MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b1d9ac5430769e9e617789aaa417fd124ca8ca7a1eb929c31685b387be9db031. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Socks5Systemz

Vendor detections: 12

Intelligence 12 IOCs YARA 3 File information Comments

SHA256 hash:	b1d9ac5430769e9e617789aaa417fd124ca8ca7a1eb929c31685b387be9db031
SHA3-384 hash:	9caef52d32a5eeee2d9d37d7d5ce259dc0e4afd2bb8cdecbf5e3e2283e4a6061a2f01c2db0c9b6d026d29220a6119d5b
SHA1 hash:	5f47397b0bfbd21f287d007ec27f41ed5c6ebb09
MD5 hash:	1da168ace0c7f63a43de8739a5f15ec4
humanhash:	summer-jersey-bluebird-angel
File name:	1da168ace0c7f63a43de8739a5f15ec4.exe
Download:	download sample
Signature	Socks5Systemz Create hunting rule
File size:	2'511'489 bytes
First seen:	2024-02-27 01:25:19 UTC
Last seen:	2024-07-24 20:29:18 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	884310b1928934402ea6fec1dbd3cf5e (3'725 x GCleaner, 3'460 x Socks5Systemz, 262 x RaccoonStealer)
ssdeep	49152:1qX6M+KuILTi7HJ/LSxDBAChLvexF9dQEd8w6NxRSjScvEHqaaTKtWZI0aQiHJB:IXq5T7HJ/LSBhhCdJkwjUQuYaQiH7
Threatray	1 similar samples on MalwareBazaar
TLSH	T193C5331ADB448A33F8A3A6F17D25EC95BD8ABC884D7C61C433CCCD8C1F627A6A615741
TrID	76.2% (.EXE) Inno Setup installer (107240/4/30) 10.0% (.EXE) Win32 Executable Delphi generic (14182/79/4) 4.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 3.2% (.EXE) Win32 Executable (generic) (4504/4/1) 1.4% (.EXE) Win16/32 Executable Delphi generic (2072/23)
File icon (PE):
dhash icon	b298acbab2ca7a72 (2'327 x GCleaner, 1'631 x Socks5Systemz, 67 x RedLineStealer)
Reporter	abuse_ch
Tags:	exe Socks5Systemz

abuse_ch

Socks5Systemz C2:
93.123.39.219:80

Intelligence

File Origin

# of uploads :

# of downloads :

317

Origin country :

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/477900/

Detection(s):

SecuriteInfo.com.Downloader.Agent2.BJXB.15489.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file in the %temp% subdirectories

Creating a window

Creating a process from a recently created file

Сreating synchronization primitives

Searching for the window

Searching for synchronization primitives

Creating a file

Moving a recently created file

Modifying a system file

Creating a service

Enabling autorun for a service

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

fingerprint installer lolbin overlay packed shell32

Link:

https://www.filescan.io/uploads/65dd3a2c26f1ddc579ab7328/reports/59fff0f4-bd2d-45d3-856a-ac203e76b52a/overview

Verdict:

Malicious

Labled as:

Win/grayware_confidence_60%

Link:

https://www.hybrid-analysis.com/sample/b1d9ac5430769e9e617789aaa417fd124ca8ca7a1eb929c31685b387be9db031

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/7f38c718-4f7a-4ceb-9a9a-39707a118975

Score:

22%

Verdict:

Benign

File Type:

Link:

https://malprob.io/report/b1d9ac5430769e9e617789aaa417fd124ca8ca7a1eb929c31685b387be9db031

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/b1d9ac5430769e9e617789aaa417fd124ca8ca7a1eb929c31685b387be9db031/

Threat name:

Win32.Trojan.Generic

Status:

Malicious

First seen:

2024-02-27 01:26:09 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

11 of 24 (45.83%)

Threat level:

2/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=whm2yvbqo2pj4ylxrgvkif75cjgkrst2d24stqywqwzyppu5wayq._file

Verdict:

malicious

Socks5Systemz

Result

Malware family:

socks5systemz

Score:

10/10

Tags:

family:socks5systemz botnet discovery

Link:

https://tria.ge/reports/240227-bthw7sde51/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Checks installed software on the system

Executes dropped EXE

Loads dropped DLL

Unexpected DNS network traffic destination

Detect Socks5Systemz Payload

Socks5Systemz

Malware Config

C2 Extraction:

http://aiibnxt.ru/search/?q=67e28dd83d5fa62d1358fa4d7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4de8889b5e4fa9281ae978ff71ea771795af8e05c645db22f31df92d8b38e316a667d307eca743ec4c2b07b52966923b6f87f616c2ec9c
http://aicwbye.ru/search/?q=67e28dd86c09f220490efa1c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ae8889b5e4fa9281ae978fe71ea771795af8e05c645db22f31dfe339426fa11af66c152adb719a9577e55b8603e983a608ef718c9e897993a
http://aicwbye.ru/search/?q=67e28dd86c09f220490efa1c7c27d78406abdd88be4b12eab517aa5c96bd86ea95834e96148ab2865b77f80ebad9c20f7cb63037ed2ab423a43b4383ba915d911ec07bb606a0708727e40ea678c45abbe74ffb0e2807e12571c17f3e83fe16c0e79c933ccf6c97

Unpacked files

SH256 hash:

cb59e41f1dea37ace158943c9cec4ca72124f4d9afafadf6debe05984cf96ce6

MD5 hash:

5c1e64823274becfe67ee15d4a1cb19e

SHA1 hash:

79ead64a2c50d0e721e09a12d21a6c7b540dbfe9

Link:

https://www.unpac.me/results/8460be86-d7fc-45cd-b990-b13f9a70523b/

SH256 hash:

29824e6b552a49815f956eee3b7fb5711e0ac0af368f3acb9034cddcc681dc6b

MD5 hash:

05d1027da617d8b05d8fe7ba9e925b59

SHA1 hash:

c30071c6bc305e6105a6514373e33f6a5fdfaba0

Detections:

INDICATOR_EXE_Packed_VMProtect

Link:

https://www.unpac.me/results/8460be86-d7fc-45cd-b990-b13f9a70523b/

SH256 hash:

44b8e6a310564338968158a1ed88c8535dece20acb06c5e22d87953c261dfed0

MD5 hash:

9c8886759e736d3f27674e0fff63d40a

SHA1 hash:

ceff6a7b106c3262d9e8496d2ab319821b100541

Link:

https://www.unpac.me/results/8460be86-d7fc-45cd-b990-b13f9a70523b/

SH256 hash:

e4fc574a01b272c2d0aed0ec813f6d75212e2a15a5f5c417129dd65d69768f40

MD5 hash:

c8871efd8af2cf4d9d42d1ff8fadbf89

SHA1 hash:

d0eacd5322c036554d509c7566f0bcc7607209bd

Link:

https://www.unpac.me/results/8460be86-d7fc-45cd-b990-b13f9a70523b/

SH256 hash:

e21400a6bc240048bd4795180c1719e21dac4ce5a117e6801455298b5990a596

MD5 hash:

42ce4da77bdee0f33f6eec71e7e2e857

SHA1 hash:

87634280c562934eb2c775e2dfea850a22234ebe

Link:

https://www.unpac.me/results/8460be86-d7fc-45cd-b990-b13f9a70523b/

SH256 hash:

b1d9ac5430769e9e617789aaa417fd124ca8ca7a1eb929c31685b387be9db031

MD5 hash:

1da168ace0c7f63a43de8739a5f15ec4

SHA1 hash:

5f47397b0bfbd21f287d007ec27f41ed5c6ebb09

Link:

https://www.unpac.me/results/8460be86-d7fc-45cd-b990-b13f9a70523b/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Socks5 Systemz

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/b1d9ac5430769e9e617789aaa417fd124ca8ca7a1eb929c31685b387be9db031

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_EXE_Packed_VMProtect Create hunting rule
Author:	ditekSHen
Description:	Detects executables packed with VMProtect.

Rule name:	MD5_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for MD5 constants

Rule name:	shellcode Create hunting rule
Author:	nex
Description:	Matched shellcode byte patterns

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Socks5Systemz

exe b1d9ac5430769e9e617789aaa417fd124ca8ca7a1eb929c31685b387be9db031

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/2766920/

Delivery method

Distributed via web download

URLhaus

https://urlhaus.abuse.ch/url/2770372/

URLhaus

https://urlhaus.abuse.ch/url/2758623/

Cape

https://www.capesandbox.com/analysis/477900/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample