MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b1d16d8e6907f15b583f6aebe3ea9986dda807275ebbd239a5fdf9fbdaa88b71. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Socks5Systemz


Vendor detections: 15


Intelligence 15 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b1d16d8e6907f15b583f6aebe3ea9986dda807275ebbd239a5fdf9fbdaa88b71
SHA3-384 hash: fe863d8a03a9582e4883c90705e26097ad146b57acb46c4e2ee97d529aa2186c3e37793d63f59b74212ce4c5c4bd11ac
SHA1 hash: cf4b296b1abb3e938fa29a983ad4b7577de20f2b
MD5 hash: cb4e8358a58de5cd176e3c4bbe264043
humanhash: five-virginia-hawaii-spring
File name:file
Download: download sample
Signature Socks5Systemz
Create hunting rule
File size:3'839'168 bytes
First seen:2024-08-23 13:33:46 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 884310b1928934402ea6fec1dbd3cf5e (3'725 x GCleaner, 3'507 x Socks5Systemz, 262 x RaccoonStealer)
ssdeep 98304:g/VHo5FtMIF6lxYGduFlu3mSX/9ZfVJXtH5:RrdF6lxngq3jlZfXtH5
Threatray 10 similar samples on MalwareBazaar
TLSH T1FB0633815A204631C0306E30804D76FADF617EAD58F5192C7AAC9ADE4B6FBF25802F77
TrID 76.2% (.EXE) Inno Setup installer (107240/4/30)
10.0% (.EXE) Win32 Executable Delphi generic (14182/79/4)
4.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.2% (.EXE) Win32 Executable (generic) (4504/4/1)
1.4% (.EXE) Win16/32 Executable Delphi generic (2072/23)
Magika pebin
File icon (PE):PE icon
dhash icon b298acbab2ca7a72 (2'327 x GCleaner, 1'631 x Socks5Systemz, 67 x RedLineStealer)
Reporter Bitsight
Tags:exe signed Socks5Systemz

Code Signing Certificate

Organisation:Max Biotech Limited
Issuer:SSL.com Code Signing Intermediate CA RSA R1
Algorithm:sha256WithRSAEncryption
Valid from:2024-03-14T20:30:17Z
Valid to:2025-03-14T20:30:17Z
Serial number: 4e2ce404aef344ebb3b87654f2c98422
Intelligence: 5 malware samples on MalwareBazaar are signed with this code signing certificate
Cert Graveyard Blocklist:This certificate is on the Cert Graveyard blocklist
Thumbprint Algorithm:SHA256
Thumbprint: 0a030b000ea3fcfb9cf471a434ee13eeca60ba155f6655389c50f3c6db018b12
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform


Avatar
Bitsight
url: http://176.113.115.33/ssl/install.exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
376
Origin country :
US US
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
file
Verdict:
Suspicious activity
Analysis date:
2024-08-23 13:35:14 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/c8650f80-2cc1-4662-ae75-2b24ea4a29da

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.UntrustedCertificate.OpenCandy7AF.8482.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=66c88fcce7ff3f5a063bce21
Tags:
Encryption Generic Static Stealth Trojan
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% subdirectories
Creating a window
Creating a process from a recently created file
Сreating synchronization primitives
Searching for synchronization primitives
Creating a file
Moving a recently created file
Creating a service
Launching a process
Modifying a system file
Enabling autorun for a service
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
borland_delphi fingerprint installer lolbin overlay packed shell32
Link:
https://www.filescan.io/uploads/66c88fcc950c378bfba51a08/reports/c7aa4d1d-3185-4cf1-b18f-fcea675763de/overview
Verdict:
Suspicious
Labled as:
Trojan/Kryptik.hvka
Link:
https://www.hybrid-analysis.com/sample/b1d16d8e6907f15b583f6aebe3ea9986dda807275ebbd239a5fdf9fbdaa88b71
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/f11a3ea4-1699-41a7-8437-5ea7c3f057f4
Result
Threat name:
Socks5Systemz
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
48 / 100
Link:
https://www.joesandbox.com/analysis/1498051
Signature
AI detected suspicious sample
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Contains functionality to infect the boot sector
Detected unpacking (changes PE section rights)
Found malware configuration
Machine Learning detection for dropped file
Suricata IDS alerts for network traffic
Yara detected Socks5Systemz
Behaviour
Behavior Graph:
Download SVG
Score:
47%
Verdict:
Susipicious
File Type:
PE
Link:
https://malprob.io/report/b1d16d8e6907f15b583f6aebe3ea9986dda807275ebbd239a5fdf9fbdaa88b71
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b1d16d8e6907f15b583f6aebe3ea9986dda807275ebbd239a5fdf9fbdaa88b71/
Threat name:
Win32.Trojan.Privateloader
Create hunting rule
Status:
Malicious
First seen:
2024-08-23 13:34:12 UTC
File Type:
PE (Exe)
Extracted files:
5
AV detection:
15 of 24 (62.50%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=whiw3dtja7yvwwb7nlv6h2uzq3o2qbzhl255eonf7x47xwvirnyq._file
Verdict:
suspicious
Similar samples:
7745f0a86461b90e7cd33dc0303235714fe069e8b62f9b8687ca04fb906ba3e8
Socks5Systemz
aa0d0e6b9d2837caba23565e62911125f3f9135a642c3216ce98b4ca92b6a320
Socks5Systemz
e20bb6153559ff51bf82ef914d172fbb4b7300ab648f967ece0d02404ff06542
Socks5Systemz
fec8e6f6b14a88b99cae2e25ecac09cc605c0d3b73402c9b3f14f874f6b3cb22
Socks5Systemz
Result
Malware family:
socks5systemz
Create hunting rule
Score:
  10/10
Tags:
family:socks5systemz botnet discovery
Link:
https://tria.ge/reports/240823-qt4agawhpe/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
Checks installed software on the system
Executes dropped EXE
Loads dropped DLL
Unexpected DNS network traffic destination
Detect Socks5Systemz Payload
Socks5Systemz
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/b84e9eeb-1727-4bcb-9e73-b5c9ac1cb5ba
Unpacked files
SH256 hash:
c6034ccd57501db0e94614e222e243f949104d2b03fca5816b85e9e213557aa9
MD5 hash:
b07a7ef3d79a4584c0ce69528dc775a9
SHA1 hash:
d869986021dcd8a5ff3f6d15f089c1753ec3e4b1
Detections:
Socks5Systemz
Create hunting rule
Link:
https://www.unpac.me/results/e04b9293-30c1-4a62-a665-5f40dfbbf2af/
SH256 hash:
b64548026e17445881a3bd8440fd501782b099e8310798b7b2fa0f4e7d114256
MD5 hash:
92f828fc9602835e9e50a0478d4903b4
SHA1 hash:
49fe3244fd7349b60167e16ee7e3b424b81c5518
Link:
https://www.unpac.me/results/e04b9293-30c1-4a62-a665-5f40dfbbf2af/
SH256 hash:
44b8e6a310564338968158a1ed88c8535dece20acb06c5e22d87953c261dfed0
MD5 hash:
9c8886759e736d3f27674e0fff63d40a
SHA1 hash:
ceff6a7b106c3262d9e8496d2ab319821b100541
Link:
https://www.unpac.me/results/e04b9293-30c1-4a62-a665-5f40dfbbf2af/
SH256 hash:
8d3b5464f9127a495587c0bce600e7081d2d50fd44293416b8ff660333bac6b9
MD5 hash:
6dc95063f87001fa121c5ade18b3a134
SHA1 hash:
492b09d87e6773a43b96782c02bd21c2db0e6eef
Link:
https://www.unpac.me/results/e04b9293-30c1-4a62-a665-5f40dfbbf2af/
SH256 hash:
ef733ca6cdfd0c4c2be6168e0f51c8a9cf14470f3f8330e699f34fd38644b0a0
MD5 hash:
379268764b8e28f9f8b1c56d04d7318f
SHA1 hash:
39f76295cd638c8dcfe31390a8c3129646e82a71
Link:
https://www.unpac.me/results/e04b9293-30c1-4a62-a665-5f40dfbbf2af/
SH256 hash:
b1d16d8e6907f15b583f6aebe3ea9986dda807275ebbd239a5fdf9fbdaa88b71
MD5 hash:
cb4e8358a58de5cd176e3c4bbe264043
SHA1 hash:
cf4b296b1abb3e938fa29a983ad4b7577de20f2b
Link:
https://www.unpac.me/results/e04b9293-30c1-4a62-a665-5f40dfbbf2af/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b1d16d8e6907f15b583f6aebe3ea9986dda807275ebbd239a5fdf9fbdaa88b71

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Socks5Systemz

Executable exe b1d16d8e6907f15b583f6aebe3ea9986dda807275ebbd239a5fdf9fbdaa88b71

(this sample)

  
Dropped by
Privateloader
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/3124389/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
CHECK_NXMissing Non-Executable Memory Protectioncritical
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh
Reviews
IDCapabilitiesEvidence
SECURITY_BASE_APIUses Security Base APIadvapi32.dll::AdjustTokenPrivileges
WIN32_PROCESS_APICan Create Process and Threadskernel32.dll::CreateProcessA
advapi32.dll::OpenProcessToken
kernel32.dll::CloseHandle
WIN_BASE_APIUses Win Base APIkernel32.dll::LoadLibraryA
kernel32.dll::GetSystemInfo
kernel32.dll::GetCommandLineA
WIN_BASE_IO_APICan Create Fileskernel32.dll::CreateDirectoryA
kernel32.dll::CreateFileA
kernel32.dll::DeleteFileA
kernel32.dll::GetWindowsDirectoryA
kernel32.dll::GetFileAttributesA
kernel32.dll::RemoveDirectoryA
WIN_BASE_USER_APIRetrieves Account Informationadvapi32.dll::LookupPrivilegeValueA
WIN_REG_APICan Manipulate Windows Registryadvapi32.dll::RegOpenKeyExA
advapi32.dll::RegQueryValueExA
WIN_USER_APIPerforms GUI Actionsuser32.dll::PeekMessageA
user32.dll::CreateWindowExA

Comments