MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 63c666636e07e95e5e56ccb4e92db6dc350986bc4fcb401975dbae538aa73d15. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Socks5Systemz


Vendor detections: 11


Intelligence 11 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 63c666636e07e95e5e56ccb4e92db6dc350986bc4fcb401975dbae538aa73d15
SHA3-384 hash: 7f2147693a25d0bd6fc21400344ff54ee7c05448410f8c8cf9a6450d287953b245b3ad2545368b65f3f77abbd47efd48
SHA1 hash: 12c65adfa60de424dbf2aa0a1cc6fba9b25063bd
MD5 hash: 8e3161bdec7310b024db91255398f39e
humanhash: low-thirteen-tennessee-green
File name:file
Download: download sample
Signature Socks5Systemz
Create hunting rule
File size:638'975 bytes
First seen:2024-04-01 21:43:41 UTC
Last seen:2024-04-01 22:26:10 UTC
File type:DLL dll
MIME type:application/x-dosexec
imphash 99f735f47b2cd370c9d9f10c289154e0 (1 x Socks5Systemz)
ssdeep 12288:2jsgiZdvAeRw3+aXHv50cCleBqq2cvpzwnAmvRKLiTOkkRpZHD0kmiIjcBDfg5En:ksgwdvAOMP50cCleBqqzvp0nAmvR+iTs
TLSH T175D49EB13A0BC1FEC35A0474E853A603C57857F18B64E646EE6C7C7CCAA34A571D8789
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4504/4/1)
Reporter e24111111111111
Tags:dll Socks5Systemz

Intelligence

File Origin
# of uploads :
2
# of downloads :
356
Origin country :
GR GR
Vendor Threat Intelligence
Result
Verdict:
Clean
Maliciousness:

Behaviour
Launching a process
Moving a file to the Program Files subdirectory
Replacing files
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
anti-debug lolbin packed shell32
Link:
https://www.filescan.io/uploads/660b2aa4d463a7b04779c8f4/reports/edf4e797-0a40-4d0c-b43f-9e1c434667a8/overview
Verdict:
Malicious
Labled as:
Malware
Link:
https://www.hybrid-analysis.com/sample/63c666636e07e95e5e56ccb4e92db6dc350986bc4fcb401975dbae538aa73d15
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/98f7603e-3aa6-4833-a995-b154be5b336f
Result
Threat name:
Socks5Systemz
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
84 / 100
Link:
https://www.joesandbox.com/analysis/1418390
Signature
C2 URLs / IPs found in malware configuration
Contains functionality to infect the boot sector
Found malware configuration
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected Socks5Systemz
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1418390 Sample: file.dll Startdate: 01/04/2024 Architecture: WINDOWS Score: 84 21 Snort IDS alert for network traffic 2->21 23 Found malware configuration 2->23 25 Multi AV Scanner detection for submitted file 2->25 27 3 other signatures 2->27 7 loaddll32.exe 19 2->7         started        process3 dnsIp4 17 bxtrwue.com 45.142.214.240, 49737, 49740, 80 ALEXHOSTMD Russian Federation 7->17 19 88.80.148.19, 2023, 49738 BELCLOUDBG Bulgaria 7->19 29 Contains functionality to infect the boot sector 7->29 11 cmd.exe 1 7->11         started        13 conhost.exe 7->13         started        signatures5 process6 process7 15 rundll32.exe 1 11->15         started       
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/63c666636e07e95e5e56ccb4e92db6dc350986bc4fcb401975dbae538aa73d15
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/63c666636e07e95e5e56ccb4e92db6dc350986bc4fcb401975dbae538aa73d15/
Threat name:
Win32.Trojan.Zurgop
Create hunting rule
Status:
Malicious
First seen:
2024-04-01 21:44:07 UTC
File Type:
PE (Dll)
Extracted files:
1
AV detection:
19 of 24 (79.17%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=mpdgmy3oa7uv4xswzs2oslnw3q2qtbv4j7fuaglv3oxfhcvhhukq._file
Verdict:
unknown
Result
Malware family:
socks5systemz
Create hunting rule
Score:
  10/10
Tags:
family:socks5systemz botnet
Link:
https://tria.ge/reports/240401-1lf53sga3t/
Behaviour
Suspicious use of WriteProcessMemory
Detect Socks5Systemz Payload
Socks5Systemz
Unpacked files
SH256 hash:
63c666636e07e95e5e56ccb4e92db6dc350986bc4fcb401975dbae538aa73d15
MD5 hash:
8e3161bdec7310b024db91255398f39e
SHA1 hash:
12c65adfa60de424dbf2aa0a1cc6fba9b25063bd
Detections:
Socks5Systemz
Create hunting rule
Link:
https://www.unpac.me/results/63144793-9b91-45b0-bf5d-5349b9c96c3f/
Parent samples :
320ccae2e9ae546c56193c24cb12cc54f29a872c08856cc143294dd2cf8a170d
63c666636e07e95e5e56ccb4e92db6dc350986bc4fcb401975dbae538aa73d15
c93e81abbf5a6cf82a908f3842bbd6a6df6e88457b3ac23702ff76f2c8fdb6b4
60185ad4f1d262dca113cdfcc63ff8eeeb576782adbe31d9aa4b10dc73c34109
224d54592663f9d211560fb295f3d21bb1297476a8d8df637a57a3abf7202e41
32c17a77987a902148db02445c13fde9f55a4df1d669cf1b071f41d2c2aaa348
44a806d2a1986c2751af875e9f95fe6092ff7defd3a41475d2bda32b8762d2eb
1bb97aa3463c4b741ab5d636af84f14ee885d617995af9992f7c50eb5a6e0f1e
bd27daccbe097bfd69d9662b43082ffb399bdc22a96755842d211d87e8742635
8bc054584ee3b66aff2b8cec6800ea984321036528668ccc3ac1defef08ac581
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/63c666636e07e95e5e56ccb4e92db6dc350986bc4fcb401975dbae538aa73d15

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:maldoc_getEIP_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
Reviews
IDCapabilitiesEvidence
DNS_APIPerforms DNS callsDNSAPI.dll::DnsQuery_A
WIN32_PROCESS_APICan Create Process and ThreadsWININET.dll::InternetCloseHandle
KERNEL32.dll::CloseHandle
KERNEL32.dll::CreateThread
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::LoadLibraryA
KERNEL32.dll::LoadLibraryExW
KERNEL32.dll::GetStartupInfoW
KERNEL32.dll::GetCommandLineA
WIN_BASE_EXEC_APICan Execute other programsKERNEL32.dll::WriteConsoleW
KERNEL32.dll::ReadConsoleW
KERNEL32.dll::SetStdHandle
KERNEL32.dll::GetConsoleMode
KERNEL32.dll::GetConsoleCP
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CreateFileA
KERNEL32.dll::CreateFileW
KERNEL32.dll::DeleteFileA
WIN_SOCK_APIUses Network to send and receive dataWS2_32.dll::freeaddrinfo
WS2_32.dll::getaddrinfo
WS2_32.dll::WSARecv
WS2_32.dll::WSASend
WS2_32.dll::WSASocketA
WS2_32.dll::WSAStringToAddressA

Comments