MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 acdd52122739fa0d32d3634c81475e66b9a30671fd0f11b725d8f5790e07fc52. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Socks5Systemz


Vendor detections: 11


Intelligence 11 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: acdd52122739fa0d32d3634c81475e66b9a30671fd0f11b725d8f5790e07fc52
SHA3-384 hash: bf51f8ef7c5c5e19517c3617c7a20876f808f7b1cc9ed7bba8698d6608437ae7018448ba13902eb0d2a6fe793092e349
SHA1 hash: 285525970566b317e87faa0a5b5a81e71a2b28cb
MD5 hash: a78a13e164a0bef1add0488036cf0d54
humanhash: table-december-echo-summer
File name:tuc3.exe
Download: download sample
Signature Socks5Systemz
Create hunting rule
File size:7'512'392 bytes
First seen:2023-12-12 16:20:37 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 884310b1928934402ea6fec1dbd3cf5e (3'725 x GCleaner, 3'454 x Socks5Systemz, 262 x RaccoonStealer)
ssdeep 196608:Ixm50EF70ZaWLZ97vnC8LpS7+bI9cpSzj:SEt0Zak7aIA7kSzj
TLSH T1B17633C18AAD97BFFE549EB02481E671A1232EF2AE6D5831B0BE932F5FD3250445D350
TrID 80.0% (.EXE) Inno Setup installer (107240/4/30)
10.5% (.EXE) Win32 Executable Delphi generic (14182/79/4)
3.3% (.EXE) Win32 Executable (generic) (4505/5/1)
1.5% (.EXE) Win16/32 Executable Delphi generic (2072/23)
1.5% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon 00f8dcdcdcbebe00 (621 x Socks5Systemz)
Reporter Xev
Tags:exe Socks5Systemz


Avatar
NIXLovesCooper
Downloaded from http://never.hitsturbo.com/order/tuc3.exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
236
Origin country :
GR GR
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/466686/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a window
Creating a process from a recently created file
Сreating synchronization primitives
Searching for the window
Searching for synchronization primitives
Creating a file in the Program Files subdirectories
Moving a file to the Program Files subdirectory
Launching a process
Modifying a system file
Creating a file
Creating a service
Launching the process to interact with network services
Enabling autorun for a service
Gathering data
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
control installer lolbin overlay packed shell32
Link:
https://www.filescan.io/uploads/657888728b5ba47db2e04338/reports/cb7582b2-b3ee-4dd4-ac96-e05703bbd894/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_60%
Link:
https://www.hybrid-analysis.com/sample/acdd52122739fa0d32d3634c81475e66b9a30671fd0f11b725d8f5790e07fc52
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Petite Virus, Socks5Systemz
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1361006
Signature
Antivirus / Scanner detection for submitted sample
Contains functionality to infect the boot sector
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Multi AV Scanner detection for submitted file
PE file has nameless sections
Snort IDS alert for network traffic
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Petite Virus
Yara detected Socks5Systemz
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1361006 Sample: tuc3.exe Startdate: 13/12/2023 Architecture: WINDOWS Score: 100 47 Snort IDS alert for network traffic 2->47 49 Antivirus / Scanner detection for submitted sample 2->49 51 Multi AV Scanner detection for submitted file 2->51 53 6 other signatures 2->53 8 tuc3.exe 2 2->8         started        process3 file4 33 C:\Users\user\AppData\Local\Temp\...\tuc3.tmp, PE32 8->33 dropped 11 tuc3.tmp 17 76 8->11         started        process5 file6 35 C:\Program Files (x86)\numGIF\numgif.exe, PE32 11->35 dropped 37 C:\Program Files (x86)\...\is-VI1P9.tmp, PE32 11->37 dropped 39 C:\Program Files (x86)\...\is-JTGMT.tmp, PE32 11->39 dropped 41 56 other files (none is malicious) 11->41 dropped 55 Uses schtasks.exe or at.exe to add and modify task schedules 11->55 15 numgif.exe 1 15 11->15         started        18 net.exe 1 11->18         started        20 numgif.exe 1 2 11->20         started        23 schtasks.exe 1 11->23         started        signatures7 process8 dnsIp9 43 ddehufv.info 185.196.8.22, 49735, 49737, 49738 SIMPLECARRER2IT Switzerland 15->43 45 95.216.227.177, 2023, 49735, 49773 HETZNER-ASDE Germany 15->45 25 conhost.exe 18->25         started        27 net1.exe 1 18->27         started        31 C:\ProgramData\M73Bitrate\M73Bitrate.exe, PE32 20->31 dropped 29 conhost.exe 23->29         started        file10 process11
Score:
92%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/acdd52122739fa0d32d3634c81475e66b9a30671fd0f11b725d8f5790e07fc52
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/acdd52122739fa0d32d3634c81475e66b9a30671fd0f11b725d8f5790e07fc52/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Malicious
First seen:
2023-12-12 16:21:05 UTC
File Type:
PE (Exe)
Extracted files:
5
AV detection:
10 of 23 (43.48%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=vtoveerhhh5a2mwtmngicr26m242gbtr7uhrdnzf3d2xsdqh7rja._file
Result
Malware family:
n/a
Score:
  7/10
Tags:
discovery
Link:
https://tria.ge/reports/231212-ttm52ahgh2/
Behaviour
Runs net.exe
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Drops file in Program Files directory
Checks installed software on the system
Executes dropped EXE
Loads dropped DLL
Unexpected DNS network traffic destination
Unpacked files
SH256 hash:
c9278f17730a4078d3b28e349d31dbdab961d8b61aab7b710f088d0f03a033c8
MD5 hash:
dcd2f5ab1e14cdd37fa4de9cac79f521
SHA1 hash:
c87577e55433a5f51080374337467a66283f0c68
Link:
https://www.unpac.me/results/a5914e5c-bae8-479d-9e42-95fcf5636799/
SH256 hash:
d956068914faacb854a9df1a784a918b75db8541778162985565fee0596c176e
MD5 hash:
f0c3bce5f3e8d3dc6203992659a2b644
SHA1 hash:
4677e918d1bfda08c1b9fe9e0fbe79dd48fe6725
Detections:
INDICATOR_EXE_Packed_VMProtect
Create hunting rule
Link:
https://www.unpac.me/results/a5914e5c-bae8-479d-9e42-95fcf5636799/
Parent samples :
f7ded3ace79dfa17068938bf8fd458338f9573960ab75739b3993ca1699783bc
0d4f07a8123d5305a9240bee6287d5dc8ce2ad0a6b80e7976c786e6a8a78d864
97263d3d1d6cd4d2c64d0042b713de95bf8ec4619aa0a16145bc11cb4ee56990
428d114b1dc4b27834417e605c62ff20b4abc4782717586ecf9a7e95f5f18b95
233b5e1dbe1fe4646e59dbc0ae9c01163dcf605c479ad0fc3647f43a7942a874
2bc3e4ce86eb3ea1132751a8d7dfd6014826456bc4386b1204d1890eec924a76
af2deeda0aa90cc9dffa5753a6d3221d0d9ca68349a3c59543a19f916485c823
6a2f19d0709fd3ca608de2aa17da02dc88c41b6c1717062cc16ead0e4de8ddc7
bbe1c177f62ff9e42f302d33ff748361b36bd758668dafc2c7cd5e0a2a0f3bfc
a72d358accb6742be87d30b4ef6df83a692213f55fe8d4c5d1770f8b3b1ab15b
94cf49bb2f08ab8dfa76f0199903d42922821fa584cf721afa544f552798a039
b249a095cbb085d78f7fb17af820afcb85b616a45d6e0668599653ed40186289
2f215a325088575bc1002bca75baf8629715ff71d296e60377f4700f8d83d268
5b363b837d4f6f2a8ebdb1a722a17c0907839f82d4efd64f117c8c44145c7bb2
ee64643f2b172f59667db8bcb9852997fd8a640e021353d80e5fa513ee1f50e8
6cc41f4e6e9c04fc8fb2d30bd3a73d1c3639f7ed630effaf82e7ae0558a424d9
e806c565a582ce9bd80f63133561cfdc726f40ce14e4736ca6ff0e27492fd9b2
43848979748958a5804fd43adf5e86c73d28caa07976b63931fd166731ceb165
a98d05548ad3518e112254e4514b9c7f8b39b4b01a9a1b9d48b318832a2c6dbd
b122e6423ca1f900103a13d57396bd865a8416f68ab8226912def33a1ed2e1bc
358a4dca9756a07e162802479f2c02e51a4442dc06c5f04ba91e57f60c6f1b86
a8c1ac9575fbacb880b46937828bcf41f54e7734a3871f5bbaa2ca5f704c913f
e04ba12b4b2e4772d9fd29091b7f6deb8c438121c58748904470ac31fc66bbde
d5762040d29e5b431860b708839837bfd80942589883d98fb7ce38b50618f26c
ad3af1aea07098429555105aa41828470c9f049c26a3cba6c912cbb9f788a388
298f128e657453e765c6e4c42efd989512492cf3ee9bc0e1099be9e70966dcbd
cc1b6ad80a4f94fcc98953a10caae4fde205a02df9b2d3affd41d0d3445dd4c4
cff9c67261b5fedc4057f23083431dc04b9004152ba53d8026eb46d42a5607eb
a232c6af1ae8d06d3e0c203baef715415c8c967debc74c3ec165f8c04632ea6d
f1a698a7f6aad7391bae82e6f0d52929465352c95c774c2c0997b778031d450a
2571da57228a6cd4b5f324406d2beb2b30d048e1000fd7cfa263eb34aec36469
7628050bfbfa431347533b964229d516466bd125ee7b76cd562a3525c2d7c7a8
beb35f655276a2ddde48adb4b446d687add50a33871c1f97a47616b3ccaf9cf2
593ba7549eea9ca42dad4a20494bf603e261264917703d1e3d8f3a455294d871
27e5279f86d23b4351efdc2b01f105bbea9d0dac9e89c191a833ef4b674df1c9
45e3659db766fe96981c76655d2cc2d63f614a143f2209d354a7c9e55e2be351
7f2e189f39c7bde57c8939257c598bf29a0b95bc49fbe46a34b402d13d64c0f1
a43c4920425fe59040a19efbae93db9b9321a5a2da6cd973c729d5f868d007bb
250cfd37654951d06fca146f8e41209a00c54d56955b406b5041556cd2d43eb9
58fc01e7c3884b207b2c0dc7cc4551aa25dde65a2a9e3b0f86ccb8dd5e845c82
41e8f2bdf7eaafd1d1d4b5a9dcdb419acfc8d0833e139bda35accf72d790cab5
b76594e03af1ca4fe335d9abba412c691461887e016414d1b92f977cbaac2dea
fae9ed95ba748185f3efff5b6c8c155e6ba938feb17c4238433b53b17f955c1c
786b86408155eb12182c5b57185b9c53875b70f085789f99aae7bc55c7e8f56a
93fab417459b748dc725c82490db5fff79543826cff9f7bd28526304661004c1
cdd1de583fbd9c8c3aba8fbfa488087a2dc3dcde0c16f0a27ae6c3f785693043
fdaad63508c8f0d5a49b174e6b7e9f3d6f5268eb7ce9370e332fe68e3830661b
adfdd165b47688df3875f31360c7cb6f23ad6fc59641ec93ae523536813798fa
a12e8dd1b4dd22cc1ed61cdfd0bef87bb98d632e043af88c27af761a01381363
379f486dd4e60c0df65465c6cf28ccc4ab533d759b998ef9733a73739fcfa314
8f317e41119d1e018580fdd367faf13ba783c4a3ed3b5b2bce0c3dfae3663ae8
5fc6e35c7557eb50d005ea6dfb806e6e495942c2570a7e12cfd93fd22f794a3b
c7144d368a17a94f31d8d94808a8772d57560beb5534f77fd4331c84e96fbe2f
b5a2994d3e14d3e6a147ef07f0e7300a5c0bbcd7372cda08bae981ed0343da1e
acdd52122739fa0d32d3634c81475e66b9a30671fd0f11b725d8f5790e07fc52
61517ba07c01d59c27ef0c05bf7175d3a29ad85ef4902a5ab07845aa93eccbc6
d432bbc4a13c58a8cda34e773008c62dd56b12c3aeb2d7f372f548db0851fb93
f23305b571f44fd600a6760de619691d98eec150bdb80eebac9e5c1e91098c18
8769f5409f488ef3f1699f6ad01bc219fae2b330dfd90a7eaa60e516f5fb2f09
c4de5e4f8e2caab49eb166984d9f21b3ef5deb2e08a83f5facdea239a2f5e277
f2e2e2a38448bd46c3cfff4ef0d6e5d5dfe1c156ec5ec6d0ee7ae508b9c396b0
87b0fd0d80b0c86c50aee439fa8722c8ef0cb28e8124d29b04af101177195c23
029eda9b328425aa1c86d3abdd06f5439c1b551a2f6bca1370b876a66654c1e5
7655628d4cf34b89b3eda96f7cb4ba31489401ca2bf09d60fc5dbf83a30384d0
d44947f6b7d5efa41b4786890de1549d4975f39a8cb18d74e5dbf3c934ec135c
257ddc754ca0234357acd566cdcaf175daa868fd1649d58c08479d6880b90ef5
b6f432f88428ade9b0f31ffe710bfba0bdc8887a986c503640ee939fc2fe8096
ad7d628fa0094e615f16e47f6d8cc86323a971cd5e78334fca5d96bfb0ffe8dd
7f1f01f0a161df6bbe2fee2f13b98e6ba97807f00cfe866b667a915d4864f144
09ae7db1af0332e03b92addd5118a7573372ceae46e54014caf7e73035586860
20e75ea9724504f470edc76e57b451904859c344e926ebf897ca68bd35247e32
a9e96d67119abfeb34aff6a851694aae50b1b2f36c60f1b28c60ee51037cf83a
fe47e978988fe94aa7f721d8321d5ca591116e02bfc4f04aa66ceb8d2234d852
201278872af3a8fe46d2046b2a8f990bcd9e541cb206f53f3ac8612afe0c90cb
c772d33d9757d8475197224c3304046f3e7e10695c09c878670e7dbd73f4fbbc
65b64707a31e50cb55303b8ba33e4710af1e6853d3503dd695aaadff1deefc2c
3962c33ef47d971d43bd269c85b6c742a97a4039f7ab5a21169cd8c5a76af51e
af99f8a0ceca7c280ea97478ff69ff2d78bfcc351057402cb556f8a9908e538f
652f8c7a62dee99587f52a269311fb003e47e1cb8499325184deb3bd2b4625d7
15ce7234b67f42c910fd83420ecfc9d70163efa507304b078c2f6bbdd468880f
1d939e5cc2f54e573004f85b76ce397138c9bad00f06242c62160caafdc8e4f4
b7a5c534e3955c36e200f3c5bb63263d22d2d33443f2c1a61464f5919f26b5ab
1b9af26e88bc6ed4f3d0c90f52e736f213d45e53729e4b67e035ba744157e4d5
28ef053a73f03433772a6b5f31d1cdf6e0d6785dd48260319bf30b8e7dd1748f
7d8250e43882b7b14f159fed218227cc25d1bd707a00355f6743d04d56bd12ef
a3f7e5b6506f4e70c19e9ee7efc5d1129b1aa89523b8e33a102ced9d9b47c570
7822a6ecbeba8de673851f236d5b492d23905a0e6db792388da2e298b762a706
8ca04a932b2b5be57c417de033c8b0f80fbd57b8d213121cda6b15e2e064cc3d
9c4653ad6d68e9f3d5fc186a7fb0c5fd61873aa59446037a9af52bb22bf06b09
cf67953e521bf68750ed341574183ac63be5fbe164c9dcee6c41a200ed74719d
a130ced52f95ff0fbff6250b910a17e301162ecc2c2d4a6e2b3d9ba3d05617d5
e550c7afb8843e5ef68013511c8070c0bfa75d0f66f77d349fa2ac99ba8b3769
d64c68d80097df4afe36ef0aa0a1e79affd9a0068abcc00333ceee3da087ac2d
85e4c4256c322cf05eeeed7df188de2f072bf00cead7078dc68979c2d2ffdc89
459906ab2987a081517063255790e7c63f495fef37924dc4300d021fbe5fb324
0b67304e137cac1c6f2b20cdc1b45e4bbceefdd7f72a6d8a7be4a997f285be56
cabd06dbe23a1c638dd34c690e55a9fd0390796de88c1c2936468ab84b7d3cee
e27e526478f88551f33ff83ac039b45fc62e4e2ae2577307e02a48febf87ddec
ba1c035c053fe441ca6e54866bcc0d8d1597bed2e1b858904721a4b3fca29abf
8cd23f3ef9a5c03f82139411be178a98db2020fcabfb344c1e824398294b4202
056cdc59ad477b646ca0d7e144dc0913b50b0491e884ffab9e91da2b0985768d
ba19272c66d28532f514a75699b348fbd63e64dc6c0825e80bf2334e09e2fa8a
fb0ef3ef8c129f3d784e33c0545e311677da22cb06f5521fc4db1bcd952d2b58
4fdf051b1f95d6965c80bed13eef09e6792223e0ec163f9806bcd8881f5fec64
1fc0c130d186d1d55a20d0b661f0c3475544f03ac24872c81341b72e11c1d58c
2186783c7bcc3c2efa0f625ccc1ba799e1a45f83df65c90aec1a7a8113d44994
0214a105a5320ad38b93df15124000a9581eb83630d126eb7d82306e535f172b
6783996813ae63db12580e51b294f6e7e0f3ab297b3ddaf7ef7e2432b24774d2
5440db9e547551917b2aa979cfbea81b24403eee4e8c3b23a4dbbd256121d0bb
SH256 hash:
17f2152345a2c165936cedbc6c7cb411a52ffd2939535a55b7758384bf19faf8
MD5 hash:
3268d38c741a1a4c167feb5156634f8e
SHA1 hash:
8f9084e3bf0dda70b43cdb59da868fdbd2252c83
Link:
https://www.unpac.me/results/a5914e5c-bae8-479d-9e42-95fcf5636799/
SH256 hash:
c7029a0203cbe9121c0eb4e3282522b59541bafa484b61afadb74ef5c39f65f6
MD5 hash:
b641f1081f48b8d049cb6f28703710df
SHA1 hash:
566fd6214d2881e72f4386ac5a71bd0a95e2946f
Link:
https://www.unpac.me/results/a5914e5c-bae8-479d-9e42-95fcf5636799/
SH256 hash:
acdd52122739fa0d32d3634c81475e66b9a30671fd0f11b725d8f5790e07fc52
MD5 hash:
a78a13e164a0bef1add0488036cf0d54
SHA1 hash:
285525970566b317e87faa0a5b5a81e71a2b28cb
Link:
https://www.unpac.me/results/a5914e5c-bae8-479d-9e42-95fcf5636799/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/acdd52122739fa0d32d3634c81475e66b9a30671fd0f11b725d8f5790e07fc52

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_VMProtect
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with VMProtect.
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Link
http://never.hitsturbo.com/order/tuc3.exe
Cape
Cape
https://www.capesandbox.com/analysis/466686/

Comments