MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 77f158154f0a44daf1fe943b0264ca8202b7be7bcd02d0d4a6ccb2e179b5c385. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Socks5Systemz


Vendor detections: 10



SHA256 hash: 77f158154f0a44daf1fe943b0264ca8202b7be7bcd02d0d4a6ccb2e179b5c385
SHA3-384 hash: 4dbf11a74e1108c95f95617e3a7398987bbe5896227a37ed7616937e366c7865a954c59984882c4d4ae7a6f60967b4a2
SHA1 hash: 423dde0f6577e94cd2fb013d040dfe54e290800e
MD5 hash: 6b20f78098ea410e445da5746de447fd
humanhash: bacon-missouri-robin-princess
File name: tuc5.exe
Signature: Socks5Systemz
File size: 7'865'822 bytes
First seen: 2023-12-11 20:40:44 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash 884310b1928934402ea6fec1dbd3cf5e (3'725 x GCleaner, 3'458 x Socks5Systemz, 262 x RaccoonStealer)
ssdeep 196608:xO78pimeIjZMmsj7bXzjl3iT1A9SG7ul2xdVNWiYmJE6RI6zj:078pimNjMDzjl3dQAdVN1YyRPzj
Threatray 5'799 similar samples on MalwareBazaar
TLSH T18E863393AF74566CF6194BB01D234C461FFA2C6D4FB04815987EB43EADB604848CAB7E
TrID 76.2% (.EXE) Inno Setup installer (107240/4/30)
10.0% (.EXE) Win32 Executable Delphi generic (14182/79/4)
4.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.2% (.EXE) Win32 Executable (generic) (4505/5/1)
1.4% (.EXE) Win16/32 Executable Delphi generic (2072/23)
dhash icon fefce49e86c0fcfe (884 x Socks5Systemz, 259 x RaccoonStealer)
Reporter Xev
Tags: exe Socks5Systemz


NIXLovesCooper
Downloaded from http://never.hitsturbo.com/order/tuc5.exe

Intelligence


File Origin
# of uploads :
1
# of downloads :
250
Origin country :
GR
Vendor Threat Intelligence
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% subdirectories
Creating a window
Creating a process from a recently created file
Creating synchronization primitives
Searching for synchronization primitives
Creating a file in the Program Files subdirectories
Moving a file to the Program Files subdirectory
Launching a process
Modifying a system file
Creating a file
Creating a service
Launching the process to interact with network services
Sending a custom TCP request
Enabling autorun for a service
Verdict:
Suspicious
Threat level:
5/10
Confidence:
100%
Tags:
control installer lolbin overlay packed shell32
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Petite Virus, Socks5Systemz
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Behaviour
Behavior Graph:
n/a
Threat name:
Win32.Trojan.Generic
Status:
Suspicious
First seen:
2023-12-11 20:41:05 UTC
File Type:
PE (Exe)
Extracted files:
5
AV detection:
12 of 21 (57.14%)
Threat level:
5/5
Result
Malware family:
n/a
Score:
7/10
Tags:
discovery
Behaviour
Runs net.exe
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Drops file in Program Files directory
Checks installed software on the system
Executes dropped EXE
Loads dropped DLL
Unexpected DNS network traffic destination
Unpacked files
SHA256 hash:
d1286da2332f03018f97ce332f9b3ea0963088e2ec105e6f2ba3acaea00560d4
MD5 hash:
5e46d295989c1e038ce5202a45a591b4
SHA1 hash:
46ea548a01d0e35d655a9cbcc90671fe3b5bf06c
SHA256 hash:
285e39cc0871a31acbbb8dd9857e91bb2526ea11cc0deaa05bf4eb3944363d93
MD5 hash:
d77da84f2582f1e079ea4554421cd887
SHA1 hash:
128dcd7823a6400cdc65bd13dbb85a2a3d28064b
Detections:
INDICATOR_EXE_Packed_VMProtect
Parent samples :
SHA256 hash:
444c9128114c59e174dec3a243760f73843021b91cfab7959d71ee03b569c63c
MD5 hash:
c3f876aa5806a3e6815dc841a792f5bd
SHA1 hash:
83e3fdff1e387991c69d69d4cc6f53182d52131b
SHA256 hash:
418fe78d7219deca17e3a7c678ac471f18a2685f79c6ae5a1793aa0f19083b51
MD5 hash:
c69eaa81e3b09e5c739dc4c2f6bf7222
SHA1 hash:
5ef98ec51ef6bb41a9999ecb1281797d604465ea
SHA256 hash:
77f158154f0a44daf1fe943b0264ca8202b7be7bcd02d0d4a6ccb2e179b5c385
MD5 hash:
6b20f78098ea410e445da5746de447fd
SHA1 hash:
423dde0f6577e94cd2fb013d040dfe54e290800e
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:shellcode
Author:nex
Description:Matched shellcode byte patterns

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments