MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5697c7ecb77bccbd4593b3982f2cd01e9c5806f10675d579e6a7246b615a68cf. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Socks5Systemz


Vendor detections: 17


Intelligence 17 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5697c7ecb77bccbd4593b3982f2cd01e9c5806f10675d579e6a7246b615a68cf
SHA3-384 hash: 01eeda7797ea91867bc753fc4c316818d342c4042e8e9040edd8a9532b3e884a3276e9bd7aa2d8ea5f68e2a5dc0ac4d0
SHA1 hash: 61541489bb3280647476918e36403bd81078cd17
MD5 hash: 91811bf66185d1842b846a6f1f8fcde4
humanhash: grey-december-vermont-montana
File name:5697c7ecb77bccbd4593b3982f2cd01e9c5806f10675d579e6a7246b615a68cf.exe
Download: download sample
Signature Socks5Systemz
Create hunting rule
File size:3'832'882 bytes
First seen:2025-10-06 20:25:54 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 884310b1928934402ea6fec1dbd3cf5e (3'725 x GCleaner, 3'460 x Socks5Systemz, 262 x RaccoonStealer)
ssdeep 98304:IEhUIiFF/KmbaCPDaW/J0BvhRzE+aU63D99c+etDnpn:DhUIyA+DL/ezEzUmTcfnpn
Threatray 37 similar samples on MalwareBazaar
TLSH T18B06337292DC9539F1687C749369B03F026A750B3AF4894C398D854F8B33B39590EBAD
TrID 76.2% (.EXE) Inno Setup installer (107240/4/30)
10.0% (.EXE) Win32 Executable Delphi generic (14182/79/4)
4.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.2% (.EXE) Win32 Executable (generic) (4504/4/1)
1.4% (.EXE) Win16/32 Executable Delphi generic (2072/23)
Magika pebin
Reporter aachum
Tags:dropped-by-gcleaner exe Socks5Systemz


Avatar
iamaachum
Socks5Systemz C2: 178.16.53.192

Intelligence

File Origin
# of uploads :
1
# of downloads :
81
Origin country :
ES ES
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
f42cfb2528a3539ed84cd28af6622181e1a9455b3cc32c6d08098deceaff3663.bin.exe
Verdict:
Malicious activity
Analysis date:
2025-10-04 14:57:07 UTC
Tags:
gcleaner loader auto generic anti-evasion
Link:
https://app.any.run/tasks/aef85530-0e34-40c7-9e25-2bb6a4ca8441

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Socks5Systemz
Create hunting rule
Link:
https://www.capesandbox.com/analysis/30875/
Detection(s):
no reply from clamd
Create hunting rule

Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68e426377f305fa2545d04e8
Tags:
injection dropper virus
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a window
Creating a process from a recently created file
Сreating synchronization primitives
Searching for the window
Searching for synchronization primitives
Creating a file
Moving a recently created file
Creating a service
Sending a custom TCP request
Enabling autorun for a service
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
adaptive-context borland_delphi fingerprint installer obfuscated overlay packed packer_detected
Link:
https://www.filescan.io/uploads/68e4263df377ab231052f7d0/reports/326a5c06-cfab-4f47-9a41-75554277f866/overview
Verdict:
Malicious
Labled as:
Adware.Popwina.fbjv/PSY
Link:
https://www.hybrid-analysis.com/sample/5697c7ecb77bccbd4593b3982f2cd01e9c5806f10675d579e6a7246b615a68cf
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-10-04T20:12:00Z UTC
Last seen:
2025-10-06T19:42:00Z UTC
Hits:
~10
Link:
https://opentip.kaspersky.com/5697c7ecb77bccbd4593b3982f2cd01e9c5806f10675d579e6a7246b615a68cf/results?tab=lookup
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/033abd07-b4e4-4f87-9f89-eacc6412b4d8
Result
Threat name:
Socks5Systemz
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1790203
Signature
C2 URLs / IPs found in malware configuration
Changes security center settings (notifications, updates, antivirus, firewall)
Contains functionality to infect the boot sector
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found API chain indicative of debugger detection
Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected Socks5Systemz
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1790203 Sample: NnyC1rkpK3.exe Startdate: 06/10/2025 Architecture: WINDOWS Score: 100 50 Found malware configuration 2->50 52 Multi AV Scanner detection for dropped file 2->52 54 Multi AV Scanner detection for submitted file 2->54 56 6 other signatures 2->56 7 NnyC1rkpK3.exe 2 2->7         started        10 svchost.exe 2->10         started        13 svchost.exe 1 1 2->13         started        16 5 other processes 2->16 process3 dnsIp4 38 C:\Users\user\AppData\...38nyC1rkpK3.tmp, PE32 7->38 dropped 18 NnyC1rkpK3.tmp 18 26 7->18         started        60 Changes security center settings (notifications, updates, antivirus, firewall) 10->60 22 MpCmdRun.exe 2 10->22         started        48 127.0.0.1 unknown unknown 13->48 file5 signatures6 process7 file8 30 C:\Users\user\AppData\Local\...\_shfoldr.dll, PE32 18->30 dropped 32 C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+ 18->32 dropped 34 C:\Users\user\AppData\Local\...\_iscrypt.dll, PE32 18->34 dropped 36 22 other malicious files 18->36 dropped 58 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 18->58 24 bookbitslib4392.exe 1 19 18->24         started        28 conhost.exe 22->28         started        signatures9 process10 dnsIp11 44 178.16.53.192, 443, 49692, 49693 DUSNET-ASDE Germany 24->44 46 94.26.38.3, 2024, 49694, 49696 PULSAR-NET-ASBG Bulgaria 24->46 40 C:\ProgramData\BookBitsLibrary\sqlite3.dll, PE32 24->40 dropped 42 C:\ProgramData\...\BookBitsLibrary.exe, PE32 24->42 dropped file12
Score:
73%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/5697c7ecb77bccbd4593b3982f2cd01e9c5806f10675d579e6a7246b615a68cf
Verdict:
inconclusive
YARA:
4 match(es)
Tags:
Executable PE (Portable Executable) PE File Layout Win 32 Exe x86
Link:
https://app.malva.re/file/91811bf66185d1842b846a6f1f8fcde4
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5697c7ecb77bccbd4593b3982f2cd01e9c5806f10675d579e6a7246b615a68cf/
Verdict:
Malicious
Threat:
Family.SOCKS5SYSTEMZ
Link:
https://tip.neiki.dev/file/5697c7ecb77bccbd4593b3982f2cd01e9c5806f10675d579e6a7246b615a68cf
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2025-10-06 20:27:22 UTC
File Type:
PE (Exe)
Extracted files:
6
AV detection:
13 of 24 (54.17%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=k2l4p3fxppgl2rmtwomc6lgqd2ofqbxraz25k6pgu4sgwyk2ndhq._file
Verdict:
malicious
Label(s):
socks5systemz
Create hunting rule
golddragon
Create hunting rule
Similar samples:
0254a41dbf2fa22e2089a469e0df44ff829387a6ae5c2f3b9911e2367f47fef4
Socks5Systemz
1a9b15b402ffd9217971c2d7f3512ec7a969396a6f985f8ca30160795d25acae
Socks5Systemz
28644da1a5215f3bd56b73024d901695c75c516b7aa337f6e27f3186cf472d89
Socks5Systemz
2f7d3121a43c63b018cbe92b3d7ec67514a4d546401bfb18991a9dd4c65fd542
Socks5Systemz
3fdd3133057075e3d3d3a4a12b1d350a6381f0192eec8eaa8f7888c914e83e20
Socks5Systemz
5b3b428c2625b3c8278b9b3a1d14002ef4760df42439db17efd3576ae952c6ca
Socks5Systemz
71a2c517ebca75a515e9d3adf45a27f967e6e42c0f3da2525088c612a2712339
Socks5Systemz
b56bfa3b2b15568250f21583deee3c5059f87fe830d4ce021deeaddfef880775
Socks5Systemz
error
Socks5Systemz
+ 27 additional samples on MalwareBazaar
Result
Malware family:
socks5systemz
Create hunting rule
Score:
  10/10
Tags:
family:socks5systemz botnet discovery
Link:
https://tria.ge/reports/251006-y8akpsfk3s/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
Checks installed software on the system
Executes dropped EXE
Loads dropped DLL
Detect Socks5Systemz Payload
Socks5Systemz
Socks5systemz family
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/437539aa-6f0d-4eec-96c0-0e99d8dafd5a
Unpacked files
SH256 hash:
5697c7ecb77bccbd4593b3982f2cd01e9c5806f10675d579e6a7246b615a68cf
MD5 hash:
91811bf66185d1842b846a6f1f8fcde4
SHA1 hash:
61541489bb3280647476918e36403bd81078cd17
Link:
https://www.unpac.me/results/4a1a5561-f9ad-455f-bbee-f409d432a571/
SH256 hash:
471cf7dd5cdf8f516f49bf488ce4b81d1001d65cecaa86eb1ea0ae0ad719f187
MD5 hash:
1687daa5150dc60cf8cecd232a7fa965
SHA1 hash:
779a49be856872b16feec4d61b4a6a82051f7771
Link:
https://www.unpac.me/results/4a1a5561-f9ad-455f-bbee-f409d432a571/
SH256 hash:
9d882ab9fad9da713a3adb404c8eb9fc1dda966c6a758f5f0f6d8b4ed32a66b0
MD5 hash:
383f2bf3e7b445a5b22ec6791a48e12a
SHA1 hash:
e671c669bc0daec7cf8ec53336b2dd518292184a
Link:
https://www.unpac.me/results/4a1a5561-f9ad-455f-bbee-f409d432a571/
SH256 hash:
44b8e6a310564338968158a1ed88c8535dece20acb06c5e22d87953c261dfed0
MD5 hash:
9c8886759e736d3f27674e0fff63d40a
SHA1 hash:
ceff6a7b106c3262d9e8496d2ab319821b100541
Link:
https://www.unpac.me/results/4a1a5561-f9ad-455f-bbee-f409d432a571/
SH256 hash:
dc2a9644e7ddbc1220065ece8fb23b69f9cac29db0e297760d98c82587c82c76
MD5 hash:
1d378407f9665341c238691ce421a3a7
SHA1 hash:
e5220e8605f00a035fb19bc6c40490647eb1ddf3
Link:
https://www.unpac.me/results/4a1a5561-f9ad-455f-bbee-f409d432a571/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/5697c7ecb77bccbd4593b3982f2cd01e9c5806f10675d579e6a7246b615a68cf

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CP_AllMal_Detector
Create hunting rule
Author:DiegoAnalytics
Description:CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication
Rule name:FreddyBearDropper
Create hunting rule
Author:Dwarozh Hoshiar
Description:Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:ScanStringsInsocks5systemz
Create hunting rule
Author:Byambaa@pubcert.mn
Description:Scans presence of the found strings using the in-house brute force method
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Socks5Systemz

Executable exe 5697c7ecb77bccbd4593b3982f2cd01e9c5806f10675d579e6a7246b615a68cf

(this sample)

  
Link
https://tria.ge/251006-y3p37sfj7x/behavioral2
  
Dropped by
GCleaner
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/30875/

Comments