MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8ebf7fcb9d444aa84cf533dcab54c97c6699248596c61ea911bc91b06a304611. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SHA256 hash:	8ebf7fcb9d444aa84cf533dcab54c97c6699248596c61ea911bc91b06a304611
SHA3-384 hash:	970ae050bcb2bc6053d60f04c8d475062f8f259d4068e58a3194eae988bc22360bc9717849dff6b98bb9d8b8255d04c0
SHA1 hash:	87da36980352aaab14f05b789fb347626dcf515a
MD5 hash:	41c97a2248af8133a2f4b655e4177281
humanhash:	sad-burger-river-maine
File name:	SecuriteInfo.com.Trojan-Dropper.Win32.Agent.26646.24282
Download:	download sample
Signature	Socks5Systemz Alert Create hunting rule
File size:	7'415'639 bytes
First seen:	2023-12-16 18:30:26 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	884310b1928934402ea6fec1dbd3cf5e (3'725 x GCleaner, 3'507 x Socks5Systemz, 262 x RaccoonStealer)
ssdeep	196608:DEmC0veCyzfTNSSjaUnPvacdw0tm6nkLUDaUNd4w3H3fz5AxAzj:AFTgSjLXac6l63mU/4WH375Aqzj
Threatray	5'718 similar samples on MalwareBazaar
TLSH	T1717633C70A28463DC6EA77738B13D921BB6179D69F2A5496C4CF9F4B3734340A04B7A2
TrID	76.2% (.EXE) Inno Setup installer (107240/4/30) 10.0% (.EXE) Win32 Executable Delphi generic (14182/79/4) 4.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 3.2% (.EXE) Win32 Executable (generic) (4505/5/1) 1.4% (.EXE) Win16/32 Executable Delphi generic (2072/23)
File icon (PE):
dhash icon	b298acbab2ca7a72 (2'327 x GCleaner, 1'631 x Socks5Systemz, 67 x RedLineStealer)
Reporter	SecuriteInfoCom
Tags:	exe Socks5Systemz

Intelligence

---

File Origin

# of uploads :

1

# of downloads :

289

Origin country :

FR

Vendor Threat Intelligence

CAPE Sandbox

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/468096/

ClamAV Detected

Detection(s):

SecuriteInfo.com.Trojan-Dropper.Win32.Agent.26646.24282.UNOFFICIAL

Alert

Create hunting rule

Dr. Web vxCube Malware

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file in the %temp% subdirectories

Creating a window

Creating a process from a recently created file

Сreating synchronization primitives

Searching for the window

Searching for synchronization primitives

Creating a file in the Program Files subdirectories

Moving a file to the Program Files subdirectory

Modifying a system file

Creating a file

Creating a service

Sending a custom TCP request

Enabling autorun for a service

FileScan.IO Suspicious

Verdict:

Suspicious

Threat level:

  5/10

Confidence:

100%

Tags:

control installer lolbin overlay packed shell32

Link:

https://www.filescan.io/uploads/657decf1ffafd83ebc91d63b/reports/de65c0c8-872c-4d99-922b-6b534e37bd5f/overview

Hybrid Analysis HEUR/AGEN.1332570

Verdict:

Suspicious

Labled as:

HEUR/AGEN.1332570

Link:

https://www.hybrid-analysis.com/sample/8ebf7fcb9d444aa84cf533dcab54c97c6699248596c61ea911bc91b06a304611

InQuest MALICIOUS

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Intezer Suspicious

Verdict:

Suspicious

Link:

https://analyze.intezer.com/analyses/2cca552b-e228-42cf-9300-8a346bcd0007

Joe Sandbox Petite Virus, Socks5Systemz

Result

Threat name:

Petite Virus, Socks5Systemz

Alert

Create hunting rule

Detection:

malicious

Classification:

troj.evad

Score:

96 / 100

Link:

https://www.joesandbox.com/analysis/1363477

Signature

Antivirus / Scanner detection for submitted sample

Contains functionality to infect the boot sector

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

PE file has nameless sections

Snort IDS alert for network traffic

Yara detected Petite Virus

Yara detected Socks5Systemz

Behaviour

Behavior Graph:

Download SVG

Nucleon Malprob Malware

Score:

89%

Verdict:

Malware

File Type:

PE

Link:

https://malprob.io/report/8ebf7fcb9d444aa84cf533dcab54c97c6699248596c61ea911bc91b06a304611

CERT.PL MWDB

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/8ebf7fcb9d444aa84cf533dcab54c97c6699248596c61ea911bc91b06a304611/

ReversingLabs TitaniumCloud Win32.Trojan.Generic

Threat name:

Win32.Trojan.Generic

Alert

Create hunting rule

Status:

Malicious

First seen:

2023-12-16 18:31:12 UTC

File Type:

PE (Exe)

Extracted files:

5

AV detection:

10 of 23 (43.48%)

Threat level:

  2/5

Spamhaus Hash Blocklist Suspicious file

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=r27x7s45irfkqthvgpokwvgjprtjsjefs3db5kirxsi3a2rqiyiq._file

Threatray suspicious

Verdict:

suspicious

Similar samples:

0346b3f5bcb18dc9d6406ada3edf3f31acd99abbe72e214ac84c8b8b47bfc97d

Socks5Systemz

53b6054838a9e7503580604b8c222d9b3bb80068ce98107864df9bd33f9df43c

Socks5Systemz

5c1da2ce38eeabe2446e5a2a307375d9347d1c8fad889a66e20557d56a462c08

Socks5Systemz

6db49853ddae2f0cf79ac88e80016b97abb0b77f571409780888b8f6e624bc9e

Socks5Systemz

7bb6037c523bd02645d27f2c0c1064208d46589bdce89a7e6539687aa70c5117

Socks5Systemz

838e77f8eccdad19dbb7dbce3efaa028ca5279bcc6105918cdb2666b78b1bc80

Socks5Systemz

92f99236d73d01014771b60c8ee4f23c8ae999c8a576ab1b9a0f4e894841722b

Socks5Systemz

9c138b6d0a7b54d3bd5df90a625415aa5f7b343e21dcef65727a6fbe3afe12f9

Socks5Systemz

cebb8a7897a0cf0c259cf3d61492d7ce31d5409e49d89fbc093d37a3d6327261

Socks5Systemz

fef27f6e75c7b46bd160664e0c4d23454c41619b371c199d5c9341eac5eb020f

Socks5Systemz

+ 5'708 additional samples on MalwareBazaar

Hatching Triage Suspicious

Result

Malware family:

n/a

Score:

  7/10

Tags:

discovery

Link:

https://tria.ge/reports/231216-w532qsdhc6/

Behaviour

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Drops file in Program Files directory

Checks installed software on the system

Executes dropped EXE

Loads dropped DLL

Unexpected DNS network traffic destination

UnpacMe INDICATOR_EXE_Packed_VMProtect

Unpacked files

SH256 hash:

bfe1ab607dfba71517a995a31be6628c8673dc723660804fd30f374d3989359c

MD5 hash:

e82f019ab3c2e83c05abd197c7912003

SHA1 hash:

a705c9f56bc7d7d0c6591d23337d89fdbabce756

Link:

https://www.unpac.me/results/006a2d36-ac9e-42bc-b82e-cabc7c810a5e/

SH256 hash:

6d62cad9e0c25b1ad0fe2cfb610b9ff62089f742abf03ff93501147e08b1ddd3

MD5 hash:

d6067a28ac4dad4afa63a10245cf9ea8

SHA1 hash:

68bc157ee8302e16af2873b284ed1a52778a7572

Detections:

INDICATOR_EXE_Packed_VMProtect

Alert

Create hunting rule

Link:

https://www.unpac.me/results/006a2d36-ac9e-42bc-b82e-cabc7c810a5e/

Parent samples :

5c1da2ce38eeabe2446e5a2a307375d9347d1c8fad889a66e20557d56a462c08
8ebf7fcb9d444aa84cf533dcab54c97c6699248596c61ea911bc91b06a304611
838e77f8eccdad19dbb7dbce3efaa028ca5279bcc6105918cdb2666b78b1bc80

SH256 hash:

67fc1edd2adc49516b9a0d25e49fc53a2c2ec97b53d13c60eeda76a219244366

MD5 hash:

20a34c1d79cf4ab33c502ab1117f0125

SHA1 hash:

6f5e7a94f2136dbbae295e57f577e017cf0137c1

Link:

https://www.unpac.me/results/006a2d36-ac9e-42bc-b82e-cabc7c810a5e/

SH256 hash:

084c442a1b22652b3c9d891564c38da3f2e56abcb1d9a4f4c669103bb80741df

MD5 hash:

8f5ac058e247e4064fd267a612138cfa

SHA1 hash:

2ff230f48db1c2ec0878c7c2bd13061466d00849

Link:

https://www.unpac.me/results/006a2d36-ac9e-42bc-b82e-cabc7c810a5e/

SH256 hash:

8ebf7fcb9d444aa84cf533dcab54c97c6699248596c61ea911bc91b06a304611

MD5 hash:

41c97a2248af8133a2f4b655e4177281

SHA1 hash:

87da36980352aaab14f05b789fb347626dcf515a

Link:

https://www.unpac.me/results/006a2d36-ac9e-42bc-b82e-cabc7c810a5e/

VirusTotal

Please note that we are no longer able to provide a coverage score for Virus Total.

YOROI YOMI Malicious File

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/8ebf7fcb9d444aa84cf533dcab54c97c6699248596c61ea911bc91b06a304611

File information

---

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/468096/