MalwareBazaar Database
You are currently viewing the MalwareBazaar entry for SHA256 7b39e82fb9d362745831c9ae998300cdd2e1e0337cfbafd22965457902751fa2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.
Database Entry
Socks5Systemz
Vendor detections: 13
| SHA256 hash: | 7b39e82fb9d362745831c9ae998300cdd2e1e0337cfbafd22965457902751fa2 |
|---|---|
| SHA3-384 hash: | 20fdee0042c48803a64034477549a648266e4b201718af38a7c206808a4bb91f514e8cad6bcf1c36c4fafb73be33f7f1 |
| SHA1 hash: | 4849a6c070071b9ba1e268a3a0367f0d86cc29f0 |
| MD5 hash: | 2bc78c83ead307da1ccbc58993604a42 |
| humanhash: | wolfram-tango-bravo-robert |
| File name: | LisectAVT_2403002A_421.exe |
| Download: | download sample |
| Signature | Socks5Systemz |
| File size: | 2'089'696 bytes |
| First seen: | 2024-07-25 00:33:27 UTC |
| Last seen: | Never |
| File type: |  exe |
| MIME type: | application/x-dosexec |
| imphash | 884310b1928934402ea6fec1dbd3cf5e (3'725 x GCleaner, 3'460 x Socks5Systemz, 262 x RaccoonStealer) |
| ssdeep | 49152:32mReh8xhZ4DirVux6pKP79FS+iZM95cALWatNiCtQUOK+oR9:mmQab4Dq84oR0+4MQGHcWQqHR |
| Threatray | 31 similar samples on MalwareBazaar |
| TLSH | T15CA53300F7D7E23CE07AAD396A02219D0A232B6216F5E1877D8C895D1F77B1AD523763 |
| TrID | 76.2% (.EXE) Inno Setup installer (107240/4/30) 10.0% (.EXE) Win32 Executable Delphi generic (14182/79/4) 4.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 3.2% (.EXE) Win32 Executable (generic) (4504/4/1) 1.4% (.EXE) Win16/32 Executable Delphi generic (2072/23) |
| File icon (PE): |  |
| dhash icon | b298acbab2ca7a72 (2'327 x GCleaner, 1'631 x Socks5Systemz, 67 x RedLineStealer) |
| Reporter | Anonymous |
| Tags: | exe Socks5Systemz |
Anonymous
this malware sample is very nasty!Intelligence
File Origin
# of uploads :
1
# of downloads :
101
Origin country :
CNVendor Threat Intelligence
Detection(s):
Verdict:
Malicious
Score:
90.2%
Tags:
Encryption Stealth Heur
Result
Verdict:
Malware
Maliciousness:
Behaviour
Searching for the window
Creating a file in the %temp% subdirectories
Creating a window
Creating a process from a recently created file
Сreating synchronization primitives
Creating a file
Moving a recently created file
Modifying a system file
Creating a service
Enabling autorun for a service
Verdict:
Likely Malicious
Threat level:
7.5/10
Confidence:
100%
Tags:
borland_delphi fingerprint installer lolbin overlay packed shell32
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Result
Threat name:
Socks5Systemz
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Behaviour
Behavior Graph:
n/a
Score:
60%
Verdict:
Susipicious
File Type:
PE
Threat name:
Win32.Trojan.Sockssystemz
Status:
Suspicious
First seen:
2024-07-25 00:34:15 UTC
File Type:
PE (Exe)
Extracted files:
6
AV detection:
14 of 24 (58.33%)
Threat level:
5/5
Detection(s):
Suspicious file
Verdict:
malicious
Similar samples:
+ 21 additional samples on MalwareBazaar
Result
Malware family:
socks5systemz
Score:
10/10
Tags:
family:socks5systemz botnet discovery
Behaviour
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Checks installed software on the system
Executes dropped EXE
Loads dropped DLL
Unexpected DNS network traffic destination
Detect Socks5Systemz Payload
Socks5Systemz
Malware Config
C2 Extraction:
bmhnbgb.com
http://bmhnbgb.com/search/?q=67e28dd83e55f02a435afd1d7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4de8889b5e4fa9281ae978a271ea771795af8e05c642db22f31df92d8b38e316a667d307eca743ec4c2b07b5296692396686f916c7ea9d
ceeydba.net
http://ceeydba.net/search/?q=67e28dd86d5ca72b405cfa1d7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978a371ea771795af8e05c642db22f31dfe339426fa11af66c152adb719a9577e55b8603e983a608cfe19c6e892983c
http://ceeydba.net/search/?q=67e28dd86d5ca72b405cfa1d7c27d78406abdd88be4b12eab517aa5c96bd86ef958e48845a8bbc896c58e713bc90c91936b5281fc235a925ed3e00d6bd974a95129070b611e96cc92be510b866db52b2e34aec4c2b14a82966836f23d7f210c7ed94923dca689411
http://bmhnbgb.com/search/?q=67e28dd83e55f02a435afd1d7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4de8889b5e4fa9281ae978a271ea771795af8e05c642db22f31df92d8b38e316a667d307eca743ec4c2b07b5296692396686f916c7ea9d
ceeydba.net
http://ceeydba.net/search/?q=67e28dd86d5ca72b405cfa1d7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978a371ea771795af8e05c642db22f31dfe339426fa11af66c152adb719a9577e55b8603e983a608cfe19c6e892983c
http://ceeydba.net/search/?q=67e28dd86d5ca72b405cfa1d7c27d78406abdd88be4b12eab517aa5c96bd86ef958e48845a8bbc896c58e713bc90c91936b5281fc235a925ed3e00d6bd974a95129070b611e96cc92be510b866db52b2e34aec4c2b14a82966836f23d7f210c7ed94923dca689411
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Unpacked files
SH256 hash:
1c820e3734a4a1a1e4681f88b65bd1e2bbac1e5c18a06cd4157edbcbc18c8298
MD5 hash:
214ba7d132ab6b626cdf9c371fdb8fba
SHA1 hash:
8c65b0ba0c75129d1cf1e11892ac0a4af083420d
SH256 hash:
86c58abc8028060760323a6ba9b04857e43eb0179f385ed4be49b9fe4b226f01
MD5 hash:
363bb078f3d6470aa393f35104e42bf5
SHA1 hash:
44c24707a6698b54127525f29d8b2bf7b0686418
Detections:
Socks5Systemz
Parent samples :
5a78266d2c6a7597e5e85538a6fb9c8e2e019db2d25818d36c0ff7a9b53a43bc
ff81ebb631def33459e576f7af0204392e5545209a1d3ac262eeb7b185d61c75
9ac0360dc962bbce1c4c8a5b45df41f113acbdcbaa2debdc051f704b955a21fd
2464d67372e48f904f6061bad144f67b49c1918870d0343eb9b94479e10d1ef8
e8b1799f8065a7438b8bf111c22f20fbd6f1fdc02db8be75fceb43e76c497036
52d872fa305b5712fa9b1e25e7d9a514f711e7b1b81ab97fed157af41306201d
41105bfdb5af989cd5d636fcb77ef49f97d25d525aa2bdc35d95e1b0a46e8b60
8c06eb60b0a4cb9ed906a3a8648b7096e5a024f0d3335910c674dff1dd6ba2d9
13054d2dd86e9d9b7920a0172e9b40ee0409f4e21412ace7ce16160394b6e87d
b42c724af5c05849434bb0c34cabbd138201a7f6b6b56faadbc150885cfd0a2e
54a7785ee23bf5aabf61e909cd849e0b1649dccb6edca691fba411e7f36774a4
1ba1766362edbe760510aba2daa552624058f0dbd7f4e426c8801bd876b915d6
8463f0c1e828afc585438c68123cc4b55628bc2ec18c58671e13f9439af31fe4
45d3e2a90ffe10319fe19d04af1fbe783101c3be4841710e506ac84d0e882d07
2b6d8240ec9d04c86a70334f9d04d47188a8962d7cccfe1553ba6e9e77040518
25d5acd334f0d498f7cfef39cfb04259b6f1c0bc066b39bb4f1da85a4a4388c3
69361a92cd9421f08dcc2ca90ebe17e4ec2a261491d0fd2d22c801a764d2b58c
6b0db00703abd4a4e5d245e6c70b7678b0d9e6cd14171399b0110be37550f37c
e3afcc20063477edea06d401bc38833b8df4b3d17e44587ae2e0824a86fe60be
bb618cb84a1343d5f90e5cf6073dd9b151d902433e7198ed54748b6b7efcf503
