MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 74fe2816f24bc6d472b2d5a71cad259a4c5c635c5f221c3f7e51ea52b49a336e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Socks5Systemz

Vendor detections: 12

Intelligence 12 IOCs YARA 6 File information Comments

SHA256 hash:	74fe2816f24bc6d472b2d5a71cad259a4c5c635c5f221c3f7e51ea52b49a336e
SHA3-384 hash:	06bfa94ee1a96c6b8a96865bb73a79f509284d84809fc84f7066a8ac73de1c26bd02aacff1c909eb74b29c1c67a50c1e
SHA1 hash:	c023f4f8b1fad7ee64665d7bf3bf6a6c8c5150fb
MD5 hash:	b6d0af617cc93627a5220846eea52ddc
humanhash:	carbon-romeo-kilo-two
File name:	b6d0af617cc93627a5220846eea52ddc.exe
Download:	download sample
Signature	Socks5Systemz Create hunting rule
File size:	4'185'833 bytes
First seen:	2025-02-08 15:12:36 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	884310b1928934402ea6fec1dbd3cf5e (3'725 x GCleaner, 3'566 x Socks5Systemz, 262 x RaccoonStealer)
ssdeep	98304:3orjoC9OX8Y2ek6fdeSL78d5cljH/mHozZvQ6:YrjoCEXF2rPbKH/mHUW6
Threatray	3 similar samples on MalwareBazaar
TLSH	T12C163336C868E838E537DBBD8E4F880E7437DE6B4A2E517027D8E4856F1764860C572B
TrID	76.2% (.EXE) Inno Setup installer (107240/4/30) 10.0% (.EXE) Win32 Executable Delphi generic (14182/79/4) 4.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 3.2% (.EXE) Win32 Executable (generic) (4504/4/1) 1.4% (.EXE) Win16/32 Executable Delphi generic (2072/23)
Magika	pebin
File icon (PE):
dhash icon	b298acbab2ca7a72 (2'327 x GCleaner, 1'631 x Socks5Systemz, 67 x RedLineStealer)
Reporter	abuse_ch
Tags:	exe Socks5Systemz

Intelligence

File Origin

# of uploads :

# of downloads :

465

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

b6d0af617cc93627a5220846eea52ddc.exe

Verdict:

Malicious activity

Analysis date:

2025-02-08 15:12:59 UTC

Tags:

inno installer delphi

Link:

https://app.any.run/tasks/626b2da2-a5c6-4855-b5eb-5e7390984549

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection(s):

SecuriteInfo.com.Application.Agent.AIQ.2330.UNOFFICIAL

Gathering data

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file in the %temp% subdirectories

Creating a window

Creating a process from a recently created file

Сreating synchronization primitives

Searching for the window

Searching for synchronization primitives

Creating a file

Moving a recently created file

Creating a service

Enabling autorun for a service

Verdict:

Malicious

Labled as:

Win/grayware_confidence_60%

Link:

https://www.hybrid-analysis.com/sample/74fe2816f24bc6d472b2d5a71cad259a4c5c635c5f221c3f7e51ea52b49a336e

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/ce6ededf-9633-4f39-aa46-9b2fb6b67570

Result

Threat name:

Socks5Systemz

Detection:

malicious

Classification:

troj.evad

Score:

92 / 100

Link:

https://www.joesandbox.com/analysis/1610115

Signature

Contains functionality to infect the boot sector

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found API chain indicative of debugger detection

Joe Sandbox ML detected suspicious sample

Machine Learning detection for dropped file

Multi AV Scanner detection for submitted file

PE file has a writeable .text section

Yara detected Socks5Systemz

Behaviour

Behavior Graph:

Download SVG

Score:

85%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/74fe2816f24bc6d472b2d5a71cad259a4c5c635c5f221c3f7e51ea52b49a336e

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/74fe2816f24bc6d472b2d5a71cad259a4c5c635c5f221c3f7e51ea52b49a336e/

Threat name:

Win32.Trojan.Sockssystemz

Status:

Suspicious

First seen:

2025-02-08 13:06:45 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

15 of 24 (62.50%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=ot7cqfxsjpdni4vs2wtrzljftjgfyy24l4rbyp36khvffne2gnxa._file

Verdict:

malicious

Label(s):

socks5systemz

Socks5Systemz

5a1f60003793dad17d116893de62b2258d83b636f17f813dfbf93299ff7c2c74

Socks5Systemz

60747e80c3dece47b5c7dc3cfdcfe18abfd4cf12fe9b794749e068760dcb4847

Socks5Systemz

error

Socks5Systemz

Result

Malware family:

socks5systemz

Score:

10/10

Tags:

family:socks5systemz botnet discovery

Link:

https://tria.ge/reports/250208-slw8astkem/

Behaviour

Modifies system certificate store

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

System Location Discovery: System Language Discovery

System Network Configuration Discovery: Internet Connection Discovery

Checks installed software on the system

Executes dropped EXE

Loads dropped DLL

Downloads MZ/PE file

Detect Socks5Systemz Payload

Socks5Systemz

Socks5systemz family

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/3ec8b38d-d6b1-45ea-b62d-145a5bb001d6

Unpacked files

SH256 hash:

74fe2816f24bc6d472b2d5a71cad259a4c5c635c5f221c3f7e51ea52b49a336e

MD5 hash:

b6d0af617cc93627a5220846eea52ddc

SHA1 hash:

c023f4f8b1fad7ee64665d7bf3bf6a6c8c5150fb

Link:

https://www.unpac.me/results/43bb5a9b-0b10-43ee-aaf5-49969a8c2c2d/

SH256 hash:

9b68a3165db52d4323be45b181c86583fee3d633e91643cbc3ab449d30566fe9

MD5 hash:

951a69e0f3f9b4a2c4386fd8a6ff683f

SHA1 hash:

35b72900493d5e8f0ce8fdec90c0970897b29590

Link:

https://www.unpac.me/results/43bb5a9b-0b10-43ee-aaf5-49969a8c2c2d/

SH256 hash:

fe7d01fbb70f8d56501e2e1615ad2a32c9ba6a9810c333992c246f5515dca17e

MD5 hash:

81df3730fc36f4182686f1802bf14fd0

SHA1 hash:

a787f617ffde5e9bcf474d2d566b54dfbd88c6fd

Link:

https://www.unpac.me/results/43bb5a9b-0b10-43ee-aaf5-49969a8c2c2d/

SH256 hash:

388a796580234efc95f3b1c70ad4cb44bfddc7ba0f9203bf4902b9929b136f95

MD5 hash:

e4211d6d009757c078a9fac7ff4f03d4

SHA1 hash:

019cd56ba687d39d12d4b13991c9a42ea6ba03da

Link:

https://www.unpac.me/results/43bb5a9b-0b10-43ee-aaf5-49969a8c2c2d/

SH256 hash:

44b8e6a310564338968158a1ed88c8535dece20acb06c5e22d87953c261dfed0

MD5 hash:

9c8886759e736d3f27674e0fff63d40a

SHA1 hash:

ceff6a7b106c3262d9e8496d2ab319821b100541

Link:

https://www.unpac.me/results/43bb5a9b-0b10-43ee-aaf5-49969a8c2c2d/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/74fe2816f24bc6d472b2d5a71cad259a4c5c635c5f221c3f7e51ea52b49a336e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	INDICATOR_EXE_Packed_VMProtect Create hunting rule
Author:	ditekSHen
Description:	Detects executables packed with VMProtect.

Rule name:	pe_detect_tls_callbacks Create hunting rule

Rule name:	ScanStringsInsocks5systemz Create hunting rule
Author:	Byambaa@pubcert.mn
Description:	Scans presence of the found strings using the in-house brute force method

Rule name:	shellcode Create hunting rule
Author:	nex
Description:	Matched shellcode byte patterns

Rule name:	Sus_Obf_Enc_Spoof_Hide_PE Create hunting rule
Author:	XiAnzheng
Description:	Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (HIGH_ENTROPY_VA)	high

Reviews

ID	Capabilities	Evidence
SECURITY_BASE_API	Uses Security Base API	advapi32.dll::AdjustTokenPrivileges
WIN32_PROCESS_API	Can Create Process and Threads	kernel32.dll::CreateProcessA advapi32.dll::OpenProcessToken kernel32.dll::CloseHandle
WIN_BASE_API	Uses Win Base API	kernel32.dll::LoadLibraryA kernel32.dll::GetSystemInfo kernel32.dll::GetCommandLineA
WIN_BASE_IO_API	Can Create Files	kernel32.dll::CreateDirectoryA kernel32.dll::CreateFileA kernel32.dll::DeleteFileA kernel32.dll::GetWindowsDirectoryA kernel32.dll::GetFileAttributesA kernel32.dll::RemoveDirectoryA
WIN_BASE_USER_API	Retrieves Account Information	advapi32.dll::LookupPrivilegeValueA
WIN_REG_API	Can Manipulate Windows Registry	advapi32.dll::RegOpenKeyExA advapi32.dll::RegQueryValueExA
WIN_USER_API	Performs GUI Actions	user32.dll::PeekMessageA user32.dll::CreateWindowExA

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample