bad55877a75969ec9f744878d974716555ad1b8ca0923c4150df7c1938db5
MD5 hash:
bdcc94248eb71440f000da022edc447b
SHA1 hash:
0c3b411644b56879ba2f79dd8fec5b04718357ea
SH256 hash:
44e639bba7c908625909ccc32eaaaa343591873b037a877fe21db85652b24564
MD5 hash:
35a7e01c53b7c74778ce4569f6c0a91b
SHA1 hash:
d52042d739b1bd9eee15730218d2ccff91bd0440
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
YARA Signatures
MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.
| Rule name: | INDICATOR_EXE_Packed_VMProtect |
|---|---|
| Author: | ditekSHen |
| Description: | Detects executables packed with VMProtect. |
| Rule name: | MD5_Constants |
|---|---|
| Author: | phoul (@phoul) |
| Description: | Look for MD5 constants |
| Rule name: | shellcode |
|---|---|
| Author: | nex |
| Description: | Matched shellcode byte patterns |
File information
The table below shows additional information about this malware sample such as delivery method and external references.
Web download
Delivery method
Distributed via web download
Comments
Login required
You need to login to in order to write a comment. Login with your abuse.ch account.