MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8463f0c1e828afc585438c68123cc4b55628bc2ec18c58671e13f9439af31fe4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Socks5Systemz


Vendor detections: 12


Intelligence 12 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8463f0c1e828afc585438c68123cc4b55628bc2ec18c58671e13f9439af31fe4
SHA3-384 hash: c80a01be12fbf9ba762fd2ff032c79644e8c2f63394128a892021c970257a78b74090bf4ee76340ea73bed3a89dc8c09
SHA1 hash: cc221059563e9e8025805a42a9a46154feedd55d
MD5 hash: 25cb7192c8f7a3bfec2a4817f8552ca7
humanhash: london-louisiana-north-charlie
File name:25cb7192c8f7a3bfec2a4817f8552ca7.exe
Download: download sample
Signature Socks5Systemz
Create hunting rule
File size:2'320'643 bytes
First seen:2024-03-23 13:35:22 UTC
Last seen:2024-03-23 15:35:51 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 884310b1928934402ea6fec1dbd3cf5e (3'725 x GCleaner, 3'459 x Socks5Systemz, 262 x RaccoonStealer)
ssdeep 49152:32mFbq6TKK/DUgI/Guo+HoJ7P7Ea2ieZl53e7D:m+b1TKqqGXkopP2iex3c
Threatray 102 similar samples on MalwareBazaar
TLSH T133B533C2AF660274F4159BB44D24532282563A321C7A7D493DDF9F0E8F2F83968877CA
TrID 76.2% (.EXE) Inno Setup installer (107240/4/30)
10.0% (.EXE) Win32 Executable Delphi generic (14182/79/4)
4.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.2% (.EXE) Win32 Executable (generic) (4504/4/1)
1.4% (.EXE) Win16/32 Executable Delphi generic (2072/23)
File icon (PE):PE icon
dhash icon b298acbab2ca7a72 (2'327 x GCleaner, 1'631 x Socks5Systemz, 67 x RedLineStealer)
Reporter abuse_ch
Tags:exe Socks5Systemz


Avatar
abuse_ch
Socks5Systemz C2:
45.142.214.240:80

Intelligence

File Origin
# of uploads :
2
# of downloads :
363
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
8463f0c1e828afc585438c68123cc4b55628bc2ec18c58671e13f9439af31fe4.exe
Verdict:
Malicious activity
Analysis date:
2024-03-23 13:37:27 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/41fc375c-c824-41bb-8341-d237d1de06b1

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% subdirectories
Creating a window
Creating a process from a recently created file
Сreating synchronization primitives
Creating a file
Moving a recently created file
Modifying a system file
Creating a service
Enabling autorun for a service
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
fingerprint installer lolbin overlay packed shell32
Link:
https://www.filescan.io/uploads/65fedac5b81a555db48c088d/reports/9c2defc0-dedc-477e-a329-ff5e40fa83ea/overview
Verdict:
Suspicious
Labled as:
HEUR/AGEN.1372994
Link:
https://www.hybrid-analysis.com/sample/8463f0c1e828afc585438c68123cc4b55628bc2ec18c58671e13f9439af31fe4
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/75780a15-34b5-495f-b749-22e89d5a531a
Result
Threat name:
Socks5Systemz
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1414470
Signature
Antivirus / Scanner detection for submitted sample
C2 URLs / IPs found in malware configuration
Contains functionality to infect the boot sector
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Machine Learning detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected Socks5Systemz
Behaviour
Behavior Graph:
Download SVG
Score:
19%
Verdict:
Benign
File Type:
PE
Link:
https://malprob.io/report/8463f0c1e828afc585438c68123cc4b55628bc2ec18c58671e13f9439af31fe4
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8463f0c1e828afc585438c68123cc4b55628bc2ec18c58671e13f9439af31fe4/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=qrr7bqpifcx4lbkdrrubepgewvlcrpboyggfqzy6cp4uhgxtd7sa._file
Verdict:
malicious
Similar samples:
13054d2dd86e9d9b7920a0172e9b40ee0409f4e21412ace7ce16160394b6e87d
Socks5Systemz
2464d67372e48f904f6061bad144f67b49c1918870d0343eb9b94479e10d1ef8
Socks5Systemz
41105bfdb5af989cd5d636fcb77ef49f97d25d525aa2bdc35d95e1b0a46e8b60
Socks5Systemz
5a78266d2c6a7597e5e85538a6fb9c8e2e019db2d25818d36c0ff7a9b53a43bc
Socks5Systemz
8463f0c1e828afc585438c68123cc4b55628bc2ec18c58671e13f9439af31fe4
Socks5Systemz
9ac0360dc962bbce1c4c8a5b45df41f113acbdcbaa2debdc051f704b955a21fd
Socks5Systemz
b42c724af5c05849434bb0c34cabbd138201a7f6b6b56faadbc150885cfd0a2e
Socks5Systemz
ff81ebb631def33459e576f7af0204392e5545209a1d3ac262eeb7b185d61c75
Socks5Systemz
+ 92 additional samples on MalwareBazaar
Result
Malware family:
socks5systemz
Create hunting rule
Score:
  10/10
Tags:
family:socks5systemz botnet discovery
Link:
https://tria.ge/reports/240323-qv8lksba3z/
Behaviour
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Checks installed software on the system
Executes dropped EXE
Loads dropped DLL
Unexpected DNS network traffic destination
Detect Socks5Systemz Payload
Socks5Systemz
Malware Config
C2 Extraction:
http://aiisbpm.ru/search/?q=67e28dd8690cfb204406a51a7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa49e8889b5e4fa9281ae978fe71ea771795af8e05c642db22f31df92d8b38e316a667d307eca743ec4c2b07b52966923a668cff10c0ed9c
http://aiisbpm.ru/search/?q=67e28dd8690cfb204406a51a7c27d78406abdd88be4b12eab517aa5c96bd86e993864d865a8bbc896c58e713bc90c91c36b5281fc235a925ed3e5dd6bd974a95129070b611e96cc92be20ea778c255bbe258b90d3b4eed3233d1626a8ff810c1ed959b3bcf66
http://bvdvdji.com/search/?q=67e28dd86e58a42e450ca94d7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ee8889b5e4fa9281ae978f671ea771795af8e05c642db22f31dfe339426fa11af66c152adb719a9577e55b8603e983a608ffe13c0ee959939
Unpacked files
SH256 hash:
590beff18e862e27b2fb92dd65170297c6e6646c960cf6e742dcb8a0fa8c7988
MD5 hash:
e2996dff751f9eb7ed4bd1c4d86b33d6
SHA1 hash:
ed3a1dd17478d510619dcbe01cc138cdd02e3103
Link:
https://www.unpac.me/results/873da4b4-07f1-4c9b-8741-687b04df37e1/
SH256 hash:
86c58abc8028060760323a6ba9b04857e43eb0179f385ed4be49b9fe4b226f01
MD5 hash:
363bb078f3d6470aa393f35104e42bf5
SHA1 hash:
44c24707a6698b54127525f29d8b2bf7b0686418
Detections:
Socks5Systemz
Create hunting rule
Link:
https://www.unpac.me/results/873da4b4-07f1-4c9b-8741-687b04df37e1/
Parent samples :
5a78266d2c6a7597e5e85538a6fb9c8e2e019db2d25818d36c0ff7a9b53a43bc
ff81ebb631def33459e576f7af0204392e5545209a1d3ac262eeb7b185d61c75
9ac0360dc962bbce1c4c8a5b45df41f113acbdcbaa2debdc051f704b955a21fd
2464d67372e48f904f6061bad144f67b49c1918870d0343eb9b94479e10d1ef8
e8b1799f8065a7438b8bf111c22f20fbd6f1fdc02db8be75fceb43e76c497036
52d872fa305b5712fa9b1e25e7d9a514f711e7b1b81ab97fed157af41306201d
41105bfdb5af989cd5d636fcb77ef49f97d25d525aa2bdc35d95e1b0a46e8b60
8c06eb60b0a4cb9ed906a3a8648b7096e5a024f0d3335910c674dff1dd6ba2d9
13054d2dd86e9d9b7920a0172e9b40ee0409f4e21412ace7ce16160394b6e87d
b42c724af5c05849434bb0c34cabbd138201a7f6b6b56faadbc150885cfd0a2e
54a7785ee23bf5aabf61e909cd849e0b1649dccb6edca691fba411e7f36774a4
1ba1766362edbe760510aba2daa552624058f0dbd7f4e426c8801bd876b915d6
8463f0c1e828afc585438c68123cc4b55628bc2ec18c58671e13f9439af31fe4
45d3e2a90ffe10319fe19d04af1fbe783101c3be4841710e506ac84d0e882d07
2b6d8240ec9d04c86a70334f9d04d47188a8962d7cccfe1553ba6e9e77040518
25d5acd334f0d498f7cfef39cfb04259b6f1c0bc066b39bb4f1da85a4a4388c3
69361a92cd9421f08dcc2ca90ebe17e4ec2a261491d0fd2d22c801a764d2b58c
6b0db00703abd4a4e5d245e6c70b7678b0d9e6cd14171399b0110be37550f37c
e3afcc20063477edea06d401bc38833b8df4b3d17e44587ae2e0824a86fe60be
bb618cb84a1343d5f90e5cf6073dd9b151d902433e7198ed54748b6b7efcf503
a8757a8ee40ba6cb4339d00a2e92c6783779fa6363ec433b28e10612fe8fc14a
836667ded6e8f83458c66a5075847c9f041e3f40c25de5040a27233d99a69a25
53ea16c0c1a0feae0e1a6e50f2f180496660c0955a6763fb5429ff7204223122
5e00b8843a33d3dd8cc77eaaa1b4a8350182d639a8ce83575946b3786b356dfb
d3eed14b62ecea9cde96248df1c2d216c004c62c6e80287da6bd0b7d09952e09
cb8f045facd1167c5f65844bfc78f3facf57ed4c82cb9aaea9342d2666feba2f
3face14fa194ab9f0e7a534ed938a0d6c5ad0529017b968c9cff394400f80e89
9f03088fe6d06a375fcfeefb08d11cedf5b8865ddd29ec5e593309555c55d0e8
8043a47e47ea42b33eed0ae655867be63019613790a1c190c9914f80f3d7cfa1
1da9d783b64f9f770751e2f828ac9a1fa065ddd02fc801cc7e6526caa7f0b99a
33bcf3678845e17212de90f21b0cc8f8aaa237849ba1ad908b6783d7b6dd7857
8f5985b7574b66aea72acda2413599036634d1dd0586ff4135f03c0fe7d9bdec
deecc4ccd39de5b02eded282e5759890d9346ab1dc801f8cc7e9d317e06d27d3
7b39e82fb9d362745831c9ae998300cdd2e1e0337cfbafd22965457902751fa2
628151552bded4ac5af3103d00cb0f47737a9f6b6e4276f711de9cb26864e9ce
SH256 hash:
a81e2126dfe3bf7435935c60556f0756248a8f1b8b24644b6e7ac72f9235b333
MD5 hash:
7516baf4187f54d8b90dfc60f0bbdd9f
SHA1 hash:
fd58d125f449bc8dc1e7a8bbac55326deff3664a
Detections:
INDICATOR_EXE_Packed_VMProtect
Create hunting rule
Link:
https://www.unpac.me/results/873da4b4-07f1-4c9b-8741-687b04df37e1/
SH256 hash:
44b8e6a310564338968158a1ed88c8535dece20acb06c5e22d87953c261dfed0
MD5 hash:
9c8886759e736d3f27674e0fff63d40a
SHA1 hash:
ceff6a7b106c3262d9e8496d2ab319821b100541
Link:
https://www.unpac.me/results/873da4b4-07f1-4c9b-8741-687b04df37e1/
SH256 hash:
4dc09bac0613590f1fac8771d18af5be25a1e1cb8fdbf4031aa364f3057e74a2
MD5 hash:
0ee914c6f0bb93996c75941e1ad629c6
SHA1 hash:
12e2cb05506ee3e82046c41510f39a258a5e5549
Link:
https://www.unpac.me/results/873da4b4-07f1-4c9b-8741-687b04df37e1/
SH256 hash:
a4c86fc4836ac728d7bd96e7915090fd59521a9e74f1d06ef8e5a47c8695fd81
MD5 hash:
4ff75f505fddcc6a9ae62216446205d9
SHA1 hash:
efe32d504ce72f32e92dcf01aa2752b04d81a342
Link:
https://www.unpac.me/results/873da4b4-07f1-4c9b-8741-687b04df37e1/
SH256 hash:
2bb0b0a7516eedc42a62df6bd55f57049c8820ff2e75cea750a41bc1e8bf1994
MD5 hash:
81eb7219b6200e54685dd74658a8361d
SHA1 hash:
5d39da69cf116fd3da4166b8b53e556c2ec5ee36
Link:
https://www.unpac.me/results/873da4b4-07f1-4c9b-8741-687b04df37e1/
SH256 hash:
8463f0c1e828afc585438c68123cc4b55628bc2ec18c58671e13f9439af31fe4
MD5 hash:
25cb7192c8f7a3bfec2a4817f8552ca7
SHA1 hash:
cc221059563e9e8025805a42a9a46154feedd55d
Link:
https://www.unpac.me/results/873da4b4-07f1-4c9b-8741-687b04df37e1/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/8463f0c1e828afc585438c68123cc4b55628bc2ec18c58671e13f9439af31fe4

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_VMProtect
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with VMProtect.
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Socks5Systemz

Executable exe 8463f0c1e828afc585438c68123cc4b55628bc2ec18c58671e13f9439af31fe4

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2787069/
  
Delivery method
Distributed via web download

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
CHECK_NXMissing Non-Executable Memory Protectioncritical
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh
Reviews
IDCapabilitiesEvidence
SECURITY_BASE_APIUses Security Base APIadvapi32.dll::AdjustTokenPrivileges
WIN32_PROCESS_APICan Create Process and Threadskernel32.dll::CreateProcessA
advapi32.dll::OpenProcessToken
kernel32.dll::CloseHandle
WIN_BASE_APIUses Win Base APIkernel32.dll::LoadLibraryA
kernel32.dll::GetSystemInfo
kernel32.dll::GetCommandLineA
WIN_BASE_IO_APICan Create Fileskernel32.dll::CreateDirectoryA
kernel32.dll::CreateFileA
kernel32.dll::DeleteFileA
kernel32.dll::GetWindowsDirectoryA
kernel32.dll::GetFileAttributesA
kernel32.dll::RemoveDirectoryA
WIN_BASE_USER_APIRetrieves Account Informationadvapi32.dll::LookupPrivilegeValueA
WIN_REG_APICan Manipulate Windows Registryadvapi32.dll::RegOpenKeyExA
advapi32.dll::RegQueryValueExA
WIN_USER_APIPerforms GUI Actionsuser32.dll::PeekMessageA
user32.dll::CreateWindowExA

Comments