MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9a7a0a15c930fb6fc2118956d750a7dd1402737fae47d30955f311620eb58999. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Socks5Systemz


Vendor detections: 10


Intelligence 10 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9a7a0a15c930fb6fc2118956d750a7dd1402737fae47d30955f311620eb58999
SHA3-384 hash: 81cd90dcd92fbaef38e0d10f060a6cc655fcbf1b5a1381b33a5a004820ed0bd75e5987c76036c1736d17b4cd87198d25
SHA1 hash: 5063d2359d1e2ed4d3628fb04a7561f3c31f30db
MD5 hash: 8be9f11f51463c7823a9eec3d1355867
humanhash: montana-washington-cold-low
File name:tuc5.exe
Download: download sample
Signature Socks5Systemz
Create hunting rule
File size:7'865'822 bytes
First seen:2023-12-11 19:29:44 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 884310b1928934402ea6fec1dbd3cf5e (3'725 x GCleaner, 3'458 x Socks5Systemz, 262 x RaccoonStealer)
ssdeep 196608:hO78pimeIjZMmsj7bXzjl3iT1A9SG7ul2xdVNWiYmJE6RI6zj:E78pimNjMDzjl3dQAdVN1YyRPzj
Threatray 5'614 similar samples on MalwareBazaar
TLSH T118863393AF74566CF6194BB01D234C461FFA2C6D4FB04815987EB43EADB604848CAB7E
TrID 76.2% (.EXE) Inno Setup installer (107240/4/30)
10.0% (.EXE) Win32 Executable Delphi generic (14182/79/4)
4.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.2% (.EXE) Win32 Executable (generic) (4505/5/1)
1.4% (.EXE) Win16/32 Executable Delphi generic (2072/23)
dhash icon fefce49e86c0fcfe (884 x Socks5Systemz, 259 x RaccoonStealer)
Reporter Xev
Tags:exe Socks5Systemz


Avatar
NIXLovesCooper
Downloaded from http://never.hitsturbo.com/order/tuc5.exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
248
Origin country :
GR GR
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/466034/
Detection(s):
SecuriteInfo.com.Win32.Malware-gen.11473.14841.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a window
Creating a process from a recently created file
Сreating synchronization primitives
Searching for the window
Searching for synchronization primitives
Creating a file in the Program Files subdirectories
Moving a file to the Program Files subdirectory
Launching a process
Modifying a system file
Creating a file
Creating a service
Launching the process to interact with network services
Enabling autorun for a service
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
control installer lolbin overlay packed shell32
Link:
https://www.filescan.io/uploads/657763443f60a810348f5b35/reports/aaa9f5a7-6efd-4bb6-bb05-87ec0510a9a2/overview
Verdict:
Malicious
Labled as:
HEUR/AGEN.1332570
Link:
https://www.hybrid-analysis.com/sample/9a7a0a15c930fb6fc2118956d750a7dd1402737fae47d30955f311620eb58999
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/697fc4a8-36a3-4a7e-9a18-01555f37bc63
Result
Threat name:
Petite Virus, Socks5Systemz
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1358918
Behaviour
Behavior Graph:
n/a
Score:
71%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/9a7a0a15c930fb6fc2118956d750a7dd1402737fae47d30955f311620eb58999
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9a7a0a15c930fb6fc2118956d750a7dd1402737fae47d30955f311620eb58999/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Malicious
First seen:
2023-12-11 19:30:09 UTC
File Type:
PE (Exe)
Extracted files:
5
AV detection:
13 of 23 (56.52%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=tj5aufojgd5w7qqrrflnoufh3ukae437vzd5gckv6miwedvvrgmq._file
Verdict:
unknown
Similar samples:
0a1657e6daa770f23b1174a97a87c67d26a71608bb37d5fb61db93a689b37cab
Socks5Systemz
28054d4d5fe1ce44199d81b1e6e0a9a1ab154447a35a4f7f4c5bde4dcc775421
Socks5Systemz
428115d7778ccdaed6cf18f3e38726810e6f53abbf430af1de74a12f1565a9e0
Socks5Systemz
6ab1079fa2f594fae71db67f69426fe4ff0e00fde8bf902ec9bc98110a86d252
Socks5Systemz
7d08307acda4f898d41708dae05886685240ec15642b5fb0d56a17e9b356b30d
Socks5Systemz
8089541479536163d5b0dc86e73716583c87d40ad51939f771aa4671fd247ce6
Socks5Systemz
9caef1bfc3460fd2eabeb3039a2d27ea014c2536465e9fef705cd5c2c13f371e
Socks5Systemz
cbf8c70b949c13415e8814b2835d9fcd53f8b2210ca8b22bb2b107b4ca266ac2
Socks5Systemz
+ 5'604 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
discovery
Link:
https://tria.ge/reports/231211-x7trhsghg3/
Behaviour
Runs net.exe
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Drops file in Program Files directory
Checks installed software on the system
Executes dropped EXE
Loads dropped DLL
Unexpected DNS network traffic destination
Unpacked files
SH256 hash:
d1286da2332f03018f97ce332f9b3ea0963088e2ec105e6f2ba3acaea00560d4
MD5 hash:
5e46d295989c1e038ce5202a45a591b4
SHA1 hash:
46ea548a01d0e35d655a9cbcc90671fe3b5bf06c
Link:
https://www.unpac.me/results/547c8f7e-5ff5-47e0-93ff-3ec64f371444/
SH256 hash:
285e39cc0871a31acbbb8dd9857e91bb2526ea11cc0deaa05bf4eb3944363d93
MD5 hash:
d77da84f2582f1e079ea4554421cd887
SHA1 hash:
128dcd7823a6400cdc65bd13dbb85a2a3d28064b
Detections:
INDICATOR_EXE_Packed_VMProtect
Create hunting rule
Link:
https://www.unpac.me/results/547c8f7e-5ff5-47e0-93ff-3ec64f371444/
Parent samples :
792fcca86eed9eb7f163070e74e06d7aea0ff8db5a7854fd8a054322b72b14db
8089541479536163d5b0dc86e73716583c87d40ad51939f771aa4671fd247ce6
3fdd5f83f03b0f1ed6fa5dac7680926083024f6ca14ac0d7f8d56d6741fda179
79df417371ed9148fcd6e3f27ba07904d725367b02522d68a3bf488e07bb221f
a254c3c559097d9fe3e113a2c6c8a816f72da85070482bb9f6864e31e9fdd4d7
66a6ffc3bed7c12f0541017003ca502ed3ea5957de9cb89c96f52620e395e03c
e2b263ef391c8dd5a9725d29d39ba1304435ba1867b73d577ed04bd254e53061
b01887908ca9bb5134b2b49fd598a2c74fe847ab1014bb599de60a44a28cb191
d54fbeb4c4e66e02193b1bb9156217fbcc8f85b40076e38d9662da41f3565320
c6a3d2b4044ebdae0039095f29b9213ffb580fbd7904389082ae9fe13d1425fb
ae9c74fc6ed9466a38a43bef2b5677ab28f0c23a6de70a4245caaa43006ddec3
9f6decc274881ad814c2f32c0e0a0752e7032eab42027ab72b8e608677328bf4
ebff0bc6e2acf47d0b91fd23494683f8ab9c38e49cf1bb98f5489b3b76cef1e1
7403951da26eb889ff11f4c553db2da9e75be923eeba9d31570c46d4a0b48a95
846d963b3be07336806e9a35ec551588e1cc8eac3cc74fffedb2b16635ab5fe3
4148f15ce4cd27a672c6e5269e7a0e1b33f656f379737dc12bbb6eca3338a62f
e056a165fe3066b1ad3f4299cd386f3ac631422fe549ab98e79e6e99f79fe9da
7e3cf6193204558bbc714383f206c2f520c81a6cd1bb44aad2406786015fd53f
7bf7548fd759ebad7e301b44cbe5b0a17ce4dc6b49d2f3240c5d65ec953403a6
89f36be6c99ef35920f2ebc5ff70a32595df25b5d8a5f9d9e5dadd99715fc7d8
40407d4b23fbea5cda7eaabeff0ee3ea22c1431b1c32431b5fd38702b70d2f91
723764f07d64fba2573a4d610a3124cd9a057ee1cb703db7d84859f97f06096c
c4524df603ebf9af845e8619d8bbcbd515df971954cf51e9e247e9ba189a32b3
b76f2fd1a7bdc43e534405a5fb4c70d0eedaaa33feb7e734990f7c7fa342de1e
ff4caf338e35162c71b4fa76fbf79fdeb36a86d4e90d01dfddcacb6b77e85e56
4657c49179fa891f4dd137b1c8aca88df6962fb5f67a6ee3a39893922b439a28
5480df9cd132b06451421d27999536b4866a95286f3e28cbdbaba1851d405f34
8fbf10adc19e023e9cbba8a1823dc331669820f233407af4df50a8918b9ce49d
9a7a0a15c930fb6fc2118956d750a7dd1402737fae47d30955f311620eb58999
c0428c1875bc1de57f10f305d61ca56ddd434417dd04db7e33bb2ff04a1ffcfc
1f79b63c019a5b69549214d7ea01ab4e164237e84d96aa618dad84e241ad2269
7d0efe46dc2c5fab939ae609c5efe2692b708e66f3583e1e7af8d5511a85b461
bffd7ead917e719faa06224787f66ea74db59457786905bafe18192ca11f8410
270d678c5b4b70217a555ce401c3321128a6fb20846b08ef77ba4e05930cab99
6f9bd84c49cbb41c352bee5d5c8a0eef056b6c5259ed11fb6ffa13830b3a08ec
b6d6e1e0fc16139471fc4c7d33328c2e0662e66fcb5f4efd79f4ca1e13afe050
96198611ca7f4d889fa1e0a66c6b93651f0d99e5a3f3d440a0a465858f556b9d
e50a9f175d40ef7517ddd23a45a85148571d62b9430030865bfbd024305ba10d
d2b75c8468b61904e6c16c13069526e4b37d77abf891e6d1c7d0163588a9af7a
888cd3eddfb9eb12f60f54d37e9e6359bb6bd6e44381d8c53321240f62466328
29cda1f13144ee4fbfeae47e1de59f165343529469dc417d17dcf12e11b01f8d
fc24fb376d46397c97f4ffa2d8a08649a295591b75b1a64fc089ba489c271a5e
4e4de704ebaad460aaac2a8e0ba044174b493d7529431c0a18c02ab31ea297cb
56c5b83da3501e92f37467e2c855daecb99e9bc3df1b4da2801dc73bba667756
a7531c20e52105543fc4c830dc4dfded481c5a463ef9d8b5c29b0dccd7128802
3089a400cc8416570c8fd157dee039b4024445d6218089d5672915ca56647bb0
77f158154f0a44daf1fe943b0264ca8202b7be7bcd02d0d4a6ccb2e179b5c385
247651d2dbc7e07105f03e6db3d980d2215bd5754cd3883af208d4150d14b165
2701118a934ae7590c7a70e1b30699e6479cbd008ba52050f2bb045d7f789fb3
5294dfb8ccd0edeaaeb7a7d6ac25349d4639887b0480d1a13d5e212265ed781b
ec0de71002f0f71dcb266858382e20911dc2a00da7d97a7957db884615788d52
2a799590c84c9bf95bb9ff8e99510317e72c9103948ed2d9b68cb1111684a8c4
SH256 hash:
25936ab6578a44ce9c2fc54ffa253b53a76c14a14943d055189c0e2b292acac8
MD5 hash:
9444e17254a82e805c735feb8b532f61
SHA1 hash:
9365bc35aa3c6377b1eec0221fcc4ba0dc4587e0
Link:
https://www.unpac.me/results/547c8f7e-5ff5-47e0-93ff-3ec64f371444/
SH256 hash:
95dfd6061a81dc3994a05dc4c7bb5f7999b22414d83b31fc7ef6bcb5257e8e09
MD5 hash:
c603242e11450c4bcbb45362e497318b
SHA1 hash:
7ca442d009834136932b3e6cf2e718ec77139b50
Link:
https://www.unpac.me/results/547c8f7e-5ff5-47e0-93ff-3ec64f371444/
SH256 hash:
4e3601760f269c13bd66c7f046e5846bd07884b6170b3e71cf73817bc9b2c863
MD5 hash:
1947edcfd01276a20a3816c03dc58b04
SHA1 hash:
3e898b1fb378a0c109afca54c5f64fece7728793
Link:
https://www.unpac.me/results/547c8f7e-5ff5-47e0-93ff-3ec64f371444/
SH256 hash:
9a7a0a15c930fb6fc2118956d750a7dd1402737fae47d30955f311620eb58999
MD5 hash:
8be9f11f51463c7823a9eec3d1355867
SHA1 hash:
5063d2359d1e2ed4d3628fb04a7561f3c31f30db
Link:
https://www.unpac.me/results/547c8f7e-5ff5-47e0-93ff-3ec64f371444/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Link
http://never.hitsturbo.com/order/tuc5.exe
Cape
Cape
https://www.capesandbox.com/analysis/466034/

Comments