MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 69b153cd6176d790d2aae37ccc5600bde475a0eca6d1f6f531a1e040d44bccd1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Socks5Systemz


Vendor detections: 15



SHA256 hash: 69b153cd6176d790d2aae37ccc5600bde475a0eca6d1f6f531a1e040d44bccd1
SHA3-384 hash: 9d926a102d7bf1b32d656b6e0704b6eef14f5506c4e9db88958b05b9f27341016784f73cfdf902120e7d0e20ad36ba54
SHA1 hash: 018b6c066c915ba37616661f86c09e453d58fd66
MD5 hash: 72025394a2450241bce7df7e305cd07b
humanhash: black-saturn-oven-potato
File name: file
Download: download sample
Signature: Socks5Systemz
File size: 5'120 bytes
First seen: 2024-09-27 15:50:25 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'610 x Formbook, 12'242 x SnakeKeylogger)
ssdeep: 48:6iHpgJkhMKfgrJ/J4KK4SRcMnZbECSaM7/ttOuliL/qXSfbNtm:TH+zCgdinZbq/Z0LxzNt
TLSH: T142B17301A7F8062BE276877819F3430223B9F756CA63874D64E8232D2D357504C43EBE
TrID: 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
      10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
      6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
      2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika: pebin
Reporter: jstrosch
Tags: .NET exe MSIL Socks5Systemz


jstrosch
Found at hxxp://103.130.147[.]211/files/2.exe by #subcrawl

Intelligence


File Origin
# of uploads: 1
# of downloads: 383
Origin country: US
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: file
Verdict: Malicious activity
Analysis date: 2024-09-27 15:57:07 UTC
Tags: loader opendir stealer cryptbot lumma adware neoreklami xor-url generic

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict: Malicious
Score: 97.4%
Tags: Execution Network Stealth Trojan Autorun Gumen
Result
Verdict: Malware
Maliciousness:
Behaviour
Creating synchronization primitives
Sending an HTTP GET request to an infection source
Creating a file
Connection attempt
Sending an HTTP GET request
Creating a process from a recently created file
Creating a file in the %temp% subdirectories
Connecting to a non-recommended domain
DNS request
Creating a window
Running batch commands
Creating a process with a hidden window
Searching for the window
Searching for synchronization primitives
Moving a recently created file
Sending an HTTP POST request
Launching a process
Creating a service
Launching cmd.exe command interpreter
Reading critical registry keys
Connection attempt to an infection source
Enabling autorun for a service
Stealing user critical data
Enabling autorun by creating a file
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: anti-debug evasive explorer fingerprint golang installer lolbin packed schtasks sfx shell32
Result
Verdict: UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Clipboard Hijacker, Cryptbot, Neoreklami
Detection: malicious
Classification: troj.adwa.spyw.evad
Score: 100 / 100
Signature
AI detected suspicious sample
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Contains functionality to infect the boot sector
Creates files in the recycle bin to hide itself
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Drops large PE files
Drops PE files to the document folder of the user
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies Group Policy settings
Modifies Windows Defender protection settings
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has a writeable .text section
Sigma detected: Invoke-Obfuscation CLIP+ Launcher
Sigma detected: Invoke-Obfuscation VAR+ Launcher
Sigma detected: Potentially Suspicious PowerShell Child Processes
Sigma detected: Suspicious Scheduled Task Creation Involving Temp Folder
Suricata IDS alerts for network traffic
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Uses cmd line tools excessively to alter registry or file data
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Clipboard Hijacker
Yara detected Cryptbot
Yara detected Neoreklami
Yara detected Socks5Systemz
Behaviour
Behavior Graph (ID 1520655; sample file.exe; start date 27/09/2024; architecture WINDOWS; score 100)

Network indicators recorded in the graph:
  fivevh5ht.top (84.38.182.221, SELECTELRU, Russian Federation), contacted by Channel2.exe
  www.rapidfilestorage.com
  176.113.115.95 port 80 (SELECTELRU, Russian Federation), contacted by file.exe
  80.66.75.114 port 80 (RISS-ASRU, Russian Federation), contacted by file.exe
  behxbse.com (185.208.158.248, SIMPLECARRER2IT, Switzerland), contacted by gerdaplay3se32.exe
  89.105.201.183 (NOVOSERVE-ASNL, Netherlands), contacted by gerdaplay3se32.exe
  127.0.0.1, contacted by svchost.exe
  7 other IPs or domains at the top level and 2 other IPs or domains from file.exe

Dropped files recorded in the graph:
  C:\Users\user\Documents\stories.exe, C:\Users\user\Documents\setup.exe, C:\Users\user\Documents\dl (all PE32) and 3 other malicious files, dropped by file.exe
  C:\Windows\Temp\...\OmqQCLf.exe (PE32) and C:\Windows\System32\GroupPolicy\gpt.ini (ASCII), dropped by Install.exe
  C:\Users\user\AppData\Local\...\Install.exe (PE32), dropped by setup.exe and again by the child Install.exe
  C:\Users\user\AppData\Local\...\stories.tmp (PE32), dropped by stories.exe
  C:\Users\user\AppData\...\service123.exe (PE32) and C:\Users\user\...JHyLWEeahvDVRfzfOaU.dll (PE32), dropped by Channel2.exe
  C:\Users\user\AppData\Local\...\_iscrypt.dll, C:\Users\user\AppData\...\unins000.exe (copy), C:\Users\user\AppData\Local\...\is-ONC8V.tmp (all PE32) and 15 other files (7 malicious), dropped by stories.tmp
  C:\...clipse IO Library 9.27.47.exe (PE32), dropped by gerdaplay3se32.exe

Process tree recorded in the graph:
  file.exe -> setup.exe -> Install.exe -> Install.exe -> cmd.exe, forfiles.exe, schtasks.exe
  file.exe -> stories.exe -> stories.tmp -> gerdaplay3se32.exe
  file.exe -> Channel2.exe
  Install.exe -> cmd.exe -> forfiles.exe (three instances) -> cmd.exe -> reg.exe
  Install.exe -> powershell.exe -> cmd.exe -> reg.exe
  OpenWith.exe -> cmd.exe -> reg.exe
  cmd.exe -> powershell.exe -> gpupdate.exe -> conhost.exe
  cmd.exe -> powershell.exe -> WMIC.exe
  forfiles.exe and schtasks.exe -> conhost.exe
  svchost.exe

Signatures attached to graph nodes: Suricata IDS alerts for network traffic; Found malware configuration; Antivirus detection for dropped file; Drops PE files to the document folder of the user; Creates files in the recycle bin to hide itself; Modifies Windows Defender protection settings; Modifies Group Policy settings; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; Found many strings related to Crypto-Wallets (likely being stolen); Tries to harvest and steal browser information (history, passwords, etc); Drops large PE files; Uses cmd line tools excessively to alter registry or file data; Suspicious powershell command line found; 19 other signatures.
Threat name: Win32.Trojan.Generic
Status: Malicious
First seen: 2024-09-27 15:51:08 UTC
File Type: PE (.Net Exe)
Extracted files: 1
AV detection: 15 of 38 (39.47%)
Threat level: 2/5
Verdict: malicious
Label(s): smokeloader cryptbot shellcode_loader_002 socks5systemz
Result
Malware family: socks5systemz
Score: 10/10
Tags: family:cryptbot family:socks5systemz botnet defense_evasion discovery evasion execution spyware stealer trojan
Behaviour
Checks processor information in registry
Enumerates system info in registry
Modifies data under HKEY_USERS
Modifies registry class
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
Drops file in Program Files directory
Drops file in Windows directory
Drops file in System32 directory
Suspicious use of SetThreadContext
Checks installed software on the system
Drops Chrome extension
Drops desktop.ini file(s)
Checks BIOS information in registry
Checks computer location settings
Executes dropped EXE
Indirect Command Execution
Loads dropped DLL
Reads user/profile data of web browsers
Unexpected DNS network traffic destination
Blocklisted process makes network request
Command and Scripting Interpreter: PowerShell
Downloads MZ/PE file
CryptBot
Detect Socks5Systemz Payload
Modifies Windows Defender Real-time Protection settings
Socks5Systemz
Windows security bypass
Malware Config
C2 Extraction:
fivevh5ht.top
analforeverlovyu.top
Unpacked files
SHA256 hash: 69b153cd6176d790d2aae37ccc5600bde475a0eca6d1f6f531a1e040d44bccd1
MD5 hash: 72025394a2450241bce7df7e305cd07b
SHA1 hash: 018b6c066c915ba37616661f86c09e453d58fd66
Malware family: SmokeLoader
Verdict: Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These rules are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: Detect_PowerShell_Obfuscation
Author: daniyyell
Description: Detects obfuscated PowerShell commands commonly used in malicious scripts.

Rule name: MSIL_TinyDownloader_Generic
Author: albertzsigovits
Description: Detects small-sized dotNET downloaders

Rule name: NETexecutableMicrosoft
Author: malware-lu

Rule name: pe_imphash

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download
Socks5Systemz
Executable exe 69b153cd6176d790d2aae37ccc5600bde475a0eca6d1f6f531a1e040d44bccd1 (this sample)
Delivery method: Distributed via web download

BLint


The following table provides more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables.

Findings
ID: CHECK_AUTHENTICODE; Title: Missing Authenticode; Severity: high
ID: CHECK_DLL_CHARACTERISTICS; Title: Missing dll Security Characteristics (HIGH_ENTROPY_VA); Severity: high

Comments