MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8f737c9a7348b1af13d7ce183b6ee8b59e2fc87e67667a091d5a936529c0d054. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Socks5Systemz


Vendor detections: 16


Intelligence 16 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8f737c9a7348b1af13d7ce183b6ee8b59e2fc87e67667a091d5a936529c0d054
SHA3-384 hash: b0970365acd81c8830970fe5395b939f2d61b38ed2a361d2c8270beaffbb22b0462dcf4bbc621a2d6b99a7d5aa04b64c
SHA1 hash: 47835c212da3c00a661ed30c27ba29367feb94f1
MD5 hash: 3b5aeb4197a7a44a6f2a23c3f33c4103
humanhash: enemy-bravo-lake-tennis
File name:file
Download: download sample
Signature Socks5Systemz
Create hunting rule
File size:3'470'331 bytes
First seen:2025-10-12 04:00:40 UTC
Last seen:2025-10-12 04:07:35 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 884310b1928934402ea6fec1dbd3cf5e (3'725 x GCleaner, 3'446 x Socks5Systemz, 262 x RaccoonStealer)
ssdeep 98304:IsyKNC1aEUm6nbG3YGzaYn7DPXiyepNHyfeaB+N:5PtE6nbkYGOY3aVHy/gN
Threatray 51 similar samples on MalwareBazaar
TLSH T12FF5335317E011B4E1287E7C4E057A7018EB391D1F371B9C766E9DBEADDB821A218B8C
TrID 76.2% (.EXE) Inno Setup installer (107240/4/30)
10.0% (.EXE) Win32 Executable Delphi generic (14182/79/4)
4.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.2% (.EXE) Win32 Executable (generic) (4504/4/1)
1.4% (.EXE) Win16/32 Executable Delphi generic (2072/23)
Magika pebin
Reporter Bitsight
Tags:dropped-by-amadey exe Socks5Systemz


Avatar
Bitsight
url: http://178.16.55.189/files/7782139129/LTT9bLQ.exe

Intelligence

File Origin
# of uploads :
4
# of downloads :
82
Origin country :
US US
Vendor Threat Intelligence
Malware family:
amadey
Create hunting rule
ID:
1
File name:
_5f29a44082777948c77009b37df18b6a8f16233115bc0efc269db93b73955c39.exe
Verdict:
Malicious activity
Analysis date:
2025-10-12 02:46:26 UTC
Tags:
auto amadey botnet stealer redline loader vidar themida unlocker-eject tool generic rdp arch-exec gcleaner darkvision remote evasion telegram github banker grandoreiro stealc miner pastebin anti-evasion winring0-sys vuln-driver ms-smartcard xworm rustystealer purecrypter autoit phishing silentcryptominer
Link:
https://app.any.run/tasks/d35adfd8-f1ee-47ee-81a1-28cf0a0b6830

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Socks5Systemz
Create hunting rule
Link:
https://www.capesandbox.com/analysis/32453/
Detection(s):
no reply from clamd
Create hunting rule

Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68eb2813777ae46bec41bb3f
Tags:
dropper virus sage
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a window
Creating a process from a recently created file
Сreating synchronization primitives
Searching for the window
Searching for synchronization primitives
Creating a file
Moving a recently created file
Creating a service
Sending a custom TCP request
Enabling autorun for a service
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
adaptive-context borland_delphi crypt fingerprint innosetup installer overlay packed unsafe
Link:
https://www.filescan.io/uploads/68eb280271883144ef3250ed/reports/fd135598-915e-426d-b21b-399e00b453cf/overview
Verdict:
Malicious
Labled as:
Adware.Popwina.fbjv/PSY
Link:
https://www.hybrid-analysis.com/sample/8f737c9a7348b1af13d7ce183b6ee8b59e2fc87e67667a091d5a936529c0d054
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-10-12T00:37:00Z UTC
Last seen:
2025-10-12T17:08:00Z UTC
Hits:
~100
Detections:
Trojan-Proxy.Win32.Sok5Syz.sb Trojan.Win32.Ekstak.sb Trojan-Proxy.Win32.Sok5Syz.uu PDM:Trojan.Win32.Generic
Link:
https://opentip.kaspersky.com/8f737c9a7348b1af13d7ce183b6ee8b59e2fc87e67667a091d5a936529c0d054/results?tab=lookup
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/9d7da2e6-06dc-4eb1-805e-a8f0551e8935
Score:
81%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/8f737c9a7348b1af13d7ce183b6ee8b59e2fc87e67667a091d5a936529c0d054
Verdict:
inconclusive
YARA:
4 match(es)
Tags:
Executable PE (Portable Executable) PE File Layout Win 32 Exe x86
Link:
https://app.malva.re/file/3b5aeb4197a7a44a6f2a23c3f33c4103
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8f737c9a7348b1af13d7ce183b6ee8b59e2fc87e67667a091d5a936529c0d054/
Verdict:
Malicious
Threat:
Family.SOCKS5SYSTEMZ
Link:
https://tip.neiki.dev/file/8f737c9a7348b1af13d7ce183b6ee8b59e2fc87e67667a091d5a936529c0d054
Threat name:
Win32.Trojan.Egairtigado
Create hunting rule
Status:
Malicious
First seen:
2025-10-12 03:06:17 UTC
File Type:
PE (Exe)
Extracted files:
6
AV detection:
17 of 24 (70.83%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=r5zxzgttjcy26e6xzymdw3xiwwpc7sd6m5thuci5lkjwkkoa2bka._file
Verdict:
malicious
Label(s):
golddragon
Create hunting rule
socks5systemz
Create hunting rule
Similar samples:
051e3b65ed37e56bf45b35f53882802ec2688e4838a4f93dcf4678c91dc2b403
Socks5Systemz
1a9b15b402ffd9217971c2d7f3512ec7a969396a6f985f8ca30160795d25acae
Socks5Systemz
2f7d3121a43c63b018cbe92b3d7ec67514a4d546401bfb18991a9dd4c65fd542
Socks5Systemz
5697c7ecb77bccbd4593b3982f2cd01e9c5806f10675d579e6a7246b615a68cf
Socks5Systemz
56c381e2151053582a1f4b1da362d4afaf919c9c57285a962a77d6c48fb04557
Socks5Systemz
5b3b428c2625b3c8278b9b3a1d14002ef4760df42439db17efd3576ae952c6ca
Socks5Systemz
842d61ed21afe2d22b07a221ba1bdf146a70834f715c68d162f50f3f3de506e5
Socks5Systemz
87b0e249216a95c0885f59fd6e4bcc27e563e283a2e07c9f98916b5504bdfd04
Socks5Systemz
error
Socks5Systemz
+ 41 additional samples on MalwareBazaar
Result
Malware family:
socks5systemz
Create hunting rule
Score:
  10/10
Tags:
family:socks5systemz botnet discovery
Link:
https://tria.ge/reports/251012-ek72hsykw9/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
Checks installed software on the system
Executes dropped EXE
Loads dropped DLL
Detect Socks5Systemz Payload
Socks5Systemz
Socks5systemz family
Verdict:
Unknown
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/8c777c5a-1813-4cb1-a4c3-9559d3f1fa84
Unpacked files
SH256 hash:
8f737c9a7348b1af13d7ce183b6ee8b59e2fc87e67667a091d5a936529c0d054
MD5 hash:
3b5aeb4197a7a44a6f2a23c3f33c4103
SHA1 hash:
47835c212da3c00a661ed30c27ba29367feb94f1
Link:
https://www.unpac.me/results/95b2856d-de25-46e1-b7d0-2bfec66f6cd5/
SH256 hash:
469072eace4f348ee343429ecd043ecc849cb3d87bed64019b1e9e95dbad45bf
MD5 hash:
e811042d72315c8060f28241a069b157
SHA1 hash:
16e4b6bd3e712b77bc8a6c9f56b134724ca9c1d4
Link:
https://www.unpac.me/results/95b2856d-de25-46e1-b7d0-2bfec66f6cd5/
SH256 hash:
402d82a1ef793e57034dd047f80d14cacc89934eb15902eb93c012322caa8908
MD5 hash:
5fd5c5f1ab7652f750704b1a24117647
SHA1 hash:
74d2363db47af8c5569fea8b021e02b484b4097c
Link:
https://www.unpac.me/results/95b2856d-de25-46e1-b7d0-2bfec66f6cd5/
SH256 hash:
44b8e6a310564338968158a1ed88c8535dece20acb06c5e22d87953c261dfed0
MD5 hash:
9c8886759e736d3f27674e0fff63d40a
SHA1 hash:
ceff6a7b106c3262d9e8496d2ab319821b100541
Link:
https://www.unpac.me/results/95b2856d-de25-46e1-b7d0-2bfec66f6cd5/
SH256 hash:
c4fce51b2f2ed4e903180538388c1441f066fe4485158f939384b686dbef097b
MD5 hash:
1bf2588db2ca1ea92ea219923207a94f
SHA1 hash:
334fd96ef60a7e7ee271b81a6c1005fca1f8dccb
Link:
https://www.unpac.me/results/95b2856d-de25-46e1-b7d0-2bfec66f6cd5/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/8f737c9a7348b1af13d7ce183b6ee8b59e2fc87e67667a091d5a936529c0d054

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:FreddyBearDropper
Create hunting rule
Author:Dwarozh Hoshiar
Description:Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:ScanStringsInsocks5systemz
Create hunting rule
Author:Byambaa@pubcert.mn
Description:Scans presence of the found strings using the in-house brute force method
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Socks5Systemz

Executable exe 8f737c9a7348b1af13d7ce183b6ee8b59e2fc87e67667a091d5a936529c0d054

(this sample)

  
Dropped by
Amadey
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/32453/
  
URLhaus
https://urlhaus.abuse.ch/url/3669258/

Comments