MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a56db7832e5a3bec917ddda893b1137d6a2da4732a0c74ef7e67d9c995ca2c17. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Socks5Systemz


Vendor detections: 12


Intelligence 12 IOCs YARA 3 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a56db7832e5a3bec917ddda893b1137d6a2da4732a0c74ef7e67d9c995ca2c17
SHA3-384 hash: 8cc8a6774790123a6f25a82b015689c3f6932b3093945e357681cb825b8885c727215444f4dc6660394762f10143a744
SHA1 hash: 6e1030634bf79d1b5b48a3313970c1fb986110d2
MD5 hash: efeb409d7348a8ddf4edf55f338a337b
humanhash: hotel-stream-crazy-july
File name:efeb409d7348a8ddf4edf55f338a337b
Download: download sample
Signature Socks5Systemz
Create hunting rule
File size:4'288'020 bytes
First seen:2024-01-22 20:37:20 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 884310b1928934402ea6fec1dbd3cf5e (3'725 x GCleaner, 3'510 x Socks5Systemz, 262 x RaccoonStealer)
ssdeep 98304:ustBWcCejtbt0AhIeL0PrU1zG4Rs6qhsOj06YNN7/Wad358:hlbtOAhI80Pr/4Rn77/hk
Threatray 45 similar samples on MalwareBazaar
TLSH T1A716020B3B2062AED16D47F4AC8BB0F27B08FF1EC32155666259A7B825D17C1DB13E64
TrID 80.0% (.EXE) Inno Setup installer (107240/4/30)
10.5% (.EXE) Win32 Executable Delphi generic (14182/79/4)
3.3% (.EXE) Win32 Executable (generic) (4505/5/1)
1.5% (.EXE) Win16/32 Executable Delphi generic (2072/23)
1.5% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon 1a9a8696b2b29686 (3 x Socks5Systemz)
Reporter zbetcheckin
Tags:32 exe Socks5Systemz

Intelligence

File Origin
# of uploads :
1
# of downloads :
380
Origin country :
FR FR
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/472390/
Detection(s):
SecuriteInfo.com.UntrustedCertificate.OpenCandy7AF.8482.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% subdirectories
Creating a window
Creating a process from a recently created file
Сreating synchronization primitives
Searching for synchronization primitives
Creating a file
Moving a recently created file
Launching a process
Modifying a system file
Sending a custom TCP request
Creating a service
Enabling autorun for a service
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
fingerprint installer lolbin overlay packed shell32
Link:
https://www.filescan.io/uploads/65aed22c8dfc251a25fd1a9d/reports/54632e31-fa6f-4653-8c60-a4afcea93a4c/overview
Verdict:
Malicious
Labled as:
Win/grayware_confidence_60%
Link:
https://www.hybrid-analysis.com/sample/a56db7832e5a3bec917ddda893b1137d6a2da4732a0c74ef7e67d9c995ca2c17
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/a12999c8-f279-4280-91bf-9eb39968e47a
Result
Threat name:
Socks5Systemz
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1379067
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Contains functionality to infect the boot sector
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Machine Learning detection for dropped file
Snort IDS alert for network traffic
Uses known network protocols on non-standard ports
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Socks5Systemz
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1379067 Sample: ydoA2squ6a.exe Startdate: 22/01/2024 Architecture: WINDOWS Score: 100 44 youtube-ui.l.google.com 2->44 46 www.youtube.com 2->46 48 5 other IPs or domains 2->48 50 Snort IDS alert for network traffic 2->50 52 Antivirus detection for dropped file 2->52 54 Antivirus / Scanner detection for submitted sample 2->54 56 6 other signatures 2->56 9 ydoA2squ6a.exe 2 2->9         started        signatures3 process4 file5 28 C:\Users\user\AppData\...\ydoA2squ6a.tmp, PE32 9->28 dropped 12 ydoA2squ6a.tmp 21 68 9->12         started        process6 file7 30 C:\Users\user\AppData\...\xplaystdlib.exe, PE32 12->30 dropped 32 C:\Users\user\AppData\...\webrtc.dll (copy), PE32 12->32 dropped 34 C:\Users\user\AppData\...\unins000.exe (copy), PE32 12->34 dropped 36 50 other files (39 malicious) 12->36 dropped 58 Uses schtasks.exe or at.exe to add and modify task schedules 12->58 16 xplaystdlib.exe 1 17 12->16         started        19 xplaystdlib.exe 1 2 12->19         started        22 schtasks.exe 1 12->22         started        signatures8 process9 dnsIp10 38 aqsxsau.ru 185.196.8.22, 49710, 49713, 49715 SIMPLECARRER2IT Switzerland 16->38 40 member.g.nexon.com 183.110.0.44, 443, 49836 KIXS-AS-KRKoreaTelecomKR Korea Republic of 16->40 42 5 other IPs or domains 16->42 26 C:\ProgramData\...\TVTunerClassic64.exe, PE32 19->26 dropped 24 conhost.exe 22->24         started        file11 process12
Score:
41%
Verdict:
Susipicious
File Type:
PE
Link:
https://malprob.io/report/a56db7832e5a3bec917ddda893b1137d6a2da4732a0c74ef7e67d9c995ca2c17
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a56db7832e5a3bec917ddda893b1137d6a2da4732a0c74ef7e67d9c995ca2c17/
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=uvw3pazoli56zel53wujhmitpvvc3jdtfighj336m7m4tfokfqlq._file
Verdict:
malicious
Similar samples:
0ff88c326a4448b0fb470313d3ad2a91d76f86798f8b9d1b7de612b507aec5d8
Socks5Systemz
36fe9b1f11f5c91836f0bd3a000ad5555c05fabdf489dd51fbb00b67b391b31d
Socks5Systemz
388c0bdae3a64d040bd07645d71f5738d3741ebb4618b74efb451db0dfdc70da
Socks5Systemz
3d0b4071ca579fd81b80d96665bca36d29f3dde90c139c12046754e79e4dd7dc
Socks5Systemz
44d3b36090f29f48969dba1638d31097243516188cfe62b62559c450c4303293
Socks5Systemz
4681dc1aa40cca6a2ae8afba33654149d2946eeba6bbcb07f1e689df33c72283
Socks5Systemz
479179b35bf5ee0042940137db914a07d967139ae0725b3b94acf5173034356b
Socks5Systemz
a4540f539c10b3626bf576314689fbe889b93c25dc836b9f77d3facdd6b9f3f5
Socks5Systemz
dfa76cb3c6e26f0739c938d870672e2fed2979409d3fdba378e9a149a4595578
Socks5Systemz
+ 35 additional samples on MalwareBazaar
Result
Malware family:
socks5systemz
Create hunting rule
Score:
  10/10
Tags:
family:socks5systemz botnet discovery
Link:
https://tria.ge/reports/240122-zepcfadfc7/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Checks installed software on the system
Executes dropped EXE
Loads dropped DLL
Unexpected DNS network traffic destination
Detect Socks5Systemz Payload
Socks5Systemz
Unpacked files
SH256 hash:
30d95706df86641fd4cc9cefa58fc61b2c79ccc8a3f0435ffbd6505e5a6cc568
MD5 hash:
13029fb2aa7dcd56002d0e84e98a9dd7
SHA1 hash:
49a0fb78aa21794c8c7b9fa5a0fd716e9e907527
Link:
https://www.unpac.me/results/53907731-952a-4ef5-9940-32904ae9e54b/
SH256 hash:
4b4d668f37699aa176694707891b5e8b02808378b3aa9b4d5783a82aa78682ca
MD5 hash:
38adc82a1ce17e0e225a19855cb92b87
SHA1 hash:
4128a281985f81d3f12e650ba9e26cc6d0039d03
Detections:
INDICATOR_EXE_Packed_VMProtect
Create hunting rule
Link:
https://www.unpac.me/results/53907731-952a-4ef5-9940-32904ae9e54b/
Parent samples :
44d3b36090f29f48969dba1638d31097243516188cfe62b62559c450c4303293
479179b35bf5ee0042940137db914a07d967139ae0725b3b94acf5173034356b
a56db7832e5a3bec917ddda893b1137d6a2da4732a0c74ef7e67d9c995ca2c17
SH256 hash:
9e1aae7da18e3079d41c117aac93f6d1941482d6cbd368d071ae4420b362cfae
MD5 hash:
9c2793820a96e1dfe24d7f45f99c6368
SHA1 hash:
50a3d7ffbfb05cbc6e42e0779bc1de1e82913320
Link:
https://www.unpac.me/results/53907731-952a-4ef5-9940-32904ae9e54b/
SH256 hash:
44b8e6a310564338968158a1ed88c8535dece20acb06c5e22d87953c261dfed0
MD5 hash:
9c8886759e736d3f27674e0fff63d40a
SHA1 hash:
ceff6a7b106c3262d9e8496d2ab319821b100541
Link:
https://www.unpac.me/results/53907731-952a-4ef5-9940-32904ae9e54b/
SH256 hash:
4dc09bac0613590f1fac8771d18af5be25a1e1cb8fdbf4031aa364f3057e74a2
MD5 hash:
0ee914c6f0bb93996c75941e1ad629c6
SHA1 hash:
12e2cb05506ee3e82046c41510f39a258a5e5549
Link:
https://www.unpac.me/results/53907731-952a-4ef5-9940-32904ae9e54b/
SH256 hash:
d5101254c0ef172877e25fc29101646c244e5061c7ef6bfa270197d04d01c9bd
MD5 hash:
d5bdebef2ab2622f4f4107317f723c39
SHA1 hash:
5b8d127dc4b9e58f1b2f24e83fa675c62c6b47f6
Link:
https://www.unpac.me/results/53907731-952a-4ef5-9940-32904ae9e54b/
SH256 hash:
a56db7832e5a3bec917ddda893b1137d6a2da4732a0c74ef7e67d9c995ca2c17
MD5 hash:
efeb409d7348a8ddf4edf55f338a337b
SHA1 hash:
6e1030634bf79d1b5b48a3313970c1fb986110d2
Link:
https://www.unpac.me/results/53907731-952a-4ef5-9940-32904ae9e54b/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a56db7832e5a3bec917ddda893b1137d6a2da4732a0c74ef7e67d9c995ca2c17

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_VMProtect
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with VMProtect.
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Socks5Systemz

Executable exe a56db7832e5a3bec917ddda893b1137d6a2da4732a0c74ef7e67d9c995ca2c17

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2745345/
  
URLhaus
https://urlhaus.abuse.ch/url/2745333/
  
URLhaus
https://urlhaus.abuse.ch/url/2745340/
  
URLhaus
https://urlhaus.abuse.ch/url/2745373/
  
URLhaus
https://urlhaus.abuse.ch/url/2745356/
  
URLhaus
https://urlhaus.abuse.ch/url/2745365/
  
URLhaus
https://urlhaus.abuse.ch/url/2745332/
  
URLhaus
https://urlhaus.abuse.ch/url/2749134/
  
URLhaus
https://urlhaus.abuse.ch/url/2745352/
Cape
Cape
https://www.capesandbox.com/analysis/472390/

Comments


Avatar
zbet commented on 2024-01-22 20:37:21 UTC

url : hxxp://lang.topteamlife.com/order/tuc4.exe