MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 47934dfea8c7ec9a59ac5b99f4e440a668f8217999b7f03020bbee22720404ce. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Socks5Systemz


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 47934dfea8c7ec9a59ac5b99f4e440a668f8217999b7f03020bbee22720404ce
SHA3-384 hash: b0882e87dc24f0ca7e7b5c68a7634a5310064b89040ec3db821ee79b192b490c87c274ecb9457014eced3b2b78a776a4
SHA1 hash: 9a8b25abd5e3250a414cb61e686ec313111692f8
MD5 hash: ac478f2b3c909d31c7ec5b0e777c3d48
humanhash: low-september-chicken-venus
File name:Space_Royal_v.4.7.3.exe
Download: download sample
Signature Socks5Systemz
Create hunting rule
File size:10'752 bytes
First seen:2022-05-07 20:19:37 UTC
Last seen:2022-05-07 20:32:04 UTC
File type:Executable exe
MIME type:application/x-dosexec
ssdeep 192:4nWat2eAr5kuuM/TGZLy12OD6A7qOKDfRlu:4p2eAr8M/my1HeA79KDfRl
Threatray 993 similar samples on MalwareBazaar
TLSH T1D3220816E3B84D76CED946364C638AA00D38F243C4537B6E15C4892F7D1BF45CAA3AA5
TrID 63.5% (.EXE) Win64 Executable (generic) (10523/12/4)
12.2% (.EXE) OS/2 Executable (generic) (2029/13)
12.0% (.EXE) Generic Win/DOS Executable (2002/3)
12.0% (.EXE) DOS Executable Generic (2000/1)
File icon (PE):PE icon
dhash icon 60c480848cc4c410 (13 x Socks5Systemz)
Reporter JaffaCakes118
Tags:exe Socks5Systemz

Intelligence

File Origin
# of uploads :
2
# of downloads :
261
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Space Royal v.4.7.3.exe2.malwrae
Verdict:
No threats detected
Analysis date:
2022-05-07 20:12:45 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/5fc74b10-7fec-4891-92a1-0c503be43a91

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/269271/
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.AFAT.6029.6459.UNOFFICIAL
Create hunting rule

Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Сreating synchronization primitives
Sending an HTTP GET request
Running batch commands
Creating a process with a hidden window
Launching a process
Using the Windows Management Instrumentation requests
Unauthorized injection to a recently created process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
obfuscated wacatac
Link:
https://www.filescan.io/uploads/6276d488bd5c76586e1cc0e3/reports/1f93dd47-0d9f-4e3a-9484-bae8305e1b2c/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/5ab32838-8142-4a8c-abcb-2b08d459b5b8
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.evad
Score:
88 / 100
Link:
https://www.joesandbox.com/analysis/989549
Signature
.NET source code contains potential unpacker
Antivirus detection for URL or domain
Encrypted powershell cmdline option found
Injects a PE file into a foreign processes
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Potential dropper URLs found in powershell memory
Snort IDS alert for network traffic
Yara detected Costura Assembly Loader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 622045 Sample: Space_Royal_v.4.7.3.exe Startdate: 07/05/2022 Architecture: WINDOWS Score: 88 31 178.229.4.0.in-addr.arpa 2->31 35 Snort IDS alert for network traffic 2->35 37 Antivirus detection for URL or domain 2->37 39 Multi AV Scanner detection for submitted file 2->39 41 3 other signatures 2->41 8 Space_Royal_v.4.7.3.exe 15 7 2->8         started        13 Dthznlwu.exe 2->13         started        signatures3 process4 dnsIp5 33 179.43.140.177, 49769, 49856, 49860 PLI-ASCH Panama 8->33 27 C:\Users\user\...\Space_Royal_v.4.7.3.exe.log, ASCII 8->27 dropped 29 C:\Users\user\AppData\...\Dthznlwu.exe, PE32+ 8->29 dropped 43 Encrypted powershell cmdline option found 8->43 45 Modifies the context of a thread in another process (thread injection) 8->45 47 Injects a PE file into a foreign processes 8->47 15 cmd.exe 1 8->15         started        17 powershell.exe 24 8->17         started        19 Space_Royal_v.4.7.3.exe 8->19         started        file6 signatures7 process8 process9 21 conhost.exe 15->21         started        23 timeout.exe 1 15->23         started        25 conhost.exe 17->25         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/47934dfea8c7ec9a59ac5b99f4e440a668f8217999b7f03020bbee22720404ce/
Threat name:
ByteCode-MSIL.Spyware.Noon
Create hunting rule
Status:
Malicious
First seen:
2022-05-07 20:20:05 UTC
File Type:
PE+ (.Net Exe)
Extracted files:
6
AV detection:
3 of 42 (7.14%)
Threat level:
  2/5
Verdict:
malicious
Similar samples:
0ee1085fefee69e978fd79adf288a62b15c04e5f551fd6e7abde34daf1913ca1
Socks5Systemz
163f0f159705867530e310ee48ffb66a057fba8a236ca2473c3de1d2f9ea48c9
Socks5Systemz
2f7c830708a1d20feeed99000dcad718e23183fb9e5a0ebd169d4e890ee19d65
Socks5Systemz
6b10f57d5211fa504775f4db4021b74bfee20d6fc6f908fb062044db926c0656
Socks5Systemz
8f9ff0227f4ce6ed3259d5f2f8bfd8c54496e9896ad5f522cdd768911be4b4bc
Socks5Systemz
c0ccd75375402c9d18d9fd11207ddf17011449874a2bc3521c6e3b815402b578
Socks5Systemz
c9aa37b14d02530c430923c6f758158f1116109efad42f3cbd2eb965aa1c3b1f
Socks5Systemz
d24cfa0bdad2e8531085b2cf684b9ea333fd5d85daa7c7a51750e943f6ae7e0b
Socks5Systemz
df4876573295b4e7beb618db31a015ea617f61b811978bb168d432c4052f7731
Socks5Systemz
+ 983 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
persistence
Link:
https://tria.ge/reports/220507-y4d3bsdea6/
Behaviour
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Adds Run key to start application
Checks computer location settings
Unpacked files
SH256 hash:
47934dfea8c7ec9a59ac5b99f4e440a668f8217999b7f03020bbee22720404ce
MD5 hash:
ac478f2b3c909d31c7ec5b0e777c3d48
SHA1 hash:
9a8b25abd5e3250a414cb61e686ec313111692f8
Link:
https://www.unpac.me/results/437cef11-0685-4e36-8695-003602d80d55/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/47934dfea8c7/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.50
Link:
https://yomi.yoroi.company/submissions/47934dfea8c7ec9a59ac5b99f4e440a668f8217999b7f03020bbee22720404ce

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Socks5Systemz

Executable exe 47934dfea8c7ec9a59ac5b99f4e440a668f8217999b7f03020bbee22720404ce

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/269271/

Comments