MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 59f86278cda073f0cd89f83d828ce695a032eea920860831564d862fcf665455. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Socks5Systemz

Vendor detections: 11

Intelligence 11 IOCs YARA 3 File information Comments

SHA256 hash:	59f86278cda073f0cd89f83d828ce695a032eea920860831564d862fcf665455
SHA3-384 hash:	86f14f3bef8898b76c90a33fb650904c13d57ad981e0830020c6781b023688c3c5b8e62c09f37d1eae277d5829024992
SHA1 hash:	6e5f8253a4ccedfe77538a107f0297aa9fe3fd08
MD5 hash:	f249f8461b2b1cbd81102b38a1de365e
humanhash:	golf-yankee-florida-bravo
File name:	f249f8461b2b1cbd81102b38a1de365e.exe
Download:	download sample
Signature	Socks5Systemz Create hunting rule
File size:	4'498'124 bytes
First seen:	2024-04-06 07:05:12 UTC
Last seen:	2024-04-06 07:23:38 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	884310b1928934402ea6fec1dbd3cf5e (3'725 x GCleaner, 3'510 x Socks5Systemz, 262 x RaccoonStealer)
ssdeep	98304:CF/eOnb/bsI7su9daLr1JjxgrNTQxSldarIN+UkWYFSik7x6QxZO:OmObjsksu94n1Jjxgr9MSlArINLk54dy
Threatray	47 similar samples on MalwareBazaar
TLSH	T151263322F6D3C930F1336970AD6546DC1A5F79B60237C311EA68454EED0BDEA4A2836F
TrID	76.2% (.EXE) Inno Setup installer (107240/4/30) 10.0% (.EXE) Win32 Executable Delphi generic (14182/79/4) 4.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 3.2% (.EXE) Win32 Executable (generic) (4504/4/1) 1.4% (.EXE) Win16/32 Executable Delphi generic (2072/23)
File icon (PE):
dhash icon	b298acbab2ca7a72 (2'327 x GCleaner, 1'631 x Socks5Systemz, 67 x RedLineStealer)
Reporter	abuse_ch
Tags:	exe Socks5Systemz

abuse_ch

Socks5Systemz C2:
89.105.201.240:80

Intelligence

File Origin

# of uploads :

# of downloads :

309

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

59f86278cda073f0cd89f83d828ce695a032eea920860831564d862fcf665455.exe

Verdict:

Malicious activity

Analysis date:

2024-04-06 07:07:52 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/b7d2d998-b5b1-4f24-b254-b87ce89cb63c

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a file in the %temp% subdirectories

Creating a window

Creating a process from a recently created file

Сreating synchronization primitives

Searching for synchronization primitives

Creating a file

Moving a recently created file

Modifying a system file

Creating a service

Enabling autorun for a service

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

fingerprint installer lolbin overlay packed shell32

Link:

https://www.filescan.io/uploads/6610f45b15f64ac503523ec1/reports/d6a59123-f8d0-47cd-afa0-121359f4b741/overview

Verdict:

Unknown

Link:

https://www.hybrid-analysis.com/sample/59f86278cda073f0cd89f83d828ce695a032eea920860831564d862fcf665455

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/b959b4d8-d932-425b-8580-e2958b669a54

Result

Threat name:

Socks5Systemz

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1421247

Signature

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

C2 URLs / IPs found in malware configuration

Changes security center settings (notifications, updates, antivirus, firewall)

Contains functionality to infect the boot sector

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found API chain indicative of debugger detection

Found malware configuration

Machine Learning detection for dropped file

Multi AV Scanner detection for submitted file

Query firmware table information (likely to detect VMs)

Snort IDS alert for network traffic

Yara detected Socks5Systemz

Behaviour

Behavior Graph:

Download SVG

Score:

25%

Verdict:

Benign

File Type:

Link:

https://malprob.io/report/59f86278cda073f0cd89f83d828ce695a032eea920860831564d862fcf665455

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/59f86278cda073f0cd89f83d828ce695a032eea920860831564d862fcf665455/

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=lh4ge6gnubz7btmj7a6yfdhgswqdf3vjecdaqmkwjwdc7t3gkrkq._file

Verdict:

malicious

Socks5Systemz

59f86278cda073f0cd89f83d828ce695a032eea920860831564d862fcf665455

Socks5Systemz

60185ad4f1d262dca113cdfcc63ff8eeeb576782adbe31d9aa4b10dc73c34109

Socks5Systemz

c93e81abbf5a6cf82a908f3842bbd6a6df6e88457b3ac23702ff76f2c8fdb6b4

Socks5Systemz

+ 37 additional samples on MalwareBazaar

Result

Malware family:

socks5systemz

Score:

10/10

Tags:

family:socks5systemz botnet discovery

Link:

https://tria.ge/reports/240406-hw3sqadg93/

Behaviour

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Checks installed software on the system

Executes dropped EXE

Loads dropped DLL

Unexpected DNS network traffic destination

Detect Socks5Systemz Payload

Socks5Systemz

Malware Config

C2 Extraction:

http://dddpgzd.info/search/?q=67e28dd86a55a428420bf81f7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978f371ea771795af8e05c645db22f31df92d8b38e316a667d307eca743ec4c2b07b52966923a658df716c2ec92
http://dddpgzd.info/search/?q=67e28dd86a55a428420bf81f7c27d78406abdd88be4b12eab517aa5c96bd86ec96844f895a8bbc896c58e713bc90c91936b5281fc235a925ed3e50d6bd974a95129070b616e96cc92be20ea778c255bbe258b90d3b4eed3233d1626a8ff810c2ec9d9d39ce68
http://ejzfroe.ua/search/?q=67e28dd86a08a32d155da44d7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa49e8889b5e4fa9281ae978f471ea771795af8e05c645db22f31dfe339426fa11af66c152adb719a9577e55b8603e983a608ffd12c8e897993e
http://ejzfroe.ua/search/?q=67e28dd86a08a32d155da44d7c27d78406abdd88be4b12eab517aa5c96bd86e9968f4d96148ab2865b77f80ebad9c10f7cb63037ed2ab423a4314383ba915d911ec07bb606a0708727e40ea678c45abbe74ffb0e2807e12571c17f3e83fe16c1ed96923ccf6c93

Unpacked files

SH256 hash:

3095fc041ba642383996896ca31a1c6d94111910bd39f9361224c41530bad361

MD5 hash:

b68e5a40890b1cb7d148be92e4471a46

SHA1 hash:

3099424285c12f8c04673958f6b46ee76c2fdc91

Link:

https://www.unpac.me/results/959284bd-d0bf-4268-bd27-b9a850e1bd68/

SH256 hash:

1f74cdf838957e8ec129ec02e24ff27653cbd1cd8a25504b13f702d7566783b4

MD5 hash:

d209a803c582c9f385684dcb0175ed40

SHA1 hash:

6849a104fab39013ace9a72878f0277f763a0589

Detections:

Socks5Systemz

Link:

https://www.unpac.me/results/959284bd-d0bf-4268-bd27-b9a850e1bd68/

Parent samples :

59f86278cda073f0cd89f83d828ce695a032eea920860831564d862fcf665455
1795093f0f5b539c16a4cd62b94d897399ef2806b738af9b558bd44031677a73
e3a7940c60cc444eac152bf73714078aebc1c9e322f30a1dc83e3eb5d1c8be62
1cddcd51376a9afb24b5268c5a044b4dc245c094a086f2f332d5f35fde0b8ad0
934e794859a6e1d30d021f1af7b3a8b6ea99056bfc5e2cc1e9146b39bd07cabb
2eca091b98c0447ab906e07f9adaf0d7128825eb7381dea650a96413368cce98
3613cb0eaec9761e602b1c999de699c7316e110007295d4315b6911e950dba00
e81e7a88e53b0ee2d33b08bb31d0e4bc585f7322db6b9c9fc1fba83c5ae78b67
40a496eff69229cc23235b48513027be6b72424a7854f60899159de8e1a10667
57b0b2089bf7585d33311e40063481b8b0d8335560728453d9b0a4188bec6c20
d245ae1b7923630a25efbe794b4f6837adc54e3024b0c87ec8355c5fa7b51b9a
9120779debb8075ef30203285994dc46d3817769143d6f08b6cb1a89e234f3b9
948208f0e638786eb4ed0ee8cb9d062c0660e3482ddfa2bd276a869ddc3790f4
5ecd28f38e084ae35062a7ae46667ddd3d832243052b519f15cc04a85eac0f54
ab94752379e919059443d74e11f2adc2b0186bfbdf76210ffc0accd1a9c0b3dc
1655119040883feb256b1645581f9d7884a7c8e157d15fd7ccbc923d7e8a7778
18b8f970579c742ca263e8456fa22c8260d5512f69d593c3a7d84be80705ec08
075681f085776e64df7244b06045f44ba8ce90b5286012f4841eaf6b54b869db
9af60bcb43b67b54533b5ce9cd6853d97b1ef6d9f068541347023204323b1ee2
098a35dc7ec119ef4f9ee52734366b96942a5f594dd343a7763b63e188ef2590
e18d2e1a39b828e4c5783c6dc047da9271b36c171aec5171683ecf76c11b5a30
3bd90509166273180784df5a70804800285512f2de430bf16a6af0057ab26ff4
360ec2e6da27bea93778b93c93d9109f70d298544144e0dd19990db609c892ea
0e17ca40c6abf33153ab43e203fd8a50686128e55f0254e907f3e81864eaf118
6d57b846d065ebc93870f6a751b23f6ea1587c209187a542e0e0bb93beb3c77e
e1e932c3d4e0c5f7384a6e6d54eb3f911d4ac0c5371a06b587d45167b7d139cb
dd882143f9c146b917ded748edb3931c07fe03169735a6eb2473eaa643c1313b
280705276e5ab2ee6c95796e53f3336b90ec767f629531cf47dc04a545ff23ed
bc654338c06d1306797230d0501e1aa5995811576520e531daa651df1b5f3f84
f0c1b22af6ef866294aae9904aa1df3a63670910569941635ab4004d3b535448
3d6e7d86793a6812d02f9d32f59d44aa7a021568615ab25e8e3e5a6aa8b7545f
8df03e2d76dc2e82c4c02ff262caebe1049cbd692653efa5a12030bdeb834122
d67b47728a2140fd2d357128e6189d73f49e5566c58e4db0e2b0135b201fbd2e
20ab8e03414da5013554129a9ec42c692a498afa50daafec065c3ab995872bee
b409d205ae446b7ff2507e7ff4b5b4c9b63d76df8cbcda30407ee4d3d2bc7ff7
e688145845bb436a44a36a95a869e0cce86e71e234e7e4b7173bef1ea5f05ae2
ccc380c9278ae9b402d552a83c50555278dcc03b0371182785418cb0209984ec
a2fc29e11de24fb1347554e03aa1dbc0a4676e3ae8802afa0ae76c5094fe626b
9cd5ba5615b5540fc191f0bfc5ca8d08520d518e1c1dba4f6bac361ed0d0ad6e
7b9cb016fc6b64347160a352dae8e2c1b501f46d651fa8ba510911cc283e2d14
dddf2b2a8c33711b013388be3e01b132738e15919b2396ad632592047eb677a5
c8d346a0d9dcdcb921a659ac9338e9aeff89e9b9e5513bc61a0d358a41a3d7a2
fd186c526a1db0687e167ad92714309ba2f622661facd64c2ea2b988204401b7
4c08f8d77f5f5c84d67fdf0a51122aee3d46d8e78e988247d1afba570d6dd635
8d33c4fde4a3e19fb5a339193836d3a538c3ee709ca7efba6fe491a64680ee18
4094d87ec10dc1c930f041f1b6541fa2972f07fa3026ab6c689bb721d6440160
6e06d87060a7873a05fa95443f075fe05e49c8ab8189a570033a7dd5bc5acc0b
3ddc9073f90b9afc0ca6f2cceaa102bb44f89e421f2b1a03ce8104e6b7108209
2eda060aecf449871d3727f48dc3decbbc51574cfabf11dda96858c11b47a28d
af8a8538d5a6b64cb54599e62a91919ebd8043102e768a55c9a66fa29849018c
939e3446fb4cdcb4ff509634f401167a18275851bf7fdfc7d33de7b4f2077c7e
e5b2dbeb9458d7b686e9feaa81b8de24c348af81313dae5f50fd98a31defc44e
eb172af483fb9d1e49d9248c596b3c9509a5242b3ab97e8f5c1c1b6eea7db6e3
d69639d8748700e69c1b27f3a78d28ae093da8631a80691e2d91615a57c5e3f9
a6f1f5bd70df52b1c12b29d133d94a892b4b654aeb57c25b958e0eec2a698626
5471afb5e524e60de857ea9636cd2197d5d936ad62697a5245d6371a84cc46c4
a42fb35663dabe8ff2959cc8be2082a288681b3ac8ef2c772c1e7b356dcf432a
9c21afd731160bde19d988b015287e37c11337578767bd4f0bedc4359c7dba77
276b94ddf860ae055c5bc445f7c99e714229cf2cb5ceded9fe2b41849e72064e
6b251b357a4ff2ff8fc367c082918f11872bcfc6ba6b69059c0d876de53337a7
208f0af12ef5b3bc47e552804e7cf255b56044b025c88ffc2f6bba4cd3576362
2b1e80f669c3006adf86cd9314a06c46c5ce71ee8bb56d343a1a6a3b26250c64
4c02dfabc290e94364fca573f0e2a9631eb5042e4f6881d2b9b0784f0e7235da
fb2bcf07adb62ba76d441eae8ea5adbbc37dc4d5dea66e5fd1ab85c06fbf3efc
7e847076f8560068061420c672135ddcc99341b0ce5d80b5c98f234269d55b3a
d9550d4c11681861c7596334d1c63398826b790751aede4f68edb3f605f627a6
8fc201090d34fb3d4a9d1dcddee20c0acbd0c389051d7e5d5a0636c77868e72c
016bafa425a7059d11b7fe26ab27ee2a67856ce0ca69942822d67477c51370d9
cb8ad948a9808706d763691a202b5ffe8cb2a3d4188b0782a0605fb85956a0d6
388db14e9fdbe65fadf429c08b9cb8d32e806105736a16f97a79b912f13857a6
9c0151a17e929d6de857367cb47fcd146713b5a73a54a7469a8d3ca5cc7bf3d2
ed707049234c4794563e0232662dfa73978a532cdaf08beb3b6fc0db0e1b2b08
3451be7dc55538d44ff27d0fd349df6fa954bcb1b235da5e4df60f80d825491f
8c1b19d81a6f571641a9dcc1ac6b88302d1d06f1e1c417b4d01e618c58c80135
7b618b6ec494159dedf18de3074fe60a8571bd69f714a457ea3e10637f61d0aa
9c8271340f2dacad0ee15a97d9db831eab0928bca99b17d2733f2ae82d41fa30
e79c8fe1cf16c2d54a6f5115fc89113befba1a26f827a5ce05e56e8512bc85af
f4969695d2254e3942c65ea612d8081c9e03721c7df77c42dc83994119581e8a
a3f5cc3d35bc13597d7d7b9776e0f0e597f00dac3e6cc4c6512cd180019294e4

SH256 hash:

e4d293050c57b298b450b7c6d45e90287f388292f78a2754bdea4043b7e9a230

MD5 hash:

3d7d8c30d3a416e8727d0451153ec92f

SHA1 hash:

a6f795e4dfdab3591af68a9be15169edb0b0bbd9

Detections:

INDICATOR_EXE_Packed_VMProtect

Link:

https://www.unpac.me/results/959284bd-d0bf-4268-bd27-b9a850e1bd68/

SH256 hash:

44b8e6a310564338968158a1ed88c8535dece20acb06c5e22d87953c261dfed0

MD5 hash:

9c8886759e736d3f27674e0fff63d40a

SHA1 hash:

ceff6a7b106c3262d9e8496d2ab319821b100541

Link:

https://www.unpac.me/results/959284bd-d0bf-4268-bd27-b9a850e1bd68/

SH256 hash:

4dc09bac0613590f1fac8771d18af5be25a1e1cb8fdbf4031aa364f3057e74a2

MD5 hash:

0ee914c6f0bb93996c75941e1ad629c6

SHA1 hash:

12e2cb05506ee3e82046c41510f39a258a5e5549

Link:

https://www.unpac.me/results/959284bd-d0bf-4268-bd27-b9a850e1bd68/

SH256 hash:

a4c86fc4836ac728d7bd96e7915090fd59521a9e74f1d06ef8e5a47c8695fd81

MD5 hash:

4ff75f505fddcc6a9ae62216446205d9

SHA1 hash:

efe32d504ce72f32e92dcf01aa2752b04d81a342

Link:

https://www.unpac.me/results/959284bd-d0bf-4268-bd27-b9a850e1bd68/

SH256 hash:

22ec3a1640023d19f1478d37e7e465d2f68204270f589dbaddbba81694d03eee

MD5 hash:

3cbc030b945c954756b8981f0852f701

SHA1 hash:

ca782b51f385f7645dd77a165f2009757ea3bf60

Link:

https://www.unpac.me/results/959284bd-d0bf-4268-bd27-b9a850e1bd68/

SH256 hash:

875e4f138ff8a571d887037705025a67fed32fff3f951efbd609422168a11f10

MD5 hash:

82b12dd5850bd5b132deb9237c59e6a2

SHA1 hash:

981e12fec7c2e1555575ff232d1d37f4320d8611

Link:

https://www.unpac.me/results/959284bd-d0bf-4268-bd27-b9a850e1bd68/

SH256 hash:

6d87f0a7ee38875234467dacf91b3458b3e57acf3eb23e9a16bfd3de70261638

MD5 hash:

e2e0b6451564343bfa2019f68c3ad471

SHA1 hash:

42b28ac1c8f243eb8431322d0e3b06585fc19feb

Link:

https://www.unpac.me/results/959284bd-d0bf-4268-bd27-b9a850e1bd68/

SH256 hash:

59f86278cda073f0cd89f83d828ce695a032eea920860831564d862fcf665455

MD5 hash:

f249f8461b2b1cbd81102b38a1de365e

SHA1 hash:

6e5f8253a4ccedfe77538a107f0297aa9fe3fd08

Link:

https://www.unpac.me/results/959284bd-d0bf-4268-bd27-b9a850e1bd68/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Socks5 Systemz

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/59f86278cda073f0cd89f83d828ce695a032eea920860831564d862fcf665455

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_EXE_Packed_VMProtect Create hunting rule
Author:	ditekSHen
Description:	Detects executables packed with VMProtect.

Rule name:	MD5_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for MD5 constants

Rule name:	shellcode Create hunting rule
Author:	nex
Description:	Matched shellcode byte patterns

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Socks5Systemz

exe 59f86278cda073f0cd89f83d828ce695a032eea920860831564d862fcf665455

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/2801789/

Delivery method

Distributed via web download

URLhaus

https://urlhaus.abuse.ch/url/2795657/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (HIGH_ENTROPY_VA)	high
CHECK_NX	Missing Non-Executable Memory Protection	critical
CHECK_PIE	Missing Position-Independent Executable (PIE) Protection	high

Reviews

ID	Capabilities	Evidence
SECURITY_BASE_API	Uses Security Base API	advapi32.dll::AdjustTokenPrivileges
WIN32_PROCESS_API	Can Create Process and Threads	kernel32.dll::CreateProcessA advapi32.dll::OpenProcessToken kernel32.dll::CloseHandle
WIN_BASE_API	Uses Win Base API	kernel32.dll::LoadLibraryA kernel32.dll::GetSystemInfo kernel32.dll::GetCommandLineA
WIN_BASE_IO_API	Can Create Files	kernel32.dll::CreateDirectoryA kernel32.dll::CreateFileA kernel32.dll::DeleteFileA kernel32.dll::GetWindowsDirectoryA kernel32.dll::GetFileAttributesA kernel32.dll::RemoveDirectoryA
WIN_BASE_USER_API	Retrieves Account Information	advapi32.dll::LookupPrivilegeValueA
WIN_REG_API	Can Manipulate Windows Registry	advapi32.dll::RegOpenKeyExA advapi32.dll::RegQueryValueExA
WIN_USER_API	Performs GUI Actions	user32.dll::PeekMessageA user32.dll::CreateWindowExA

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample