MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a9a2d70167b5961ce786f7fea3d075959bb8144bbc23d26e2f9b20c662fc4391. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Socks5Systemz


Vendor detections: 13


Intelligence 13 IOCs YARA 3 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a9a2d70167b5961ce786f7fea3d075959bb8144bbc23d26e2f9b20c662fc4391
SHA3-384 hash: 69e207f2a5d1201c4af29037b1962d7e2dc74094908046fd15087ee2807d2a7469bb252a15a8a285ff9bace56b9d7301
SHA1 hash: 8f3fd908d09d1c14783da7be92c59044be00b951
MD5 hash: 4c79d8dd89f2e03d7567315c8ab611c8
humanhash: maryland-xray-hotel-california
File name:4c79d8dd89f2e03d7567315c8ab611c8
Download: download sample
Signature Socks5Systemz
Create hunting rule
File size:5'516'517 bytes
First seen:2024-01-22 11:05:36 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 884310b1928934402ea6fec1dbd3cf5e (3'725 x GCleaner, 3'463 x Socks5Systemz, 262 x RaccoonStealer)
ssdeep 98304:Cn98jUacXVLc+d7c1/YYEI2lL9CYa4+39DYgODhh9NPY0Jqxv0Th93d358:Y985CVLcQgJILW4e9D/8hfY+Xk
Threatray 28 similar samples on MalwareBazaar
TLSH T1844633027F44A277D2918F34DCE2B348DB71FE5E1221461A2ABFE1C82C55BE41E762E5
TrID 80.0% (.EXE) Inno Setup installer (107240/4/30)
10.5% (.EXE) Win32 Executable Delphi generic (14182/79/4)
3.3% (.EXE) Win32 Executable (generic) (4505/5/1)
1.5% (.EXE) Win16/32 Executable Delphi generic (2072/23)
1.5% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon 90b2d09ab692c0e0 (6 x Socks5Systemz)
Reporter zbetcheckin
Tags:32 exe Socks5Systemz

Intelligence

File Origin
# of uploads :
1
# of downloads :
312
Origin country :
FR FR
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/472264/
Detection(s):
SecuriteInfo.com.UntrustedCertificate.OpenCandy7AF.8482.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a window
Creating a process from a recently created file
Сreating synchronization primitives
Searching for the window
Searching for synchronization primitives
Creating a file
Moving a recently created file
Launching a process
Modifying a system file
Creating a service
Sending a custom TCP request
Enabling autorun for a service
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
fingerprint installer lolbin overlay packed shell32
Link:
https://www.filescan.io/uploads/65ae4c1beda27a7ac1ff1b46/reports/307c277b-4493-4586-850e-312189d220bc/overview
Verdict:
Malicious
Labled as:
Win/grayware_confidence_70%
Link:
https://www.hybrid-analysis.com/sample/a9a2d70167b5961ce786f7fea3d075959bb8144bbc23d26e2f9b20c662fc4391
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/507d9ea6-25ea-4f42-b7ba-88c6d53b7a4b
Result
Threat name:
Socks5Systemz
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1378665
Signature
Antivirus / Scanner detection for submitted sample
Changes security center settings (notifications, updates, antivirus, firewall)
Contains functionality to infect the boot sector
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Machine Learning detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Socks5Systemz
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1378665 Sample: novwKq4Yfh.exe Startdate: 22/01/2024 Architecture: WINDOWS Score: 100 49 time.windows.com 2->49 53 Snort IDS alert for network traffic 2->53 55 Antivirus / Scanner detection for submitted sample 2->55 57 Multi AV Scanner detection for submitted file 2->57 59 5 other signatures 2->59 9 novwKq4Yfh.exe 2 2->9         started        12 svchost.exe 2->12         started        15 svchost.exe 1 2->15         started        17 5 other processes 2->17 signatures3 process4 file5 45 C:\Users\user\AppData\...\novwKq4Yfh.tmp, PE32 9->45 dropped 19 novwKq4Yfh.tmp 21 69 9->19         started        63 Changes security center settings (notifications, updates, antivirus, firewall) 12->63 23 MpCmdRun.exe 2 12->23         started        signatures6 process7 file8 37 C:\Users\user\...\xappmarketmodule.exe, PE32 19->37 dropped 39 C:\Users\user\AppData\...\webrtc.dll (copy), PE32 19->39 dropped 41 C:\Users\user\AppData\...\unins000.exe (copy), PE32 19->41 dropped 43 51 other files (40 malicious) 19->43 dropped 61 Uses schtasks.exe or at.exe to add and modify task schedules 19->61 25 xappmarketmodule.exe 1 17 19->25         started        28 xappmarketmodule.exe 1 2 19->28         started        31 schtasks.exe 1 19->31         started        33 conhost.exe 23->33         started        signatures9 process10 dnsIp11 51 bfdudnd.com 185.196.8.22, 49708, 49709, 49710 SIMPLECARRER2IT Switzerland 25->51 47 C:\ProgramData\...\TVTunerClassic65.exe, PE32 28->47 dropped 35 conhost.exe 31->35         started        file12 process13
Score:
43%
Verdict:
Susipicious
File Type:
PE
Link:
https://malprob.io/report/a9a2d70167b5961ce786f7fea3d075959bb8144bbc23d26e2f9b20c662fc4391
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a9a2d70167b5961ce786f7fea3d075959bb8144bbc23d26e2f9b20c662fc4391/
Threat name:
Win32.Trojan.Smokeloader
Create hunting rule
Status:
Malicious
First seen:
2024-01-22 12:03:09 UTC
AV detection:
16 of 23 (69.57%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=vgrnoalhwwlbzz4g677khudvswn3qfclxqr5e3rptmqmmyx4ioiq._file
Verdict:
malicious
Similar samples:
0ff88c326a4448b0fb470313d3ad2a91d76f86798f8b9d1b7de612b507aec5d8
Socks5Systemz
36fe9b1f11f5c91836f0bd3a000ad5555c05fabdf489dd51fbb00b67b391b31d
Socks5Systemz
388c0bdae3a64d040bd07645d71f5738d3741ebb4618b74efb451db0dfdc70da
Socks5Systemz
3d0b4071ca579fd81b80d96665bca36d29f3dde90c139c12046754e79e4dd7dc
Socks5Systemz
83d85859a5c64caf407816eeea421be327483de6798ae2cdcf0fa87713afe5e5
Socks5Systemz
98dd0b13309f39e81a6078648b6f533f6ea409b314b41cba394305b379767ac0
Socks5Systemz
b3b8854c0dc1e5678ab99ae1c47f44a74eba795e1337a76f81cf236fa9e82f12
Socks5Systemz
dfa76cb3c6e26f0739c938d870672e2fed2979409d3fdba378e9a149a4595578
Socks5Systemz
+ 18 additional samples on MalwareBazaar
Result
Malware family:
socks5systemz
Create hunting rule
Score:
  10/10
Tags:
family:socks5systemz botnet discovery
Link:
https://tria.ge/reports/240122-m7d1yseggm/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Checks installed software on the system
Executes dropped EXE
Loads dropped DLL
Unexpected DNS network traffic destination
Detect Socks5Systemz Payload
Socks5Systemz
Unpacked files
SH256 hash:
b465e01e582e92c9787c7832573b525a10d542d03a4451b5e8076c1adcd8e7d1
MD5 hash:
23522beeb0381b53e3b916d69ae3bfa8
SHA1 hash:
571e40fec326d208a1ae711bc38a9412c4ec1206
Link:
https://www.unpac.me/results/05081271-6996-48f3-a7fd-23630ccc4ee7/
SH256 hash:
4d1a00857cbbf9b1f053845c538c954eb97d4b01045d61a3a7e88531979965e1
MD5 hash:
b2c686843c572b063b436afcf2c56268
SHA1 hash:
15cd98878a6b1c87ebbb5879d359b6a86aa0f1b1
Detections:
INDICATOR_EXE_Packed_VMProtect
Create hunting rule
Link:
https://www.unpac.me/results/05081271-6996-48f3-a7fd-23630ccc4ee7/
Parent samples :
a9a2d70167b5961ce786f7fea3d075959bb8144bbc23d26e2f9b20c662fc4391
8ebd7fd5b84590f6f57ed35c7af93ca3c550b058b4939a3c9028ce7fb8a5f4e6
269fa5b0efcabd3bc4b8718e35c0e95284a280d920c32b2d68cf7418fb11cef0
SH256 hash:
44b8e6a310564338968158a1ed88c8535dece20acb06c5e22d87953c261dfed0
MD5 hash:
9c8886759e736d3f27674e0fff63d40a
SHA1 hash:
ceff6a7b106c3262d9e8496d2ab319821b100541
Link:
https://www.unpac.me/results/05081271-6996-48f3-a7fd-23630ccc4ee7/
SH256 hash:
4dc09bac0613590f1fac8771d18af5be25a1e1cb8fdbf4031aa364f3057e74a2
MD5 hash:
0ee914c6f0bb93996c75941e1ad629c6
SHA1 hash:
12e2cb05506ee3e82046c41510f39a258a5e5549
Link:
https://www.unpac.me/results/05081271-6996-48f3-a7fd-23630ccc4ee7/
SH256 hash:
a4c86fc4836ac728d7bd96e7915090fd59521a9e74f1d06ef8e5a47c8695fd81
MD5 hash:
4ff75f505fddcc6a9ae62216446205d9
SHA1 hash:
efe32d504ce72f32e92dcf01aa2752b04d81a342
Link:
https://www.unpac.me/results/05081271-6996-48f3-a7fd-23630ccc4ee7/
SH256 hash:
936bfc8c6e6cad9010d9b50f562849894a659b9b0c5a3026b083dd651050bff3
MD5 hash:
4ac58c2eabaa3a2ee6a4f6e930276696
SHA1 hash:
e05f449d1ffefe0eb973502a1cebf6d267f78031
Link:
https://www.unpac.me/results/05081271-6996-48f3-a7fd-23630ccc4ee7/
SH256 hash:
c1713a8a11ade32bf6b2f7cecf7fd6228eead55ee6ca8205293b62058e9f1fdc
MD5 hash:
368019920d060a564834a6584071ccab
SHA1 hash:
da34c7f4bb4ed858f92f5e7b72687cfa5b422d7e
Link:
https://www.unpac.me/results/05081271-6996-48f3-a7fd-23630ccc4ee7/
SH256 hash:
485dd9ccc8ff238577d946c94bf8bb70e9f4cf4898c1c4d84386dba98dc821ec
MD5 hash:
b2f37236891b1f62c1e9b9379e1f36d9
SHA1 hash:
c3d1fdf16a574f3b92f5b7ec2071108a912bf4c8
Link:
https://www.unpac.me/results/05081271-6996-48f3-a7fd-23630ccc4ee7/
SH256 hash:
a9a2d70167b5961ce786f7fea3d075959bb8144bbc23d26e2f9b20c662fc4391
MD5 hash:
4c79d8dd89f2e03d7567315c8ab611c8
SHA1 hash:
8f3fd908d09d1c14783da7be92c59044be00b951
Link:
https://www.unpac.me/results/05081271-6996-48f3-a7fd-23630ccc4ee7/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a9a2d70167b5961ce786f7fea3d075959bb8144bbc23d26e2f9b20c662fc4391

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_VMProtect
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with VMProtect.
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Socks5Systemz

Executable exe a9a2d70167b5961ce786f7fea3d075959bb8144bbc23d26e2f9b20c662fc4391

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2745331/
  
URLhaus
https://urlhaus.abuse.ch/url/2745338/
  
URLhaus
https://urlhaus.abuse.ch/url/2745368/
Cape
Cape
https://www.capesandbox.com/analysis/472264/
  
URLhaus
https://urlhaus.abuse.ch/url/2745327/
  
URLhaus
https://urlhaus.abuse.ch/url/2745358/
  
URLhaus
https://urlhaus.abuse.ch/url/2745346/
  
URLhaus
https://urlhaus.abuse.ch/url/2748068/
  
URLhaus
https://urlhaus.abuse.ch/url/2745351/
  
URLhaus
https://urlhaus.abuse.ch/url/2745374/

Comments


Avatar
zbet commented on 2024-01-22 11:05:37 UTC

url : hxxps://loop.topteamlife.com/order/tuc5.exe