MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 68164c23548ba6933c0eba0d3d014c88edaa8d644dfe0cbb2a0bf00752dc21a5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Socks5Systemz


Vendor detections: 12



SHA256 hash: 68164c23548ba6933c0eba0d3d014c88edaa8d644dfe0cbb2a0bf00752dc21a5
SHA3-384 hash: 7ac9d8d408e934922ca5567006d24578f28161f2d4ce8febc2567f805a4d97450d7640910e5738ee650d6cbdeebd38e6
SHA1 hash: 9f6412f9e99b77af5d9f2bd332bebc1d9844130e
MD5 hash: d7cf425dd04646c26cef205d6d9e801b
humanhash: xray-louisiana-oxygen-tennis
File name: tuc4.exe
Signature Socks5Systemz
File size: 7'489'713 bytes
First seen: 2023-12-12 14:36:46 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash 884310b1928934402ea6fec1dbd3cf5e (3'725 x GCleaner, 3'455 x Socks5Systemz, 262 x RaccoonStealer)
ssdeep 196608:wxm5D5YUyRe7VvZKwamjGKAVW7R+gSoASGm8PvsLMwzj:GRepZKwaS79SoASGDP0Qwzj
Threatray 2'858 similar samples on MalwareBazaar
TLSH T17A7633C43381D512D9A4CDF1F6CBAA75D767BEDC3C290A5430EE2E870B626DA8245F81
TrID 80.0% (.EXE) Inno Setup installer (107240/4/30)
10.5% (.EXE) Win32 Executable Delphi generic (14182/79/4)
3.3% (.EXE) Win32 Executable (generic) (4505/5/1)
1.5% (.EXE) Win16/32 Executable Delphi generic (2072/23)
1.5% (.EXE) OS/2 Executable (generic) (2029/13)
dhash icon 00f8dcdcdcbebe00 (621 x Socks5Systemz)
Reporter Xev
Tags: exe Socks5Systemz


NIXLovesCooper
Downloaded from http://never.hitsturbo.com/order/tuc4.exe

Intelligence


File Origin
# of uploads: 1
# of downloads: 237
Origin country: GR
Vendor Threat Intelligence
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a window
Creating a process from a recently created file
Creating synchronization primitives
Searching for the window
Searching for synchronization primitives
Creating a file in the Program Files subdirectories
Moving a file to the Program Files subdirectory
Launching a process
Modifying a system file
Creating a file
Creating a service
Launching the process to interact with network services
Sending a custom TCP request
Enabling autorun for a service
Gathering data
Verdict:
Suspicious
Threat level:
5/10
Confidence:
100%
Tags:
control installer lolbin overlay packed shell32
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Petite Virus, Socks5Systemz
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Signature
Antivirus / Scanner detection for submitted sample
Contains functionality to infect the boot sector
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found API chain indicative of debugger detection
Multi AV Scanner detection for submitted file
PE file has nameless sections
Snort IDS alert for network traffic
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Petite Virus
Yara detected Socks5Systemz
Behaviour
Behavior Graph:
Behavior Graph ID: 1361114
Sample: tuc4.exe
Startdate: 13/12/2023
Architecture: WINDOWS
Score: 100
Top-level signatures: Snort IDS alert for network traffic; Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for submitted file; 7 other signatures
Process tree:
- tuc4.exe (started)
  - dropped: C:\Users\user\AppData\Local\Temp\...\tuc4.tmp, PE32
  - tuc4.tmp (started)
    - dropped: C:\Program Files (x86)\numGIF\numgif.exe, PE32
    - dropped: C:\Program Files (x86)\...\is-RUCS9.tmp, PE32
    - dropped: C:\Program Files (x86)\...\is-NNKUB.tmp, PE32
    - dropped: 56 other files (none is malicious)
    - signature: Uses schtasks.exe or at.exe to add and modify task schedules
    - numgif.exe (started)
      - network: ebbykue.ua 185.196.8.22, ports 49734, 49737, 49739, SIMPLECARRER2IT, Switzerland
      - network: 95.216.227.177, ports 2023, 49735, 49736, HETZNER-ASDE, Germany
    - net.exe (started)
      - conhost.exe (started)
      - net1.exe (started)
    - numgif.exe (started, second instance)
      - dropped: C:\ProgramData\M74Bitrate\M74Bitrate.exe, PE32
    - schtasks.exe (started)
      - conhost.exe (started)
Threat name:
Win32.Trojan.Generic
Status:
Malicious
First seen:
2023-12-12 14:37:07 UTC
File Type:
PE (Exe)
Extracted files:
5
AV detection:
10 of 23 (43.48%)
Threat level:
2/5
Result
Malware family:
n/a
Score:
7/10
Tags:
discovery
Behaviour
Runs net.exe
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Drops file in Program Files directory
Checks installed software on the system
Executes dropped EXE
Loads dropped DLL
Unexpected DNS network traffic destination
Unpacked files
SHA256 hash:
ff42a2c9888a192727fb313d55c5add1f19c6857073adc4f21d197172f62b364
MD5 hash:
b51fd3392370caa617359bc98705b716
SHA1 hash:
f06e5c93e297ee0a9f0db342f3211639ae457ade
Detections:
INDICATOR_EXE_Packed_VMProtect
Parent samples :
8a272a97a90942d44d3eb0318c0117ae5d00131362057efeb0e4102f3be56225
5eb127ae2592ea15b9b77b158a3545b21db6e9d1e2f778a6eaee08846d6a1b96
38421ba7febc86f3aa01e3ea7bb8c4df120a475853b28965893616874d9af816
d5529343798af623f3b8ec9d36ada7f0f7631b6c4948e230e02bfa1b6fa2e0df
79ef1ced91bb957d5df5f929743fd2497e593c96fee3872b0799aa11c1a46674
9aa0ef1a32c41a0d8312d2eec8bb3babb52a46dd86335dcc30771c4626bcbd8c
5731c0d01cffdba13b859214da517b204043008c544d01a6fa13e9ac745a4247
559f8a7a1f4c0ccc7cd6cab1e2bac13a84131ac668a07a9bc71dc447268c00b7
f6909e4f1face440239e3830a75c2ecce9689f19167bda1f81aeaa0e240be01f
bb229ce945317f784599e1bcc255049641d0f902c80fcf2b68fb65ea247aacde
2d3d35989dd4598f5313a4287c065590958175aafe4be3dd0b92dd3f733995a0
802521f654bea747356d1ca36ea2e860949185b6d539b32e957ff91f7492b2a8
5729ad05362b4f632f274664711474862d4c5269a5447ca7c02e3a587bc1b301
d6131519aef4aef86f6c2080158b0481cb6e96511487705facbc57346582f400
c87938f6f5edecd3a65a04bc9527f8a1fde10f6bf6a385ac7942c264a1f4efa7
2ca831f1afaceb1eb7a66609f5bfea02b03ee27c3366d8cecacbc0653334966e
a6823a39dd28d65d82b73705af30cac57087f92a70d721c799773b7709a24e91
e5bc7de1eb5915db54679a6de4fe2a302a99cdc87ab2b80011d928f3a49d2bfb
1af3bfbabcd9d2c6ef589fd17d029cd8daa7596621c37ea5aa24552a8485bc6c
48e633cb377a20a39ef1a3d7b5c15c263daeaa95d1f4d0be7f9030df12abe70f
68164c23548ba6933c0eba0d3d014c88edaa8d644dfe0cbb2a0bf00752dc21a5
8ce99cd184067a933b71ef030f4fa696b50c256b73e42dc9a0e697ebad0fe702
21508ee2b3e8995d1b782b7cdedf91e2f63b8b126d40f22a4a781d5cf0418e81
b83690afdf5bac80c940951e5e19afec9b8411c59750a8880ae51e6cc69001de
398d131ce73ad5291e6fb7f732ee44e8eb1fea05f93f5e421885abe8a54ea18a
1af367c3c156ceff0dc8ffc25f3db8b9fc879a79339e73e67384d45ee618932c
83bcb86e029f4ab12fccc72706ec8239286003db7a5a3e4a95c16b6819086bcf
7c8b35ec69f562d8b7b06e015b4cab853bcee0819fa2385c25f2e55cf3b848aa
cb5cc7fcd4a9dfc522cc414e75ecce4369a07af7a4be8080470f8237748e7c8e
794c500bd84cb5d36826be47ba7e4d76b5bed57e55c7a7e9e6c68c94e3669f51
7ce27289f077dd7cea77bc9c8a20921eb86f43d5a9d06c148ddf5ae3f7f665aa
4e9620efa18e2fb509aa4e39b59be92954b3775f868852e12a5c677a1f72a51f
ce731aa7b4731298b8ed9d8634b43212c7dfbd1d4f5c47ece06734bef5e56fd8
91878be4457eac9dcff2156241aca4f50b351132422e15bcaa4428682d671e17
3f4e46843be8925558c9006b005906b1404fd8b38b768d39a98b3a88a19595ab
ecb5593477e7093e37df7bd7fec18603bcc6f787f6e66514c8b1984ff21ba586
3e9c8aef158198c51df68002b5ff977924b89f1896ecd9712e0d5f054af817af
75a382343dd9ec0f951bccb680926ed6f8271461639081cae97266159a610cef
c701b6503b3760e34ea984db7b62d2c113351dbdac74959f6c80c2e050650f6d
41a41dd134c5fe9d1d4fdfff35104354d7c8e51e7fa95c0ae9c7beb3f09b5900
06b6f4a28463d3ceed76b84721775462c9b74f61f7ca46e364228010dc020064
477e5b9ce28080ef08fcf97f79d0d2ed75f0ce651dabaada381b72c7d311c7e6
38bd3e97de69e66e91dedfd2db6e191e9c8123c230deecb8f82ca048f2fac90e
5ac1b68b5fb4e296bfae7e9064d98fdc7bb595cc8ce29b07682777c3fe141aa5
aa66499493a960b1a5f4694efca81798f779240e2d5e63d41e2e4461c9d2d5c4
9c852b078942263527d52bac843d2ca0ea7bfea0c02528b7c3fbe03c6b635baf
7a79c7f992adbf6ed46e7040aac59c1f03cbcc2b8a6b0c1038d9c224c06d8818
9c207782b404a5a6220933f11dcfbda6e3e7d26c35874296ee437f9a76d49443
72cb051b8ab0fd53c7c7c0ca35b81579f588a191aab4a55b7398637fdaa6f331
d65f865d5330394c5b20d4432c31bcc2f925e275eb357d0881c63cd05e6fdada
54789759d40d14214323a485519ba20aa78c5d364aaa7f676d44e4727d57715f
101f2bdf85328178ac94031a27ef1b1a0338951bc270036573030d046201dfcf
2cb5e8b2cd1bcb34b5ea2cf8f62e89119bdbea5f6a0a2cd18860f825a7073201
ea63119b7c21b5ceec1f4d146df0ee3ed4d90c5bb41a21eff5c3079d8cb5a16d
c2cbf29a2107362ff4a65c41b27b205fd73fe40959aa630c25a82954c54781b4
39d6ac7e43895ec98409dc38881d057b6f4422e205006b50e269eadd9ab7da17
4a7f9e5a8af4c2ad68203995e747531d8c4eb72436680f16f283cb6e80dd3d5e
7fedb2c8dc0caf746cd69b016aeac3f53cb1cb49c6dfe7367072a926a3388b7c
2b1fa98c699392045da405a7f2e33df8387397401ab06f7327c395bb16bcad69
75c97166f96f45c5afa3a37acc96c44d4f94f32e74723e3576e95e14b0a47289
2bfaa364d06c51f6dbae5c629d39b45a8a06caff3dac71ea630cdd791592325f
2a15da463ae2142e8e9e6f0f79fa0088b5e17e87fd434622c6c753af55a0b9d0
3feb223bc3245a04f3d3cc8cd613f39c118512e17be6a9afe2296fb50e28863f
4ad989f7d8b44927ada4033254851c6fef88ad7ce0e6c52edf363790fcf5def0
a0c7120694373df2e474bd7023932fc5d9b8194444aa8b0129c14f7e33add208
4aa9a19c79138c4aa47503b4f10ea4ac457084b07ce6175bc9e63bfb0b90681f
7d7dd152ebe74754796dc285970b9184ee46a5701a43b023f682eb7f6c605e0a
5f1f654923f83330ebb046aeaafaebdf473fd9d206d0959474f86447ec8fe4a8
64fe27a4499c35a704042eecf210105b62f4bafaaab4f54748786fe3b2baff98
fb7ede2ba292512a36b8e14d6008ae12ba004ee504042f83bddaaf7a896d0591
39902e346ffc1fd1c54beff8d830ab6bfc3dfb1dff4f8918cf98a03088556adc
76ab7911952fe4bd7e9d1485252e5881e3465b2f0d520dddb98a9749da01b9e0
b88a56ce3ee875f05f7dec7204e75fec219bd125a4740f31fe8dec56a0a6f46e
5d8697a5af2bab9d9a0743b1a6e3e57e12e10e5f527efda07b7259b9dc2ef1f1
59f99d97a139c77c9fcc26e8768f0c86aa8d98bc3546e0b8358e382712c7d49b
a4ef97ae985dcba4e8bff93e04732df48f1f92d59a608207113956cbc69b2137
12c04e03a6a84c545eeaa9f82d15c7adba73d5893c2bce4a1dabf77cbc98242d
6b9fea3b8a8bc51ade3066b55faf175386216ad3e9de4153d2a5486b18df069a
de639b3acc286d67240780e05e87b7725f3f4a6260b9e3ebe3dcf1c3bb478b9d
3dc13375ae54df3d02fccf040ae2a9c824d9b7e6e4f4c7d53deaa74bbe475c46
5aad783c3022428b09f1a37dc9ad2cb5261a31dd7e8b6a935124fd0b473a28ad
743e7330fcb97b0af4c3233c71e67e95cf6229fbc75e087c8f2d8101ee283d18
03d077483d23a5f0f5c6726d84a1f4fdb8054be356b3c78aa3e40d5b28daf9dd
9adc96b2873039384b1c7cebdfa9f92d09786c2c4a0386cac0444980c784281a
b54b24c1b607ea4eb5db107906ac87a0135ec067892660a314ff855a44572285
610340ec5f637257a32c81ba53a438568e08a4a13009c1f8f9176ee9ae81b326
fae00bff20dd434d37e1bde43b95310d20b05faf6bc5723aaa02522a298145a7
1b48c0918345b9095010f8b1767afac988f4af4c23bf8d9afeb09dc11385798a
23a678a0190d368f26b65b66eadc4c8512adda9fee9aa6cee69d126a39ab7247
44d9a04872edb6335d0b0047df6f3df616d8871d87a973fd360ebf6c5afbaf26
c73dcf2c962b21f9bdcbb22ec451e334c542e8f382cf2821bbb42608240161f3
ad8f7af6b0a2b700d9869d42c528c046448949a203f02e4b8ccb9da10b53142c
990df9f8e7b37bf3e71d75214410ad20bc1371bb1c396981cecd0c4a90915532
93f61a82f5107cc8c54a5d90cb00f04b95cb4b14a37956a4ee02d173b752089f
57de10f8c4f394e9df9e96acd038c227a93352ee223c8ac75d0202358b0dbf49
fc9e8e9c3b78e02e14a60d731f85772a62c84de9c3bceba2d3f59f1c121af885
08d1cc3404fbed8bdef533890fef313fb49fc8bb54ad84b7f5fcbc940284602a
b776694e9dc76bb381b91cb620d31f36d61be9d1c3a6c444dedf763a0b5e3b2f
3c664a84c72d0c180c261ede1e29eace7d7ea16a361920332562a5fcc99f5146
a3bd33cae1a1b78b01ff0ec46b5aad4d79255634b6ef3d2c1ca128daf1397e7a
c4028eaa38e6d2b69a3185701a83b9c19f2f1b0795566f63b4832d1ff0f97e71
279747e5bff04a79ae9dcfb6e7d4d30c1516c205c49ef7fdee2b2c107ee457dc
c32f36eba0d7801f7d407ff9cb3f39f2fe51643b3ec6421437383b3ed5bf070e
32adb45540473f14063ffc15e00ff16f0c436a59be13dbfaa9c0373aac40997a
4406a142438c583c0c626c2e64014756ca6a73bd9b022b4d15ab75ad0c83232c
b65e6e2d99156ef8762b28df62edd1463722bad826dba5fea7822516d232f2a6
44fd0525d007145c953745efbb134640e3f930388331930d808f805590dc41ea
6ef9ae761dbf33f36355b3c5d5614e087402da380b0676c5cf1d20a31c138122
39ea1244b02486b27c39c1cb2f44db12d107c91d35c0d01b7e1c5c4854a988b4
13514be65242215ad595071ff069849da7c9bb6fc88fc1f4524669731c38ccec
9e652d86019bc3bcebf4a49da2cf9acff2829e0b087e5bfe795538183e2e1723
bc8104f1772b4536066e79a22be6312a3ae73529d0bb7b6cad5334aa27a89f12
7a4f5e18663f7ea50ea5ed97ccde2bd8ea64a1bd27039d39567440cf68e73093
fe7d86d239642e4ca067ce2759d00d85077f6d87921e8a288719e9b46c6d2f7e
86f42efe3cd0a36e6ad292b70e06a40db0fdb96ba89a00ac8b14627d494d6a4e
SHA256 hash:
f81487719ee9e78ff54537b915e1c150af1a3468676821763636643b555b0cdb
MD5 hash:
851f11c47b21a6f18ec43b291577553e
SHA1 hash:
d8330e631a7451f331247fb4a6b81d528c737a74
SHA256 hash:
8286d199a3be1de1a3c208b1f35cfc9a1f69b82fd70e7941750f50d1fd9be5bd
MD5 hash:
d36c3493e40c710702756009acdedc69
SHA1 hash:
f9a4eccfa441690ba951658b522d2bc7bdf55941
SHA256 hash:
5d3a84ea23f2fd586e8958268e77cd52fb66fdc509e0984bffa806e92d2c98e0
MD5 hash:
af98efbea989fa1e98ff94b33e4d6f11
SHA1 hash:
75330240cda9b05ab58aaf23fd75bf43f4d8fc14
SHA256 hash:
68164c23548ba6933c0eba0d3d014c88edaa8d644dfe0cbb2a0bf00752dc21a5
MD5 hash:
d7cf425dd04646c26cef205d6d9e801b
SHA1 hash:
9f6412f9e99b77af5d9f2bd332bebc1d9844130e
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_VMProtect
Author:ditekSHen
Description:Detects executables packed with VMProtect.
Rule name:MD5_Constants
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:shellcode
Author:nex
Description:Matched shellcode byte patterns

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments