MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bd68792e8bdc0c4f7733a20a823970ad42f7ed1e702ac5e72e2bdd9b80cab862. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Socks5Systemz


Vendor detections: 16


Intelligence 16 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: bd68792e8bdc0c4f7733a20a823970ad42f7ed1e702ac5e72e2bdd9b80cab862
SHA3-384 hash: 39f334a8e6c951fa19d02d840c9619737a0dca2508389ed4e7d9d18562b7272d74621e5b6b0e3a753f984cbc23050de3
SHA1 hash: 8a24d85818ff9c9cc2b0863d228f9cb54e443742
MD5 hash: 078f9fcdf77fb93ae028eadb4d6c4e89
humanhash: music-mike-emma-stairway
File name:078f9fcdf77fb93ae028eadb4d6c4e89.exe
Download: download sample
Signature Socks5Systemz
Create hunting rule
File size:1'768'960 bytes
First seen:2023-12-12 08:55:19 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 646167cce332c1c252cdcb1839e0cf48 (8'473 x RedLineStealer, 4'851 x Amadey, 290 x Smoke Loader)
ssdeep 49152:KkXNjoHsHnCVyVZwoCui6fFhmvqyD3jnDCiCAKC:NdjoHVZ/uZhQqyD3jnm
TLSH T1A7853302BBDC11B6ED366BB448FF12972A387DE28DB0912B6383D5461D729895C33372
TrID 41.1% (.CPL) Windows Control Panel Item (generic) (57583/11/19)
22.2% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
11.8% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
7.5% (.EXE) Win64 Executable (generic) (10523/12/4)
4.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
File icon (PE):PE icon
dhash icon f8f0f4c8c8c8d8f0 (8'803 x RedLineStealer, 5'078 x Amadey, 288 x Smoke Loader)
Reporter abuse_ch
Tags:exe Socks5Systemz


Avatar
abuse_ch
Socks5Systemz C2:
http://scanintegrutybatowss.pw/api

Intelligence

File Origin
# of uploads :
1
# of downloads :
415
Origin country :
NL NL
Vendor Threat Intelligence
Detection:
SmokeLoader
Create hunting rule
Link:
https://www.capesandbox.com/analysis/466353/
Detection(s):
Sanesecurity.Malware.28840.BadO.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Trojan.Agent.EAOQ.26295.2066.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
Creating a window
Launching a process
Sending a custom TCP request
Behavior that indicates a threat
Searching for the browser window
DNS request
Gathering data
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
advpack anti-vm CAB control explorer installer lolbin packed rundll32 setupapi sfx shell32
Link:
https://www.filescan.io/uploads/65782025da3178d99ce2952e/reports/b2c8cb40-87a5-4e6b-9aef-5454bbc6334e/overview
Verdict:
Malicious
Labled as:
Malware
Link:
https://www.hybrid-analysis.com/sample/bd68792e8bdc0c4f7733a20a823970ad42f7ed1e702ac5e72e2bdd9b80cab862
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/7846924e-7913-49ef-bafb-e1834cf10a65
Result
Threat name:
RedLine, SmokeLoader
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/1359882
Signature
.NET source code contains method to dynamically call methods (often used by packers)
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Binary is likely a compiled AutoIt script file
Contains functionality to modify clipboard data
Disable Windows Defender notifications (registry)
Disable Windows Defender real time protection (registry)
Disables Windows Defender Tamper protection
Found API chain indicative of sandbox detection
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies windows update settings
PE file has a writeable .text section
Phishing site detected (based on logo match)
Yara detected RedLine Stealer
Yara detected SmokeLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1359882 Sample: LiWS0F7fJI.exe Startdate: 12/12/2023 Architecture: WINDOWS Score: 96 84 Malicious sample detected (through community Yara rule) 2->84 86 Antivirus detection for dropped file 2->86 88 Antivirus / Scanner detection for submitted sample 2->88 90 8 other signatures 2->90 10 LiWS0F7fJI.exe 1 4 2->10         started        13 chrome.exe 2->13         started        15 rundll32.exe 2->15         started        17 2 other processes 2->17 process3 file4 70 C:\Users\user\AppData\Local\...\dS7tU48.exe, PE32 10->70 dropped 72 C:\Users\user\AppData\Local\...\7Gn2qK73.exe, PE32 10->72 dropped 19 dS7tU48.exe 1 4 10->19         started        23 chrome.exe 13->23         started        process5 file6 62 C:\Users\user\AppData\Local\...\Um9hz29.exe, PE32 19->62 dropped 64 C:\Users\user\AppData\Local\...\4Ho456Ze.exe, PE32 19->64 dropped 92 Antivirus detection for dropped file 19->92 94 Machine Learning detection for dropped file 19->94 25 Um9hz29.exe 1 4 19->25         started        signatures7 process8 file9 66 C:\Users\user\AppData\Local\...\2Ci7004.exe, PE32 25->66 dropped 68 C:\Users\user\AppData\Local\...\1aY71ck2.exe, PE32 25->68 dropped 96 Binary is likely a compiled AutoIt script file 25->96 98 Machine Learning detection for dropped file 25->98 29 1aY71ck2.exe 12 25->29         started        32 2Ci7004.exe 9 1 25->32         started        signatures10 process11 signatures12 100 Binary is likely a compiled AutoIt script file 29->100 102 Machine Learning detection for dropped file 29->102 104 Found API chain indicative of sandbox detection 29->104 106 Contains functionality to modify clipboard data 29->106 34 chrome.exe 1 29->34         started        37 chrome.exe 29->37         started        39 chrome.exe 29->39         started        41 7 other processes 29->41 108 Modifies windows update settings 32->108 110 Disables Windows Defender Tamper protection 32->110 112 Disable Windows Defender notifications (registry) 32->112 114 Disable Windows Defender real time protection (registry) 32->114 process13 dnsIp14 74 192.168.2.7 unknown unknown 34->74 76 239.255.255.250 unknown Reserved 34->76 43 chrome.exe 34->43         started        46 chrome.exe 34->46         started        48 chrome.exe 34->48         started        50 chrome.exe 37->50         started        52 chrome.exe 39->52         started        54 chrome.exe 41->54         started        56 chrome.exe 41->56         started        58 chrome.exe 41->58         started        60 4 other processes 41->60 process15 dnsIp16 78 twitter.com 104.244.42.129 TWITTERUS United States 43->78 80 tpop-api.twitter.com 104.244.42.194 TWITTERUS United States 43->80 82 96 other IPs or domains 43->82
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/bd68792e8bdc0c4f7733a20a823970ad42f7ed1e702ac5e72e2bdd9b80cab862
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/bd68792e8bdc0c4f7733a20a823970ad42f7ed1e702ac5e72e2bdd9b80cab862/
Threat name:
Win32.Trojan.SmokeLoader
Create hunting rule
Status:
Malicious
First seen:
2023-12-12 08:56:06 UTC
File Type:
PE (Exe)
Extracted files:
200
AV detection:
18 of 22 (81.82%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=xvuhslul3qge65ztuifieolqvvbpp3i6oavmlzzofpozxagkxbra._file
Verdict:
malicious
Result
Malware family:
smokeloader
Create hunting rule
Score:
  10/10
Tags:
family:privateloader family:redline family:risepro family:smokeloader botnet:@oleh_ps botnet:livetraffic backdoor brand:paypal collection discovery evasion infostealer loader persistence phishing spyware stealer trojan
Link:
https://tria.ge/reports/231212-kv1m3sbeh8/
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Creates scheduled task(s)
Enumerates system info in registry
Modifies Internet Explorer settings
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Program crash
AutoIT Executable
Detected potential entity reuse from brand paypal.
Drops file in System32 directory
Accesses Microsoft Outlook profiles
Adds Run key to start application
Checks installed software on the system
Looks up external IP address via web service
.NET Reactor proctector
Drops startup file
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Windows security modification
Downloads MZ/PE file
Modifies Windows Defender Real-time Protection settings
PrivateLoader
RedLine
RedLine payload
RisePro
SmokeLoader
Malware Config
C2 Extraction:
http://81.19.131.34/fks/index.php
193.233.132.51
77.105.132.87:17066
176.123.7.190:32927
Unpacked files
SH256 hash:
5e99d197230ad8be69b60aefb85e361dbea75105456ced2539d9ee164b29cc73
MD5 hash:
c6cb58b06fc2f263b9bb2f218fc9f97f
SHA1 hash:
3c718a7f75f2c1e0eb80a3bec2cd3a24ed587fe8
Detections:
INDICATOR_EXE_Packed_DotNetReactor
Create hunting rule
Link:
https://www.unpac.me/results/82a8d7e8-83eb-4688-9424-306ef89e123c/
Parent samples :
78a2c197dcb65883cebc38339dd08b21f6dffb020d7cbb33a734ed969b1a5fb3
bd68792e8bdc0c4f7733a20a823970ad42f7ed1e702ac5e72e2bdd9b80cab862
SH256 hash:
6c43ee7b706ac0caaf49e939d1faecf220a5383d3a4a2fe7d5c02f87ec4791a0
MD5 hash:
22284609400a9fc252cbed79d4dfdd1c
SHA1 hash:
2fabbadd91eaf3ed408a9c95a68fcb2c053cd18c
Detections:
INDICATOR_EXE_Packed_DotNetReactor
Create hunting rule
Link:
https://www.unpac.me/results/82a8d7e8-83eb-4688-9424-306ef89e123c/
Parent samples :
78a2c197dcb65883cebc38339dd08b21f6dffb020d7cbb33a734ed969b1a5fb3
bd68792e8bdc0c4f7733a20a823970ad42f7ed1e702ac5e72e2bdd9b80cab862
SH256 hash:
cea214c1d74bbd57446f2aa8611354a1f3193704da07e01bb9465e352d2c8988
MD5 hash:
12dc6ba1850dd6dd87c3c57878e6eff2
SHA1 hash:
425c65aa6b331e0cbec4db5c8111144699ce98bb
Detections:
MAL_Malware_Imphash_Mar23_1
Create hunting rule
MALWARE_Win_RedLine
Create hunting rule
Link:
https://www.unpac.me/results/82a8d7e8-83eb-4688-9424-306ef89e123c/
SH256 hash:
6e9d1b6e5b09b06dc74fba4e0a8cd3236563cec93f1c4e5486683924a5cfa6cc
MD5 hash:
79625ef5017cd8883ec5a17faf691f09
SHA1 hash:
16fb0df383be2027f9f1367c0787c22eca701343
Detections:
AutoIT_Compiled
Create hunting rule
Link:
https://www.unpac.me/results/82a8d7e8-83eb-4688-9424-306ef89e123c/
Parent samples :
78a2c197dcb65883cebc38339dd08b21f6dffb020d7cbb33a734ed969b1a5fb3
bd68792e8bdc0c4f7733a20a823970ad42f7ed1e702ac5e72e2bdd9b80cab862
f977db2d43fc46345f2711d8f6ade913ad807ab9b1f0988e2fd01fc45406faa0
SH256 hash:
590ebbe0a589aa550f1574bf1f3a06c012942521becbfed24ef75439a0997165
MD5 hash:
5eb711ed09f12a1b57d6fee4c0f955df
SHA1 hash:
fb7d32f77af4d656e6b8fd12494ef175e2965cc9
Detections:
win_smokeloader_a2
Create hunting rule
Link:
https://www.unpac.me/results/82a8d7e8-83eb-4688-9424-306ef89e123c/
SH256 hash:
b8cad880ebde6eed002a43f59b3a34b894b0e019738660124b747059ef313a77
MD5 hash:
5b74267621d9c935ae8aee8a49f7cf54
SHA1 hash:
a51ca5b85be9ce2af590ee0ea3446b52decf91b3
Link:
https://www.unpac.me/results/82a8d7e8-83eb-4688-9424-306ef89e123c/
SH256 hash:
0d28f4b1fe3e647c35d482f56d1e815f54c68154f81b7fcca1d2c478d49cd135
MD5 hash:
12a9f626511424d4d73f70314ccfabdd
SHA1 hash:
bc82f584a736273a58ed6f41159a2fe0a4e61f40
Link:
https://www.unpac.me/results/82a8d7e8-83eb-4688-9424-306ef89e123c/
SH256 hash:
bd68792e8bdc0c4f7733a20a823970ad42f7ed1e702ac5e72e2bdd9b80cab862
MD5 hash:
078f9fcdf77fb93ae028eadb4d6c4e89
SHA1 hash:
8a24d85818ff9c9cc2b0863d228f9cb54e443742
Detections:
win_redline_wextract_hunting_oct_2023
Create hunting rule
Link:
https://www.unpac.me/results/82a8d7e8-83eb-4688-9424-306ef89e123c/
Malware family:
RedNet
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/bd68792e8bdc/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/bd68792e8bdc0c4f7733a20a823970ad42f7ed1e702ac5e72e2bdd9b80cab862

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:detect_Redline_Stealer
Create hunting rule
Author:Varp0s
Rule name:win_redline_wextract_hunting_oct_2023
Create hunting rule
Author:Matthew @ Embee_Research
Description:Detects wextract archives related to redline/amadey

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Socks5Systemz

Executable exe bd68792e8bdc0c4f7733a20a823970ad42f7ed1e702ac5e72e2bdd9b80cab862

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2738241/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/466353/

Comments