a8757a8ee40ba6cb4339d00a2e92c6783779fa6363ec433b28e10612fe8fc14a
836667ded6e8f83458c66a5075847c9f041e3f40c25de5040a27233d99a69a25
53ea16c0c1a0feae0e1a6e50f2f180496660c0955a6763fb5429ff7204223122
5e00b8843a33d3dd8cc77eaaa1b4a8350182d639a8ce83575946b3786b356dfb
d3eed14b62ecea9cde96248df1c2d216c004c62c6e80287da6bd0b7d09952e09
cb8f045facd1167c5f65844bfc78f3facf57ed4c82cb9aaea9342d2666feba2f
3face14fa194ab9f0e7a534ed938a0d6c5ad0529017b968c9cff394400f80e89
9f03088fe6d06a375fcfeefb08d11cedf5b8865ddd29ec5e593309555c55d0e8
8043a47e47ea42b33eed0ae655867be63019613790a1c190c9914f80f3d7cfa1
1da9d783b64f9f770751e2f828ac9a1fa065ddd02fc801cc7e6526caa7f0b99a
33bcf3678845e17212de90f21b0cc8f8aaa237849ba1ad908b6783d7b6dd7857
8f5985b7574b66aea72acda2413599036634d1dd0586ff4135f03c0fe7d9bdec
deecc4ccd39de5b02eded282e5759890d9346ab1dc801f8cc7e9d317e06d27d3
7b39e82fb9d362745831c9ae998300cdd2e1e0337cfbafd22965457902751fa2
628151552bded4ac5af3103d00cb0f47737a9f6b6e4276f711de9cb26864e9ce
ff81ebb631def33459e576f7af0204392e5545209a1d3ac262eeb7b185d61c75
9ac0360dc962bbce1c4c8a5b45df41f113acbdcbaa2debdc051f704b955a21fd
2464d67372e48f904f6061bad144f67b49c1918870d0343eb9b94479e10d1ef8
e8b1799f8065a7438b8bf111c22f20fbd6f1fdc02db8be75fceb43e76c497036
52d872fa305b5712fa9b1e25e7d9a514f711e7b1b81ab97fed157af41306201d
41105bfdb5af989cd5d636fcb77ef49f97d25d525aa2bdc35d95e1b0a46e8b60
8c06eb60b0a4cb9ed906a3a8648b7096e5a024f0d3335910c674dff1dd6ba2d9
13054d2dd86e9d9b7920a0172e9b40ee0409f4e21412ace7ce16160394b6e87d
b42c724af5c05849434bb0c34cabbd138201a7f6b6b56faadbc150885cfd0a2e
54a7785ee23bf5aabf61e909cd849e0b1649dccb6edca691fba411e7f36774a4
1ba1766362edbe760510aba2daa552624058f0dbd7f4e426c8801bd876b915d6
8463f0c1e828afc585438c68123cc4b55628bc2ec18c58671e13f9439af31fe4
45d3e2a90ffe10319fe19d04af1fbe783101c3be4841710e506ac84d0e882d07
2b6d8240ec9d04c86a70334f9d04d47188a8962d7cccfe1553ba6e9e77040518
25d5acd334f0d498f7cfef39cfb04259b6f1c0bc066b39bb4f1da85a4a4388c3
69361a92cd9421f08dcc2ca90ebe17e4ec2a261491d0fd2d22c801a764d2b58c
6b0db00703abd4a4e5d245e6c70b7678b0d9e6cd14171399b0110be37550f37c
e3afcc20063477edea06d401bc38833b8df4b3d17e44587ae2e0824a86fe60be
bb618cb84a1343d5f90e5cf6073dd9b151d902433e7198ed54748b6b7efcf503
a8757a8ee40ba6cb4339d00a2e92c6783779fa6363ec433b28e10612fe8fc14a
836667ded6e8f83458c66a5075847c9f041e3f40c25de5040a27233d99a69a25
53ea16c0c1a0feae0e1a6e50f2f180496660c0955a6763fb5429ff7204223122
5e00b8843a33d3dd8cc77eaaa1b4a8350182d639a8ce83575946b3786b356dfb
d3eed14b62ecea9cde96248df1c2d216c004c62c6e80287da6bd0b7d09952e09
cb8f045facd1167c5f65844bfc78f3facf57ed4c82cb9aaea9342d2666feba2f
3face14fa194ab9f0e7a534ed938a0d6c5ad0529017b968c9cff394400f80e89
9f03088fe6d06a375fcfeefb08d11cedf5b8865ddd29ec5e593309555c55d0e8
8043a47e47ea42b33eed0ae655867be63019613790a1c190c9914f80f3d7cfa1
1da9d783b64f9f770751e2f828ac9a1fa065ddd02fc801cc7e6526caa7f0b99a
33bcf3678845e17212de90f21b0cc8f8aaa237849ba1ad908b6783d7b6dd7857
8f5985b7574b66aea72acda2413599036634d1dd0586ff4135f03c0fe7d9bdec
deecc4ccd39de5b02eded282e5759890d9346ab1dc801f8cc7e9d317e06d27d3
7b39e82fb9d362745831c9ae998300cdd2e1e0337cfbafd22965457902751fa2
628151552bded4ac5af3103d00cb0f47737a9f6b6e4276f711de9cb26864e9ce
SH256 hash:
3c711c18a72720ea0eee6cecbfd2e0a5ae95d92a36873afa64a78795889a440b
MD5 hash:
0dc426d1e7fbfeddc417fa30596b8308
SHA1 hash:
6d067af99345e15b177d01fbb42c6aa41b64e001
Detections:
INDICATOR_EXE_Packed_VMProtect
SH256 hash:
44b8e6a310564338968158a1ed88c8535dece20acb06c5e22d87953c261dfed0
MD5 hash:
9c8886759e736d3f27674e0fff63d40a
SHA1 hash:
ceff6a7b106c3262d9e8496d2ab319821b100541
SH256 hash:
4dc09bac0613590f1fac8771d18af5be25a1e1cb8fdbf4031aa364f3057e74a2
MD5 hash:
0ee914c6f0bb93996c75941e1ad629c6
SHA1 hash:
12e2cb05506ee3e82046c41510f39a258a5e5549
SH256 hash:
a4c86fc4836ac728d7bd96e7915090fd59521a9e74f1d06ef8e5a47c8695fd81
MD5 hash:
4ff75f505fddcc6a9ae62216446205d9
SHA1 hash:
efe32d504ce72f32e92dcf01aa2752b04d81a342
SH256 hash:
74c7ef0d21748df5aa4be5f4479136cdd8d722a71114587edf1e041b3d8ccefe
MD5 hash:
ab79ef68155e5bde1f434e1311f3ff74
SHA1 hash:
843d5f1f1a751256f505f7a63090ddbeebd45192
SH256 hash:
a04a17e41191066a0d2540fbbd9bec17132e10c4b815b93db484d8ac1dd3e344
MD5 hash:
46203d4e12e890e8661ef1e128b44110
SHA1 hash:
5a8a085cad57b0439cb234abdbc4c96f2cfd7b0f
SH256 hash:
7b39e82fb9d362745831c9ae998300cdd2e1e0337cfbafd22965457902751fa2
MD5 hash:
2bc78c83ead307da1ccbc58993604a42
SHA1 hash:
4849a6c070071b9ba1e268a3a0367f0d86cc29f0
Please note that we are no longer able to provide a coverage score for Virus Total.
YARA Signatures
MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.
| Rule name: | shellcode |
|---|---|
| Author: | nex |
| Description: | Matched shellcode byte patterns |
File information
The table below shows additional information about this malware sample such as delivery method and external references.
Malspam
Delivery method
Distributed via e-mail attachment
BLint
The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.
Findings
| ID | Title | Severity |
|---|---|---|
| CHECK_AUTHENTICODE | Missing Authenticode | high |
| CHECK_DLL_CHARACTERISTICS | Missing dll Security Characteristics (HIGH_ENTROPY_VA) | high |
| CHECK_NX | Missing Non-Executable Memory Protection | critical |
| CHECK_PIE | Missing Position-Independent Executable (PIE) Protection | high |
Reviews
| ID | Capabilities | Evidence |
|---|---|---|
| SECURITY_BASE_API | Uses Security Base API | advapi32.dll::AdjustTokenPrivileges |
| WIN32_PROCESS_API | Can Create Process and Threads | kernel32.dll::CreateProcessA advapi32.dll::OpenProcessToken kernel32.dll::CloseHandle |
| WIN_BASE_API | Uses Win Base API | kernel32.dll::LoadLibraryA kernel32.dll::GetSystemInfo kernel32.dll::GetCommandLineA |
| WIN_BASE_IO_API | Can Create Files | kernel32.dll::CreateDirectoryA kernel32.dll::CreateFileA kernel32.dll::DeleteFileA kernel32.dll::GetWindowsDirectoryA kernel32.dll::GetFileAttributesA kernel32.dll::RemoveDirectoryA |
| WIN_BASE_USER_API | Retrieves Account Information | advapi32.dll::LookupPrivilegeValueA |
| WIN_REG_API | Can Manipulate Windows Registry | advapi32.dll::RegOpenKeyExA advapi32.dll::RegQueryValueExA |
| WIN_USER_API | Performs GUI Actions | user32.dll::PeekMessageA user32.dll::CreateWindowExA |
Comments
Login required
You need to login to in order to write a comment. Login with your abuse.ch account.