MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9b99ac3f10b1396bf4f7c8e8f76d045b744c4dac1bc87c1ad3e740dfc26b047c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Socks5Systemz

Vendor detections: 14

Intelligence 14 IOCs YARA 3 File information Comments

SHA256 hash:	9b99ac3f10b1396bf4f7c8e8f76d045b744c4dac1bc87c1ad3e740dfc26b047c
SHA3-384 hash:	59ba7fdc762a8a29734c10b04cc47d4a34af1d2293caa8850e5f4a36601ceb0719db04acdb19b162dae97d8181bc185a
SHA1 hash:	03f0cfdd3abc7d6c1372c27021d064e019cdd519
MD5 hash:	17bac1320cf993ff775332ea366fd78e
humanhash:	illinois-undress-juliet-lion
File name:	17bac1320cf993ff775332ea366fd78e.exe
Download:	download sample
Signature	Socks5Systemz Create hunting rule
File size:	5'034'006 bytes
First seen:	2024-06-13 05:40:19 UTC
Last seen:	2024-06-13 06:21:57 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	884310b1928934402ea6fec1dbd3cf5e (3'725 x GCleaner, 3'455 x Socks5Systemz, 262 x RaccoonStealer)
ssdeep	98304:mQCQ6PrWwe1FDsEvXhtl3E3i1j8T/iqpBzXXIKzA9QHaitXVbE4k:4PSw2FJXgCj8T/JpBztA9QH5tFbrk
Threatray	405 similar samples on MalwareBazaar
TLSH	T14B363300E2E88D70F196AC3EB969C17086B67481CDB105F8A54CFDCB1BE75BB490766B
TrID	76.2% (.EXE) Inno Setup installer (107240/4/30) 10.0% (.EXE) Win32 Executable Delphi generic (14182/79/4) 4.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 3.2% (.EXE) Win32 Executable (generic) (4504/4/1) 1.4% (.EXE) Win16/32 Executable Delphi generic (2072/23)
File icon (PE):
dhash icon	b298acbab2ca7a72 (2'327 x GCleaner, 1'631 x Socks5Systemz, 67 x RedLineStealer)
Reporter	abuse_ch
Tags:	exe Socks5Systemz

abuse_ch

Socks5Systemz C2:
94.156.8.80:80

Intelligence

File Origin

# of uploads :

# of downloads :

368

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

9b99ac3f10b1396bf4f7c8e8f76d045b744c4dac1bc87c1ad3e740dfc26b047c.exe

Verdict:

Malicious activity

Analysis date:

2024-06-13 05:43:11 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/c4d46e74-d69c-4ebd-afd6-9c503d9686df

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection(s):

SecuriteInfo.com.Adware.PCCleaner.B.UNOFFICIAL

Verdict:

Malicious

Score:

81.4%

Link:

https://cyber-fortress.com/docs/result/index.php?id=666a8664a2bce47be7d80fddwin7simulatehigh_evasion

Tags:

Encryption Stealth Heur

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file in the %temp% subdirectories

Creating a window

Creating a process from a recently created file

Сreating synchronization primitives

Searching for the window

Searching for synchronization primitives

Creating a file

Moving a recently created file

Modifying a system file

Creating a service

Enabling autorun for a service

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

borland_delphi fingerprint installer lolbin overlay packed shell32

Link:

https://www.filescan.io/uploads/666a86736be3b3c7c233c4bf/reports/452e389f-1719-4328-82c6-1ba06f8989d7/overview

Verdict:

Unknown

Link:

https://www.hybrid-analysis.com/sample/9b99ac3f10b1396bf4f7c8e8f76d045b744c4dac1bc87c1ad3e740dfc26b047c

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/387a8c12-ba93-40be-987f-baa6c9015bfa

Result

Threat name:

Socks5Systemz

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1456368

Signature

AI detected suspicious sample

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

C2 URLs / IPs found in malware configuration

Contains functionality to infect the boot sector

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Machine Learning detection for dropped file

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Yara detected Socks5Systemz

Behaviour

Behavior Graph:

Download SVG

Score:

69%

Verdict:

Susipicious

File Type:

Link:

https://malprob.io/report/9b99ac3f10b1396bf4f7c8e8f76d045b744c4dac1bc87c1ad3e740dfc26b047c

