MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7745f0a86461b90e7cd33dc0303235714fe069e8b62f9b8687ca04fb906ba3e8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Socks5Systemz


Vendor detections: 13



SHA256 hash: 7745f0a86461b90e7cd33dc0303235714fe069e8b62f9b8687ca04fb906ba3e8
SHA3-384 hash: 160c2e18ae565fdeeb56a4cbcd589dc8d25c0fadb91d3c00968b3cf8e2f8f8e03b2c6eb05bfac3f44031a0a07e643d63
SHA1 hash: 78f3be419d66e2ac84d6721c60d9259fd2126028
MD5 hash: c94de80b5d3448c765888974d0e5d78d
humanhash: table-berlin-oxygen-alanine
File name: c94de80b5d3448c765888974d0e5d78d
Signature: Socks5Systemz
File size: 7'427'193 bytes
First seen: 2024-02-07 20:57:41 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 884310b1928934402ea6fec1dbd3cf5e (3'725 x GCleaner, 3'457 x Socks5Systemz, 262 x RaccoonStealer)
ssdeep: 196608:av4Vd45y72L2ns4cEHu8WBB9tVMYwS18zAPjDA/Ot1+K2Lh:V45y7MbBBEYws5H8TV
Threatray: 3 similar samples on MalwareBazaar
TLSH: T13A76335188B7C835DD1126758E6D809FC847AE392C2B128B26347D168B37F7C1A6B74F
TrID: 76.2% (.EXE) Inno Setup installer (107240/4/30)
      10.0% (.EXE) Win32 Executable Delphi generic (14182/79/4)
      4.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      3.2% (.EXE) Win32 Executable (generic) (4504/4/1)
      1.4% (.EXE) Win16/32 Executable Delphi generic (2072/23)
dhash icon: b298acbab2ca7a72 (2'327 x GCleaner, 1'631 x Socks5Systemz, 67 x RedLineStealer)
Reporter: zbetcheckin
Tags: 32 exe Socks5Systemz

Intelligence


File Origin
Number of uploads: 1
Number of downloads: 479
Origin country: FR
Vendor Threat Intelligence

Malware family:
ID: 1
File name: 6afbc321844d7fce47b566996bb4c3f62b202e0bfcadf18e9e4c7742317c9953.exe
Verdict: Malicious activity
Analysis date: 2024-02-07 15:25:42 UTC
Tags: loader smoke smokeloader stealer stealc pushdo cutwail backdoor sinkhole

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: fingerprint installer lolbin overlay packed shell32

Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Socks5Systemz
Detection: malicious
Classification: troj.evad
Score: 100 / 100
Signatures:
Antivirus / Scanner detection for submitted sample
C2 URLs / IPs found in malware configuration
Contains functionality to infect the boot sector
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found API chain indicative of debugger detection
Found malware configuration
Machine Learning detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Uses known network protocols on non-standard ports
Yara detected Socks5Systemz
Behaviour
Behavior Graph:
Behavior Graph ID: 1388670
Sample: GCJlGRkySF.exe
Start date: 07/02/2024
Architecture: WINDOWS
Score: 100

Top-level network contacts: z-p42-instagram.c10r.instagram.com; youtube-ui.l.google.com; 15 other IPs or domains
Top-level signatures: Snort IDS alert for network traffic; Found malware configuration; Antivirus / Scanner detection for submitted sample; 5 other signatures

Process tree:
- GCJlGRkySF.exe (started)
  - dropped: C:\Users\user\AppData\...\GCJlGRkySF.tmp (PE32)
  - GCJlGRkySF.tmp (started)
    - dropped: C:\Users\user\AppData\Local\...\_setup64.tmp (PE32+)
    - dropped: C:\Users\user\AppData\Local\...\_isdecmp.dll (PE32)
    - dropped: C:\Users\user\AppData\Local\...\_iscrypt.dll (PE32)
    - dropped: 31 other files (28 malicious)
    - powerimgdrive.exe (started, first instance)
      - dropped: C:\ProgramData\...\IMAP List Mailboxes 65.exe (PE32)
      - signature: Detected unpacking (changes PE section rights)
      - signature: Detected unpacking (overwrites its own PE header)
      - signature: Found API chain indicative of debugger detection
      - signature: Contains functionality to infect the boot sector
    - powerimgdrive.exe (started, second instance)
      - network: didmggb.info 185.196.8.22, ports 49736, 49738, 49740 (SIMPLECARRER2IT, Switzerland)
      - network: api.vk.com 87.240.137.206, ports 443, 49803, 49860 (VKONTAKTE-SPB-AS, Russian Federation)
      - network: 14 other IPs or domains
Threat name: Win32.Trojan.Generic
Status: Malicious
First seen: 2024-02-07 15:27:40 UTC
File Type: PE (Exe)
Extracted files: 5
AV detection: 15 of 24 (62.50%)
Threat level: 2/5

Result
Malware family: socks5systemz
Score: 10/10
Tags: family:socks5systemz botnet discovery
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Checks installed software on the system
Executes dropped EXE
Loads dropped DLL
Unexpected DNS network traffic destination
Detect Socks5Systemz Payload
Socks5Systemz
Unpacked files

SHA256 hash: 1004308ce2140c20ed48bd1bf1a668410c98027c3b416fcd3c636319e2869fab
MD5 hash: 46eb19b33c40306aef71f195b7ad0fff
SHA1 hash: 732d7151467abf6efc9708d7ad0694be06d7980f

SHA256 hash: f37139b9cf18b36b5bdeaab7de22c5d6ae85420e66760ab39de985c77e71b44e
MD5 hash: e215176d5e82814c5509dcf6f5b67719
SHA1 hash: be9400efb412b7dc6d859773c5f262c244e4658b
Detections: INDICATOR_EXE_Packed_VMProtect

SHA256 hash: 44b8e6a310564338968158a1ed88c8535dece20acb06c5e22d87953c261dfed0
MD5 hash: 9c8886759e736d3f27674e0fff63d40a
SHA1 hash: ceff6a7b106c3262d9e8496d2ab319821b100541

SHA256 hash: a4c86fc4836ac728d7bd96e7915090fd59521a9e74f1d06ef8e5a47c8695fd81
MD5 hash: 4ff75f505fddcc6a9ae62216446205d9
SHA1 hash: efe32d504ce72f32e92dcf01aa2752b04d81a342

SHA256 hash: 5eaf55bdaa3de5864532e65e9c39e55d78b73c4be78650fd47eda8d34548ebc0
MD5 hash: 2d4a43c0fe73dca0d7ce5b6ca104f741
SHA1 hash: e0ff4b92cdbc7931df6b9f6cea05ed362e79772d

SHA256 hash: 7aabe3d880ab046c6f5f4d201942bbdf6c5d9663c8e1c926e1e4c272ab661bdd
MD5 hash: 2a9dbe8102c8f639e9405b52e435958a
SHA1 hash: de065a364209998245072d89c5999b1daf6e1f27

SHA256 hash: d6a876a3c637d2547102e588b379481f4ad2e1c3bbe00cc62f9e5ce34f626538
MD5 hash: 2d2968adf62889a7df03f83bbecca239
SHA1 hash: 33c5cd888361e51d74e10fe0cd9dc38fd09e6ac2

SHA256 hash: 7745f0a86461b90e7cd33dc0303235714fe069e8b62f9b8687ca04fb906ba3e8
MD5 hash: c94de80b5d3448c765888974d0e5d78d
SHA1 hash: 78f3be419d66e2ac84d6721c60d9259fd2126028

Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: INDICATOR_EXE_Packed_VMProtect
Author: ditekSHen
Description: Detects executables packed with VMProtect.

Rule name: MD5_Constants
Author: phoul (@phoul)
Description: Look for MD5 constants

Rule name: shellcode
Author: nex
Description: Matched shellcode byte patterns

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download
Signature: Socks5Systemz
File: Executable exe 7745f0a86461b90e7cd33dc0303235714fe069e8b62f9b8687ca04fb906ba3e8 (this sample)

Delivery method: Distributed via web download

Comments



zbet commented on 2024-02-07 20:57:42 UTC

url: hxxp://asx.sunaviat.com/data/pdf/may.exe