MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7dc286e575fd2b37631065a72a1890faeb2186e4e4cbb0eefe6e4332a632c22a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Socks5Systemz


Vendor detections: 12


Intelligence 12 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7dc286e575fd2b37631065a72a1890faeb2186e4e4cbb0eefe6e4332a632c22a
SHA3-384 hash: 155403e6a4098c2e3811b12c72baccb34ca0c8cb762975a3e541d27830aa3b18d72005bae2f05aac79bc870a3fca16ac
SHA1 hash: f790885dd26b066b5a9a32e0a333501f80c42d2c
MD5 hash: 16cf48bfa4e30eddf1d7393fc86e7716
humanhash: fix-utah-tango-nitrogen
File name:Random.exe
Download: download sample
Signature Socks5Systemz
Create hunting rule
File size:236'904 bytes
First seen:2023-12-10 04:00:20 UTC
Last seen:2023-12-10 05:20:51 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'749 x AgentTesla, 19'653 x Formbook, 12'246 x SnakeKeylogger)
ssdeep 6144:72OP7VE8g53BGMjsh9XsWXFYEcmVXBNK7cL:72I29nJwxV1OAL
Threatray 4 similar samples on MalwareBazaar
TLSH T134349C1492D86F1FE335F6B8626131D9FA7001A3432CDB61BB5FAE762B5E7C10523162
TrID 27.3% (.SCR) Windows screen saver (13097/50/3)
22.0% (.EXE) Win64 Executable (generic) (10523/12/4)
13.7% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
10.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
9.4% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter V3n0mStrike
Tags:exe signed

Code Signing Certificate

Organisation:webpik inc
Issuer:webpik inc
Algorithm:sha256WithRSAEncryption
Valid from:2023-12-10T00:46:52Z
Valid to:2024-12-10T00:46:52Z
Serial number: 4f9f96c05f243814ff7a6ac869c3d891
Thumbprint Algorithm:SHA256
Thumbprint: e209325f8ec455afe7f828331442d85402eade16f1414023d710b39447bf4881
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform


Avatar
V3n0mStrike
opendir http://15.204.49.148/files/

Intelligence

File Origin
# of uploads :
2
# of downloads :
316
Origin country :
CL CL
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/464147/
Detection(s):
SecuriteInfo.com.HEUR.Trojan-Spy.MSIL.Windigo.gen.6109.12215.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
Creating a process with a hidden window
Launching a process
Creating a file
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Creating a process from a recently created file
Creating a file in the %temp% subdirectories
Searching for the window
Searching for synchronization primitives
Launching the process to interact with network services
Blocking the User Account Control
Query of malicious DNS domain
Adding exclusions to Windows Defender
Adding an exclusion to Microsoft Defender
Unauthorized injection to a system process
Enabling autorun by creating a file
Sending an HTTP GET request to an infection source
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
overlay packed
Link:
https://www.filescan.io/uploads/657537ff8b5ba47db2db9046/reports/6b4c1156-20ce-40b3-a3d1-93c65cea6b7b/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/7dc286e575fd2b37631065a72a1890faeb2186e4e4cbb0eefe6e4332a632c22a
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Upgdsed
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/0a35ef6c-c3b1-4e0f-8793-46753649108e
Result
Threat name:
Petite Virus, PrivateLoader, Socks5Syste
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1357152
Signature
.NET source code contains very large array initializations
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
Adds extensions / path to Windows Defender exclusion list (Registry)
Antivirus detection for URL or domain
Creates HTML files with .exe extension (expired dropper behavior)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Disable Windows Defender real time protection (registry)
Disables UAC (registry)
Disables Windows Defender (deletes autostart)
Drops script or batch files to the startup folder
Exclude list of file types from scheduled, custom, and real-time scanning
Hides threads from debuggers
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies Group Policy settings
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Query firmware table information (likely to detect VMs)
Sigma detected: Drops script at startup location
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes many files with high entropy
Yara detected Generic Downloader
Yara detected Petite Virus
Yara detected PrivateLoader
Yara detected Socks5Systemz
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1357152 Sample: Random.exe Startdate: 10/12/2023 Architecture: WINDOWS Score: 100 165 Multi AV Scanner detection for domain / URL 2->165 167 Malicious sample detected (through community Yara rule) 2->167 169 Antivirus detection for URL or domain 2->169 171 12 other signatures 2->171 10 Random.exe 2 4 2->10         started        13 cmd.exe 2->13         started        15 svchost.exe 2->15         started        17 2 other processes 2->17 process3 signatures4 181 Adds extensions / path to Windows Defender exclusion list (Registry) 10->181 183 Adds a directory exclusion to Windows Defender 10->183 185 Disables UAC (registry) 10->185 19 AddInProcess32.exe 15 225 10->19         started        24 powershell.exe 22 10->24         started        26 CasPol.exe 10->26         started        28 conhost.exe 13->28         started        process5 dnsIp6 131 91.92.243.139 THEZONEBG Bulgaria 19->131 133 78.135.105.12 PREMIERDC-VERI-MERKEZI-ANONIM-SIRKETIPREMIERDC-SHTR Turkey 19->133 135 19 other IPs or domains 19->135 83 C:\Users\...\qKjjmcCQIkQ2qH38krREnyUn.exe, PE32 19->83 dropped 85 C:\Users\...\krhH1Z0LN3IPSCDXrJhzTIUB.exe, PE32 19->85 dropped 87 C:\Users\...\ftRFuDK5mSYNQdTHNgXPZNqp.exe, PE32 19->87 dropped 89 135 other files (99 malicious) 19->89 dropped 175 Drops script or batch files to the startup folder 19->175 177 Creates HTML files with .exe extension (expired dropper behavior) 19->177 179 Writes many files with high entropy 19->179 30 I7LO01wZFST4rSDV3IhjqNzO.exe 19->30         started        35 8iG86h6MaDo3idjlpJUdn3ZG.exe 19->35         started        37 YQTRJ3s6Nk31SxZwj762UfRW.exe 19->37         started        41 7 other processes 19->41 39 conhost.exe 24->39         started        file7 signatures8 process9 dnsIp10 143 87.240.132.78 VKONTAKTE-SPB-AShttpvkcomRU Russian Federation 30->143 145 87.240.190.76 VKONTAKTE-SPB-AShttpvkcomRU Russian Federation 30->145 151 18 other IPs or domains 30->151 109 C:\Users\...\eBz57TYK1aPQ8KCMVo7al1iA.exe, PE32 30->109 dropped 111 C:\Users\...\KS6rJQgCE1p72Ftcrtjvq8Ym.exe, PE32 30->111 dropped 113 C:\Users\user\AppData\...\setup294[1].exe, PE32 30->113 dropped 121 15 other files (2 malicious) 30->121 dropped 155 Query firmware table information (likely to detect VMs) 30->155 157 Tries to detect sandboxes and other dynamic analysis tools (window names) 30->157 159 Creates HTML files with .exe extension (expired dropper behavior) 30->159 163 10 other signatures 30->163 147 107.167.110.218 OPERASOFTWAREUS United States 35->147 149 107.167.125.189 OPERASOFTWAREUS United States 35->149 153 4 other IPs or domains 35->153 115 C:\Users\user\AppData\Local\...\opera_package, PE32 35->115 dropped 117 Opera_105.0.4970.3...toupdate_x64[1].exe, PE32 35->117 dropped 123 5 other files (2 malicious) 35->123 dropped 161 Writes many files with high entropy 35->161 43 8iG86h6MaDo3idjlpJUdn3ZG.exe 35->43         started        46 Assistant_103.0.4928.25_Setup.exe_sfx.exe 35->46         started        48 8iG86h6MaDo3idjlpJUdn3ZG.exe 35->48         started        59 2 other processes 35->59 119 C:\Users\...\YQTRJ3s6Nk31SxZwj762UfRW.tmp, PE32 37->119 dropped 50 YQTRJ3s6Nk31SxZwj762UfRW.tmp 37->50         started        125 7 other files (none is malicious) 41->125 dropped 53 UPRLts84H6Bcf5HPk6vYw7rY.tmp 41->53         started        55 9GQsZaOlWvDoSPtkohA6D6mI.tmp 41->55         started        57 OuRMBE6tMeB0hhJL4CZTUbTK.tmp 41->57         started        61 4 other processes 41->61 file11 signatures12 process13 file14 95 24 other files (3 malicious) 43->95 dropped 63 8iG86h6MaDo3idjlpJUdn3ZG.exe 43->63         started        97 6 other files (none is malicious) 46->97 dropped 91 Opera_installer_2312100402011587460.dll, PE32 48->91 dropped 99 59 other files (2 malicious) 50->99 dropped 173 Uses schtasks.exe or at.exe to add and modify task schedules 50->173 66 net.exe 50->66         started        68 schtasks.exe 50->68         started        70 voiceassist.exe 50->70         started        72 voiceassist.exe 50->72         started        101 57 other files (2 malicious) 53->101 dropped 103 57 other files (2 malicious) 55->103 dropped 105 57 other files (2 malicious) 57->105 dropped 93 Opera_installer_2312100402018877584.dll, PE32 59->93 dropped 75 assistant_installer.exe 59->75         started        107 228 other files (7 malicious) 61->107 dropped signatures15 process16 dnsIp17 127 Opera_installer_2312100402039757844.dll, PE32 63->127 dropped 77 conhost.exe 66->77         started        79 net1.exe 66->79         started        81 conhost.exe 68->81         started        129 C:\ProgramData\SDVDSmart\SDVDSmart.exe, PE32 70->129 dropped 137 185.196.8.22 SIMPLECARRER2IT Switzerland 72->137 139 152.89.198.214 NEXTVISIONGB United Kingdom 72->139 141 2 other IPs or domains 72->141 file18 process19
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/7dc286e575fd2b37631065a72a1890faeb2186e4e4cbb0eefe6e4332a632c22a
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/7dc286e575fd2b37631065a72a1890faeb2186e4e4cbb0eefe6e4332a632c22a/
Threat name:
Win32.Trojan.Nekark
Create hunting rule
Status:
Malicious
First seen:
2023-12-10 04:01:05 UTC
File Type:
PE (.Net Exe)
Extracted files:
9
AV detection:
13 of 23 (56.52%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=pxbinzlv7uvtoyyqmwtsugeq7lvsdbxe4tf3b3x6nzbtfjrsyiva._file
Verdict:
malicious
Similar samples:
0acc5eca8860dc87070e066f3258296228439b35bdb9fbc02185fc861a97475f
Socks5Systemz
b7283eee6896c605fbaf0c06c8c39d0d7bb43df0fcec72e7d63873732cfd4f8e
Socks5Systemz
Result
Malware family:
privateloader
Create hunting rule
Score:
  10/10
Tags:
family:glupteba family:privateloader discovery dropper evasion loader ransomware spyware stealer themida trojan upx
Link:
https://tria.ge/reports/231210-ek72hsdee4/
Behaviour
Creates scheduled task(s)
Modifies data under HKEY_USERS
Modifies system certificate store
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
System policy modification
Enumerates physical storage devices
Drops file in Program Files directory
Launches sc.exe
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Checks installed software on the system
Checks whether UAC is enabled
Enumerates connected drives
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks BIOS information in registry
Checks computer location settings
Drops startup file
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Themida packer
UPX packed file
Windows security modification
Downloads MZ/PE file
Modifies Windows Firewall
Possible attempt to disable PatchGuard
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Modifies boot configuration data using bcdedit
Glupteba
Glupteba payload
PrivateLoader
UAC bypass
Windows security bypass
Unpacked files
SH256 hash:
7dc286e575fd2b37631065a72a1890faeb2186e4e4cbb0eefe6e4332a632c22a
MD5 hash:
16cf48bfa4e30eddf1d7393fc86e7716
SHA1 hash:
f790885dd26b066b5a9a32e0a333501f80c42d2c
Link:
https://www.unpac.me/results/c55d4d8d-a1cf-4de1-a4f0-553591f74801/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/7dc286e575fd/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/7dc286e575fd2b37631065a72a1890faeb2186e4e4cbb0eefe6e4332a632c22a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:pe_imphash
Create hunting rule
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Socks5Systemz

Executable exe 7dc286e575fd2b37631065a72a1890faeb2186e4e4cbb0eefe6e4332a632c22a

(this sample)

Socks5Systemz

Executable exe 7e0c24ca44f9b3802a53eeb2ef71a431bdfb2b9716432f66530f2ff9a3a5a47a

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/464147/
  
Dropping
SHA256 7e0c24ca44f9b3802a53eeb2ef71a431bdfb2b9716432f66530f2ff9a3a5a47a
  
Dropping
MD5 5886c6efc0fa319584654e6a81e5d485

Comments