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/9b99ac3f10b1396bf4f7c8e8f76d045b744c4dac1bc87c1ad3e740dfc26b047c/

Threat name:

Win32.Trojan.Sockssystemz

Status:

Malicious

First seen:

2024-06-13 02:21:11 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

20 of 37 (54.05%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=tom2ypyqwe4wx5hxzdupo3ieln2eytnmdpehygwt45an7qtlar6a._file

Verdict:

malicious

Socks5Systemz

2f145aa84376fb1c39f3026a8e7fa62841188f92a7b4af0926df217347c7102f

Socks5Systemz

4f93c1a75610c100c28b6fce293d060fa72cd240f76981ed54cab97e7d2c1ade

Socks5Systemz

a4055964f3c620c0e4c0aa5ce9ff2a28e249a472f6bb7f6c4c356f4bf1b94388

Socks5Systemz

fe66709abfc8ebc81d937807326ec8919af8da242aac4c76562a98011c239929

Socks5Systemz

+ 395 additional samples on MalwareBazaar

Result

Malware family:

socks5systemz

Score:

10/10

Tags:

family:socks5systemz botnet discovery

Link:

https://tria.ge/reports/240613-gdf1kawdle/

Behaviour

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Checks installed software on the system

Executes dropped EXE

Loads dropped DLL

Unexpected DNS network traffic destination

Detect Socks5Systemz Payload

Socks5Systemz

Malware Config

C2 Extraction:

benwddw.com
http://benwddw.com/search/?q=67e28dd8690cfb204406a51a7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa49e8889b5e4fa9281ae978fe71ea771795af8e05c645db22f31df92d8b38e316a667d307eca743ec4c2b07b52966923a6f8cfa16c3ec90
http://benwddw.com/search/?q=67e28dd8690cfb204406a51a7c27d78406abdd88be4b12eab517aa5c96bd86e5908f4e96148ab2865b77f80ebad9c10f7cb63037ed2ab423a43b4383ba915d911ec07bb606a0708720fa11b861c353baf51aba1e7242fa7023cc366689fe19c2ea929938c8
bdxtdue.com

Verdict:

Malicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/2e2dfeac-bddf-42f9-83b2-2abfacabef8f

Unpacked files

SH256 hash:

65a423216f73c244d79171b2e25b98923bd0ac7b748c880a3b395d9c65797487

MD5 hash:

e37d7b8a151a4ae72ab1abc9afedd1c2

SHA1 hash:

bf1dfdd0a89e00cf6f0ea0bde88729b97449c066

Detections:

Socks5Systemz

Link:

https://www.unpac.me/results/2f24ef1a-a364-4a02-9491-b6f11ef89745/

Parent samples :

9f69963c838288865f38acc2d517db733466d0c9b5b0cc6cdd8ba6593844a5f8
9b99ac3f10b1396bf4f7c8e8f76d045b744c4dac1bc87c1ad3e740dfc26b047c
b86f509978dec1f400e89a63d2de8b770363b2e904316e9063b9ad46c080175f
5a2322d7f478af9aac39e37b68082d6e7bcba23b0a1b67aa0c9ff6e3c00106f6
275cf7706f9d5d49cbcb52032850b1995211b81438257b00582040831ced93d7
8a03737a00eca05904d6eb4b7e6eb2d647df1c89ae8ae9fb7a4cea4ae9e46532
5cbd43045b2e4418fb9f6a39aa5da0a5d5e1319b2bc3cc79b50eec9713fb434f
d16265882061fe6585f16a3adb40734690f19058197210ab760e084147c99cc2
7f2e61445c1de7e7f873e136d65e79c54aef5c91fc9239286d198162779312d0
6cb361b6d9f4eed70fbeb3a482a70d8cabce818b17b3a710c00545a1e7cde753
3142d3d70a3cf61573d27d759087dfbef92a102ed37f8c6c15c348df19a55339
101d25afe6de26c8f611bf08e1eb08478e03206b3583c48bb20fa035d4d0ffca
815c265c42f5b5739bd5452fc7f510475e2f5c6e4b0a7859729a9148e2e7a73f
f92a7231efb1a1b09a75a192c77ce4ef987aaf8e30461c6ebe87e4f1e5ab1cfb
a8a4138f5e7404a3c1e42b9b969650c2e92636fdb5aaa8504f05e6c6bcf98d47
6072851f5bb88b54feef9c7aae9a016cfebe3ec37a794791960e6bac46c2c71e
4a3deabf92835badcad378bb652b9b983d37146b8c283f2114ae2de92902d515

SH256 hash:

f46b87a13cb4f234c64a0c366244f356008562cc95db1a6250604c193e381b79

MD5 hash:

39219517f0654990f526a535f249a365

SHA1 hash:

028325b5d97a563219e3f8b35e163ce14a8feb0c

Detections:

INDICATOR_EXE_Packed_VMProtect

Link:

https://www.unpac.me/results/2f24ef1a-a364-4a02-9491-b6f11ef89745/

Parent samples :

SH256 hash:

44b8e6a310564338968158a1ed88c8535dece20acb06c5e22d87953c261dfed0

MD5 hash:

9c8886759e736d3f27674e0fff63d40a

SHA1 hash:

ceff6a7b106c3262d9e8496d2ab319821b100541

Link:

https://www.unpac.me/results/2f24ef1a-a364-4a02-9491-b6f11ef89745/

SH256 hash:

4dc09bac0613590f1fac8771d18af5be25a1e1cb8fdbf4031aa364f3057e74a2

MD5 hash:

0ee914c6f0bb93996c75941e1ad629c6

SHA1 hash:

12e2cb05506ee3e82046c41510f39a258a5e5549

Link:

https://www.unpac.me/results/2f24ef1a-a364-4a02-9491-b6f11ef89745/

SH256 hash:

a62411b18f63c1f9ecbdf778190a4de580da78c54ec0004bd441e14bf8eeb55a

MD5 hash:

9179d5a71b13d9e6db4abfd00f8bcf97

SHA1 hash:

c30e6d16fa577eb6d168424cb08096b40a29d800

Link:

https://www.unpac.me/results/2f24ef1a-a364-4a02-9491-b6f11ef89745/

SH256 hash:

9b99ac3f10b1396bf4f7c8e8f76d045b744c4dac1bc87c1ad3e740dfc26b047c

MD5 hash:

17bac1320cf993ff775332ea366fd78e

SHA1 hash:

03f0cfdd3abc7d6c1372c27021d064e019cdd519

Link:

https://www.unpac.me/results/2f24ef1a-a364-4a02-9491-b6f11ef89745/

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_EXE_Packed_VMProtect Create hunting rule
Author:	ditekSHen
Description:	Detects executables packed with VMProtect.

Rule name:	MD5_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for MD5 constants

Rule name:	shellcode Create hunting rule
Author:	nex
Description:	Matched shellcode byte patterns

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Socks5Systemz

exe 9b99ac3f10b1396bf4f7c8e8f76d045b744c4dac1bc87c1ad3e740dfc26b047c

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/2858526/

Delivery method

Distributed via web download

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (HIGH_ENTROPY_VA)	high
CHECK_NX	Missing Non-Executable Memory Protection	critical
CHECK_PIE	Missing Position-Independent Executable (PIE) Protection	high

Reviews

ID	Capabilities	Evidence
SECURITY_BASE_API	Uses Security Base API	advapi32.dll::AdjustTokenPrivileges
WIN32_PROCESS_API	Can Create Process and Threads	kernel32.dll::CreateProcessA advapi32.dll::OpenProcessToken kernel32.dll::CloseHandle
WIN_BASE_API	Uses Win Base API	kernel32.dll::LoadLibraryA kernel32.dll::GetSystemInfo kernel32.dll::GetCommandLineA
WIN_BASE_IO_API	Can Create Files	kernel32.dll::CreateDirectoryA kernel32.dll::CreateFileA kernel32.dll::DeleteFileA kernel32.dll::GetWindowsDirectoryA kernel32.dll::GetFileAttributesA kernel32.dll::RemoveDirectoryA
WIN_BASE_USER_API	Retrieves Account Information	advapi32.dll::LookupPrivilegeValueA
WIN_REG_API	Can Manipulate Windows Registry	advapi32.dll::RegOpenKeyExA advapi32.dll::RegQueryValueExA
WIN_USER_API	Performs GUI Actions	user32.dll::PeekMessageA user32.dll::CreateWindowExA

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample