MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4fda32130e1ed6c92d045b5365473a527271dcc53676277585f7f9a8a3dccc4b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Socks5Systemz


Vendor detections: 15


Intelligence 15 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4fda32130e1ed6c92d045b5365473a527271dcc53676277585f7f9a8a3dccc4b
SHA3-384 hash: cc3fa7f2bb236fe46edf616c7566edcd7c6c14fd40a309ba4c4fa0b2538bf988f46192e1116a192055722cd19a1806d1
SHA1 hash: 615e14898ae7ee4d09907045c4ed1a4909da4515
MD5 hash: d3ce98f478bccae83775d7ce4a8a3a94
humanhash: robin-johnny-arizona-tennessee
File name:install.exe
Download: download sample
Signature Socks5Systemz
Create hunting rule
File size:3'672'791 bytes
First seen:2024-09-08 12:03:35 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 884310b1928934402ea6fec1dbd3cf5e (3'725 x GCleaner, 3'452 x Socks5Systemz, 262 x RaccoonStealer)
ssdeep 98304:+TkesPwMoH6p+yUtF2tHWs/upiJZPgD3p:UtsKH7yU6Is/5ZoD3p
TLSH T1AA0612C0FD41E927C6907BB645AFB3649E7C9EC4BC674306712A33C93B7AA84AD095C4
TrID 80.0% (.EXE) Inno Setup installer (107240/4/30)
10.5% (.EXE) Win32 Executable Delphi generic (14182/79/4)
3.3% (.EXE) Win32 Executable (generic) (4504/4/1)
1.5% (.EXE) Win16/32 Executable Delphi generic (2072/23)
1.5% (.EXE) OS/2 Executable (generic) (2029/13)
Magika pebin
File icon (PE):PE icon
dhash icon f8cc8e8ea696e4cc (1 x Socks5Systemz)
Reporter aachum
Tags:exe Socks5Systemz


Avatar
iamaachum
176.113.115.33/ssl/install.exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
381
Origin country :
ES ES
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
install.exe
Verdict:
Suspicious activity
Analysis date:
2024-09-08 12:08:45 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/228a372d-ae19-4a35-8c30-9ef0d459b952

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Trojan.MulDrop26.51718.24756.8918.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=66dd92b44af4c97a7615bd99
Tags:
Encryption Generic Stealth Trojan Drop
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% subdirectories
Creating a window
Creating a process from a recently created file
Сreating synchronization primitives
Searching for synchronization primitives
Creating a file
Moving a recently created file
Creating a service
Launching a process
Modifying a system file
Enabling autorun for a service
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
borland_delphi fingerprint installer lolbin overlay packed shell32
Link:
https://www.filescan.io/uploads/66dd92b43b4f130ebccf0c34/reports/5e4d5002-7f9a-4631-94c6-b58ad8ac48c5/overview
Verdict:
Malicious
Labled as:
Win/grayware_confidence_70%
Link:
https://www.hybrid-analysis.com/sample/4fda32130e1ed6c92d045b5365473a527271dcc53676277585f7f9a8a3dccc4b
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/bf7c388a-3bb4-4607-a25c-9a12932a8c75
Result
Threat name:
Socks5Systemz
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/1507482
Signature
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Contains functionality to infect the boot sector
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Machine Learning detection for dropped file
Suricata IDS alerts for network traffic
Yara detected Socks5Systemz
Behaviour
Behavior Graph:
Download SVG
Score:
76%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/4fda32130e1ed6c92d045b5365473a527271dcc53676277585f7f9a8a3dccc4b
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4fda32130e1ed6c92d045b5365473a527271dcc53676277585f7f9a8a3dccc4b/
Threat name:
Win32.Trojan.Munp
Create hunting rule
Status:
Malicious
First seen:
2024-09-08 12:04:06 UTC
File Type:
PE (Exe)
Extracted files:
5
AV detection:
12 of 38 (31.58%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=j7ndeeyod3lmslielnjwkrz2kjzhdxgfgz3co5mf6742ri64zrfq._file
Verdict:
malicious
Result
Malware family:
socks5systemz
Create hunting rule
Score:
  10/10
Tags:
family:socks5systemz botnet discovery
Link:
https://tria.ge/reports/240908-n8lb4axdmb/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
Checks installed software on the system
Executes dropped EXE
Loads dropped DLL
Unexpected DNS network traffic destination
Detect Socks5Systemz Payload
Socks5Systemz
Verdict:
Unknown
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/d4068884-ab38-4713-beb8-7859a8a5ad76
Unpacked files
SH256 hash:
cd0286dedf4dec81c64a9c64876853cc6234f4e6bd4ee2098a6bb1c4c7fc754b
MD5 hash:
c211a56e7e285191bdccef31f330af37
SHA1 hash:
aa3b3b06b2b44978e2a3f85da1a3108fcbb7a09b
Link:
https://www.unpac.me/results/4836045a-b88a-4a83-b8e5-47e9cdab03ff/
SH256 hash:
44b8e6a310564338968158a1ed88c8535dece20acb06c5e22d87953c261dfed0
MD5 hash:
9c8886759e736d3f27674e0fff63d40a
SHA1 hash:
ceff6a7b106c3262d9e8496d2ab319821b100541
Link:
https://www.unpac.me/results/4836045a-b88a-4a83-b8e5-47e9cdab03ff/
SH256 hash:
66b3d100479d2d4d37e3a55fd7d5ca68303ccac9de171501719f5f2aa3c6b7c6
MD5 hash:
489adebb4a163360e6c1fcaa2a27e2d6
SHA1 hash:
9ba1f609278a9ba6034543de5f03b3b47ac89fd8
Link:
https://www.unpac.me/results/4836045a-b88a-4a83-b8e5-47e9cdab03ff/
SH256 hash:
4fda32130e1ed6c92d045b5365473a527271dcc53676277585f7f9a8a3dccc4b
MD5 hash:
d3ce98f478bccae83775d7ce4a8a3a94
SHA1 hash:
615e14898ae7ee4d09907045c4ed1a4909da4515
Link:
https://www.unpac.me/results/4836045a-b88a-4a83-b8e5-47e9cdab03ff/
Malware family:
Socks5Systemz
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/4fda32130e1e/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/4fda32130e1ed6c92d045b5365473a527271dcc53676277585f7f9a8a3dccc4b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Socks5Systemz

Executable exe 4fda32130e1ed6c92d045b5365473a527271dcc53676277585f7f9a8a3dccc4b

(this sample)

  
Link
https://tria.ge/240908-n2zadavbmr
  
Dropped by
PrivateLoader
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/3124389/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
CHECK_NXMissing Non-Executable Memory Protectioncritical
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh
Reviews
IDCapabilitiesEvidence
SECURITY_BASE_APIUses Security Base APIadvapi32.dll::AdjustTokenPrivileges
WIN32_PROCESS_APICan Create Process and Threadskernel32.dll::CreateProcessA
advapi32.dll::OpenProcessToken
kernel32.dll::CloseHandle
WIN_BASE_APIUses Win Base APIkernel32.dll::LoadLibraryA
kernel32.dll::GetSystemInfo
kernel32.dll::GetCommandLineA
WIN_BASE_IO_APICan Create Fileskernel32.dll::CreateDirectoryA
kernel32.dll::CreateFileA
kernel32.dll::DeleteFileA
kernel32.dll::GetWindowsDirectoryA
kernel32.dll::GetFileAttributesA
kernel32.dll::RemoveDirectoryA
WIN_BASE_USER_APIRetrieves Account Informationadvapi32.dll::LookupPrivilegeValueA
WIN_REG_APICan Manipulate Windows Registryadvapi32.dll::RegOpenKeyExA
advapi32.dll::RegQueryValueExA
WIN_USER_APIPerforms GUI Actionsuser32.dll::PeekMessageA
user32.dll::CreateWindowExA

Comments