MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 97f2f45e34af3ae26a7c14c51e111b48c98eef5a2bae1fafd45df5a0c3f46bee. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Socks5Systemz

Vendor detections: 14

Intelligence 14 IOCs YARA 3 File information Comments

SHA256 hash:	97f2f45e34af3ae26a7c14c51e111b48c98eef5a2bae1fafd45df5a0c3f46bee
SHA3-384 hash:	8e0c81d6aa8c972d79239f554cb9bf4446b9b4b64e9d3bb722e0399e39cf029f9996e2a5d3fe2ceaf09b7d7795dee53a
SHA1 hash:	45e340a5fc19cd6e52559d2e32feda26d2395ee7
MD5 hash:	e639f2fc1ae9d9fcf45b9689a17dc74f
humanhash:	mirror-nine-sink-jupiter
File name:	e639f2fc1ae9d9fcf45b9689a17dc74f.exe
Download:	download sample
Signature	Socks5Systemz Create hunting rule
File size:	4'911'771 bytes
First seen:	2024-06-08 20:50:07 UTC
Last seen:	2024-06-08 21:42:41 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	884310b1928934402ea6fec1dbd3cf5e (3'725 x GCleaner, 3'455 x Socks5Systemz, 262 x RaccoonStealer)
ssdeep	98304:mPLOJy7HDtrWP4dAiMJvr2iBCoTyryphCWjk5vQaHjOJ6:OLOw7HD5WgZitphCsLaDOA
Threatray	349 similar samples on MalwareBazaar
TLSH	T158363329CAE09D76E062FCF1DE64AAE134359D441271347C72EDDFCACEA164A8786313
TrID	76.2% (.EXE) Inno Setup installer (107240/4/30) 10.0% (.EXE) Win32 Executable Delphi generic (14182/79/4) 4.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 3.2% (.EXE) Win32 Executable (generic) (4504/4/1) 1.4% (.EXE) Win16/32 Executable Delphi generic (2072/23)
File icon (PE):
dhash icon	b298acbab2ca7a72 (2'327 x GCleaner, 1'631 x Socks5Systemz, 67 x RedLineStealer)
Reporter	abuse_ch
Tags:	exe Socks5Systemz

abuse_ch

Socks5Systemz C2:
93.123.39.193:80

Intelligence

File Origin

# of uploads :

# of downloads :

462

Origin country :

Vendor Threat Intelligence

Detection(s):

SecuriteInfo.com.Adware.PCCleaner.B.UNOFFICIAL

Verdict:

Malicious

Score:

93.3%

Link:

https://cyber-fortress.com/docs/result/index.php?id=666702a4a439c6d6b08743d5win7simulatehigh_evasion

Tags:

Encryption Stealth Heur

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file in the %temp% subdirectories

Creating a window

Creating a process from a recently created file

Сreating synchronization primitives

Searching for the window

Searching for synchronization primitives

Creating a file

Moving a recently created file

Modifying a system file

Creating a service

Enabling autorun for a service

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

borland_delphi fingerprint installer lolbin overlay packed shell32

Link:

https://www.filescan.io/uploads/6664c4396b8dba248b3e7d77/reports/8a81f6ed-0154-48f6-baa2-002294da7f2b/overview

Verdict:

Unknown

Link:

https://www.hybrid-analysis.com/sample/97f2f45e34af3ae26a7c14c51e111b48c98eef5a2bae1fafd45df5a0c3f46bee

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/0d03b69a-cf55-4f2d-9cab-51abcc620604

Result

Threat name:

Socks5Systemz

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1454103

Signature

AI detected suspicious sample

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

C2 URLs / IPs found in malware configuration

Contains functionality to infect the boot sector

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Machine Learning detection for dropped file

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Yara detected Socks5Systemz

Behaviour

Behavior Graph:

Download SVG

Score:

84%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/97f2f45e34af3ae26a7c14c51e111b48c98eef5a2bae1fafd45df5a0c3f46bee

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/97f2f45e34af3ae26a7c14c51e111b48c98eef5a2bae1fafd45df5a0c3f46bee/

Threat name:

Win32.Trojan.Generic

Status:

Malicious

First seen:

2024-06-08 20:51:07 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

11 of 24 (45.83%)

Threat level:

2/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=s7zpixruv45oe2t4ctcr4ei3jdey5322foxb7l6ulx22bq7unpxa._file

Verdict:

malicious

Socks5Systemz

320c1e989f4abc710021c34d0544588c487aa4d210a04942cebcbe1db0f777c1

Socks5Systemz

3ac649efec98618189a42456ee70029e75c7fcbafc1ccee4e2cd54c8be0f5ce9

Socks5Systemz

7aa2680b83656ff7cbfe453c3b0e9b874cbe9b8b0d19ff26317b35672f8405d6

Socks5Systemz

99d02207061f8cd1bb41dfc5ce4891f5913bdf35498e043c7d8c2b9ceee2c00b

Socks5Systemz

9ed5bbcdc3ba7bd86c534424f7a5c8f80bac6618b7b79cd8caad7060272e107f

Socks5Systemz

+ 339 additional samples on MalwareBazaar

Result

Malware family:

socks5systemz

Score:

10/10

Tags:

family:socks5systemz botnet discovery

Link:

https://tria.ge/reports/240608-zm5z6agg78/

Behaviour

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Checks installed software on the system

Executes dropped EXE

Loads dropped DLL

Unexpected DNS network traffic destination

Detect Socks5Systemz Payload

Socks5Systemz

Malware Config

C2 Extraction:

bogtcqs.com
http://bogtcqs.com/search/?q=67e28dd8395dfb2f495fac1e7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978a771ea771795af8e05c645db22f31df92d8b38e316a667d307eca743ec4c2b07b52966923a6086f711c4e696
http://bogtcqs.com/search/?q=67e28dd8395dfb2f495fac1e7c27d78406abdd88be4b12eab517aa5c96bd86ee9d834e875a8bbc896c58e713bc90c91936b5281fc235a925ed3e04d6bd974a95129070b616e96cc92be20ea778c255bbe258b90d3b4eed3233d1626a8ff810c7e79d9a3fc46c
boksuho.com
http://boksuho.com/search/?q=67e28dd86d08f67e135aaa497c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa18e8889b5e4fa9281ae978a071ea771795af8e05c645db22f31dfe339426fa11af66c152adb719a9577e55b8603e983a608ff819c8ef919338
http://boksuho.com/search/?q=67e28dd86d08f67e135aaa497c27d78406abdd88be4b12eab517aa5c96bd86e893844c845a8bbc896c58e713bc90c94d36b5281fc235a925ed3e03d6bd974a95129070b616e96cc92be510b866db52b2e34aec4c2b14a82966836f23d7f210c7ee929233cd6b9f15

Verdict:

Malicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/ad273120-38dd-4228-bd48-02a0129618bd

Unpacked files

SH256 hash:

16ca30f70faace39ec2757b58072ca89df101933a2386b16df596dfe3dc8b99e

MD5 hash:

b1dc8b49a9fb7a4c76f9b32eafe4d695

SHA1 hash:

f7f457747f91b7c0ba51d92066cf0a84587ea96c

Detections:

Socks5Systemz

Link:

https://www.unpac.me/results/bbea9d81-3c71-4c27-9343-c9f99e84ffc9/

Parent samples :

7aa2680b83656ff7cbfe453c3b0e9b874cbe9b8b0d19ff26317b35672f8405d6
3ac649efec98618189a42456ee70029e75c7fcbafc1ccee4e2cd54c8be0f5ce9
02d4d03a881594456f183b16d559b8352383ae7e38d9b8276383c13ae196d184
99d02207061f8cd1bb41dfc5ce4891f5913bdf35498e043c7d8c2b9ceee2c00b
97f2f45e34af3ae26a7c14c51e111b48c98eef5a2bae1fafd45df5a0c3f46bee
d787f9aa7215933a6c4edd8fd967fe9271621aa25f0ca91d1b122951ba2eeac9

SH256 hash:

b238311c8c14046a183dca800639e81e5635e8434f4cca446f0335481c6cf5b8

MD5 hash:

f7cb455d90cc7936ed2e681325948907

SHA1 hash:

37df60f796eeb3707a606302c758b5b4212e13ac

Detections:

INDICATOR_EXE_Packed_VMProtect

Link:

https://www.unpac.me/results/bbea9d81-3c71-4c27-9343-c9f99e84ffc9/

SH256 hash:

44b8e6a310564338968158a1ed88c8535dece20acb06c5e22d87953c261dfed0

MD5 hash:

9c8886759e736d3f27674e0fff63d40a

SHA1 hash:

ceff6a7b106c3262d9e8496d2ab319821b100541

Link:

https://www.unpac.me/results/bbea9d81-3c71-4c27-9343-c9f99e84ffc9/

SH256 hash:

4dc09bac0613590f1fac8771d18af5be25a1e1cb8fdbf4031aa364f3057e74a2

MD5 hash:

0ee914c6f0bb93996c75941e1ad629c6

SHA1 hash:

12e2cb05506ee3e82046c41510f39a258a5e5549

Link:

https://www.unpac.me/results/bbea9d81-3c71-4c27-9343-c9f99e84ffc9/

SH256 hash:

881ef26c67d602e4a6e39d1d023953ada06d874fca64769e5bb5ba3cf518c181

MD5 hash:

18797d8093f3394032baecba3a1c5b7b

SHA1 hash:

2ce2694fcf25019a65bea772d549c4d723fbea7c

Link:

https://www.unpac.me/results/bbea9d81-3c71-4c27-9343-c9f99e84ffc9/

SH256 hash:

97f2f45e34af3ae26a7c14c51e111b48c98eef5a2bae1fafd45df5a0c3f46bee

MD5 hash:

e639f2fc1ae9d9fcf45b9689a17dc74f

SHA1 hash:

45e340a5fc19cd6e52559d2e32feda26d2395ee7

Link:

https://www.unpac.me/results/bbea9d81-3c71-4c27-9343-c9f99e84ffc9/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/97f2f45e34af3ae26a7c14c51e111b48c98eef5a2bae1fafd45df5a0c3f46bee

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_EXE_Packed_VMProtect Create hunting rule
Author:	ditekSHen
Description:	Detects executables packed with VMProtect.

Rule name:	MD5_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for MD5 constants

Rule name:	shellcode Create hunting rule
Author:	nex
Description:	Matched shellcode byte patterns

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Socks5Systemz

exe 97f2f45e34af3ae26a7c14c51e111b48c98eef5a2bae1fafd45df5a0c3f46bee

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/2858526/

Delivery method

Distributed via web download

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (HIGH_ENTROPY_VA)	high
CHECK_NX	Missing Non-Executable Memory Protection	critical
CHECK_PIE	Missing Position-Independent Executable (PIE) Protection	high

Reviews

ID	Capabilities	Evidence
SECURITY_BASE_API	Uses Security Base API	advapi32.dll::AdjustTokenPrivileges
WIN32_PROCESS_API	Can Create Process and Threads	kernel32.dll::CreateProcessA advapi32.dll::OpenProcessToken kernel32.dll::CloseHandle
WIN_BASE_API	Uses Win Base API	kernel32.dll::LoadLibraryA kernel32.dll::GetSystemInfo kernel32.dll::GetCommandLineA
WIN_BASE_IO_API	Can Create Files	kernel32.dll::CreateDirectoryA kernel32.dll::CreateFileA kernel32.dll::DeleteFileA kernel32.dll::GetWindowsDirectoryA kernel32.dll::GetFileAttributesA kernel32.dll::RemoveDirectoryA
WIN_BASE_USER_API	Retrieves Account Information	advapi32.dll::LookupPrivilegeValueA
WIN_REG_API	Can Manipulate Windows Registry	advapi32.dll::RegOpenKeyExA advapi32.dll::RegQueryValueExA
WIN_USER_API	Performs GUI Actions	user32.dll::PeekMessageA user32.dll::CreateWindowExA

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample