MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 56cb02a0619fceb030b73a34edad28b45ef89fa150e3f1cd86175ce13cc5e0d6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Socks5Systemz


Vendor detections: 11



SHA256 hash: 56cb02a0619fceb030b73a34edad28b45ef89fa150e3f1cd86175ce13cc5e0d6
SHA3-384 hash: 9c959afb596866f7b3a24346fdd591a5957bd6373cba4cec0303eba5d4ea0e9e799d162f6697b134613b9dc19fe74122
SHA1 hash: 16d0ecde1ce1c35449e19f4afcbb34f3972e28b7
MD5 hash: f9789f15b5c3e345601a05456a656c4a
humanhash: salami-golf-blossom-twenty
File name: tuc5.exe
Signature: Socks5Systemz
File size: 7'524'193 bytes
First seen: 2023-12-12 17:46:02 UTC
Last seen: 2023-12-12 19:40:42 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash 884310b1928934402ea6fec1dbd3cf5e (3'725 x GCleaner, 3'455 x Socks5Systemz, 262 x RaccoonStealer)
ssdeep 196608:dxm5MctdEEAJTpMEa66Ey+/xwAB04awWOAQwlCkzj:vcjEEAJWEh65C30GW9lCkzj
Threatray 6'604 similar samples on MalwareBazaar
TLSH T1107633C060F4C2B4C92D9FB0BEA9C4729F7B84F91A3CD37A0698D5459A3C6DB294C749
TrID 80.0% (.EXE) Inno Setup installer (107240/4/30)
10.5% (.EXE) Win32 Executable Delphi generic (14182/79/4)
3.3% (.EXE) Win32 Executable (generic) (4505/5/1)
1.5% (.EXE) Win16/32 Executable Delphi generic (2072/23)
1.5% (.EXE) OS/2 Executable (generic) (2029/13)
dhash icon 00f8dcdcdcbebe00 (621 x Socks5Systemz)
Reporter Xev
Tags: exe Socks5Systemz


NIXLovesCooper
Downloaded from http://never.hitsturbo.com/order/tuc5.exe

Intelligence


File Origin
# of uploads :
2
# of downloads :
250
Origin country :
GR
Vendor Threat Intelligence
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a window
Creating a process from a recently created file
Creating synchronization primitives
Searching for the window
Searching for synchronization primitives
Creating a file in the Program Files subdirectories
Moving a file to the Program Files subdirectory
Launching a process
Modifying a system file
Creating a file
Creating a service
Launching the process to interact with network services
Enabling autorun for a service
Gathering data
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
control installer lolbin overlay packed shell32
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Petite Virus, Socks5Systemz
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Signature
Antivirus / Scanner detection for submitted sample
Contains functionality to infect the boot sector
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
PE file has nameless sections
Snort IDS alert for network traffic
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Petite Virus
Yara detected Socks5Systemz
Behaviour
Behavior Graph (ID 1360540, sample tuc5.exe, start date 12/12/2023, architecture WINDOWS, score 100), flattened from the graph image:

Top-level signatures: Snort IDS alert for network traffic; Antivirus / Scanner detection for submitted sample; Detected unpacking (changes PE section rights); 5 other signatures.

Process tree:
- tuc5.exe (started)
  - drops C:\Users\user\AppData\Local\Temp\...\tuc5.tmp (PE32)
  - tuc5.tmp (started; signature: Uses schtasks.exe or at.exe to add and modify task schedules)
    - drops C:\Program Files (x86)\numGIF\numgif.exe (PE32)
    - drops C:\Program Files (x86)\...\is-VNA83.tmp (PE32)
    - drops C:\Program Files (x86)\...\is-J8TLI.tmp (PE32)
    - drops 56 other files (none is malicious)
    - numgif.exe (started)
      - network: bvddbtq.com 185.196.8.22, ports 49711, 49712, 49713 (SIMPLECARRER2IT, Switzerland)
    - net.exe (started)
      - conhost.exe (started)
      - net1.exe (started)
    - numgif.exe (started, second instance)
      - drops C:\ProgramData\M75Bitrate\M75Bitrate.exe (PE32)
    - schtasks.exe (started)
      - conhost.exe (started)
Threat name:
Win32.Trojan.Generic
Status:
Suspicious
First seen:
2023-12-12 17:47:05 UTC
File Type:
PE (Exe)
Extracted files:
5
AV detection:
10 of 23 (43.48%)
Threat level:
  5/5
Result
Malware family:
n/a
Score:
  7/10
Tags:
discovery
Behaviour
Runs net.exe
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Drops file in Program Files directory
Checks installed software on the system
Executes dropped EXE
Loads dropped DLL
Unexpected DNS network traffic destination
Unpacked files
SHA256 hash:
8f46560bace4461fa81330a6fae23c3518775ab273cc7682886e3a7da2eda754
MD5 hash:
48099a177870feab66ead638a05e52c0
SHA1 hash:
9e6e6198af2e31999a818122e2f7dc0a45973833
Detections:
INDICATOR_EXE_Packed_VMProtect
Parent samples :
SHA256 hash:
d1286da2332f03018f97ce332f9b3ea0963088e2ec105e6f2ba3acaea00560d4
MD5 hash:
5e46d295989c1e038ce5202a45a591b4
SHA1 hash:
46ea548a01d0e35d655a9cbcc90671fe3b5bf06c
SHA256 hash:
143704c1a6a6ef7b8056b801745365cb8e75dde9e354d60d3a24245836d50e49
MD5 hash:
b9cb3b2df1ff1a18c170fb9f9a469799
SHA1 hash:
e8028f35c33ecbb5e5cecd13e288110a94841297
SHA256 hash:
323f555793af5bb8c5cae0e655fa2104c638c9bea480f52261ee2e0501476561
MD5 hash:
a4a65b014344fcce064412bc59ff6881
SHA1 hash:
9c35f49f2c6b11fe35d5428e5cef7cc4409b453c
SHA256 hash:
56cb02a0619fceb030b73a34edad28b45ef89fa150e3f1cd86175ce13cc5e0d6
MD5 hash:
f9789f15b5c3e345601a05456a656c4a
SHA1 hash:
16d0ecde1ce1c35449e19f4afcbb34f3972e28b7
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:shellcode
Author:nex
Description:Matched shellcode byte patterns

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments