MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c18f7ea329da96ac1a6f58cc10f749e5b2b3fe67b2ec7d8d345033e778213afb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Socks5Systemz

Vendor detections: 14

Intelligence 14 IOCs YARA 6 File information Comments

SHA256 hash:	c18f7ea329da96ac1a6f58cc10f749e5b2b3fe67b2ec7d8d345033e778213afb
SHA3-384 hash:	deabe99511fe3dcce20e356090eed28c5cc87e93c06fb7c2996e8b92dc8ea0dac4c5b7cced06761fc506f36480757a92
SHA1 hash:	6a8897d9fe8c285f01fc50ef08122ff40aba7f64
MD5 hash:	9ac36d5d22c178fcf1ac12f272b052aa
humanhash:	harry-oxygen-early-cola
File name:	file
Download:	download sample
Signature	Socks5Systemz Create hunting rule
File size:	3'673'869 bytes
First seen:	2025-10-02 04:01:48 UTC
Last seen:	2025-10-10 04:05:53 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	884310b1928934402ea6fec1dbd3cf5e (3'725 x GCleaner, 3'453 x Socks5Systemz, 262 x RaccoonStealer)
ssdeep	98304:I0maYujg1aJg5TVQ6VqXD6YOgJ/NKUrqsVF:0ujXiSwqXDJFH+4F
TLSH	T1220633DCA74081B2FB9563BA9853645A8D377F210E25B651F4C1CFCA8F621E1E0436EB
TrID	76.2% (.EXE) Inno Setup installer (107240/4/30) 10.0% (.EXE) Win32 Executable Delphi generic (14182/79/4) 4.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 3.2% (.EXE) Win32 Executable (generic) (4504/4/1) 1.4% (.EXE) Win16/32 Executable Delphi generic (2072/23)
Magika	pebin
Reporter	Bitsight
Tags:	dropped-by-amadey exe Socks5Systemz

Bitsight

url: http://178.16.55.189/files/7782139129/nNM31RQ.exe

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Malware family:

amadey

ID:

File name:

0e074c82987b77386950abfd4d7df09c059e28235bd3b35214b0e75ec0039580

Verdict:

Malicious activity

Analysis date:

2025-10-01 18:59:59 UTC

Tags:

amadey auto generic redline stealer botnet rdp unlocker-eject tool loader autoit arch-exec stealc auto-startup evasion rat njrat bladabindi auto-reg banker grandoreiro purecrypter darkvision remote backdoor anti-evasion

Link:

https://app.any.run/tasks/509e279a-520b-4433-84ae-31a864bed8f8

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/29859/

Detection(s):

SecuriteInfo.com.Downloader.Agent2.BJXB.15489.UNOFFICIAL

Verdict:

Malicious

Score:

99.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=68ddf95d40b7da0b4eb97b14

Tags:

injection dropper virus

Result

Verdict:

Clean

Maliciousness:

Behaviour

Creating a file in the %temp% subdirectories

Creating a window

Creating a process from a recently created file

Сreating synchronization primitives

Searching for the window

Searching for synchronization primitives

Creating a file

Moving a recently created file

Launching the default Windows debugger (dwwin.exe)

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

adaptive-context borland_delphi crypt fingerprint innosetup installer overlay packed unsafe

Link:

https://www.filescan.io/uploads/68ddf95074e5a289899d7367/reports/d866c984-36a9-4af3-888a-e94d517ea713/overview

Verdict:

Malicious

Labled as:

Adware.Popwina.fbjv/PSY

Link:

https://www.hybrid-analysis.com/sample/c18f7ea329da96ac1a6f58cc10f749e5b2b3fe67b2ec7d8d345033e778213afb

Verdict:

Malicious

File Type:

exe x32

First seen:

2025-10-02T07:29:00Z UTC

Last seen:

2025-10-02T07:45:00Z UTC

Hits:

~10

Detections:

Trojan.Win32.Ekstak.sb BSS:Trojan.Win32.Generic Trojan-Proxy.Win32.Sok5Syz.sb UDS:DangerousObject.Multi.Generic

Link:

https://opentip.kaspersky.com/c18f7ea329da96ac1a6f58cc10f749e5b2b3fe67b2ec7d8d345033e778213afb/results?tab=lookup

Verdict:

Suspicious

Link:

https://analyze.intezer.com/analyses/6f2f232e-a56b-4f21-a533-ad11c6e42f0c

Score:

64%

Verdict:

Susipicious

File Type:

Link:

https://malprob.io/report/c18f7ea329da96ac1a6f58cc10f749e5b2b3fe67b2ec7d8d345033e778213afb

Gathering data

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/c18f7ea329da96ac1a6f58cc10f749e5b2b3fe67b2ec7d8d345033e778213afb/

Verdict:

Malicious

Threat:

Family.SOCKS5SYSTEMZ

Link:

https://tip.neiki.dev/file/c18f7ea329da96ac1a6f58cc10f749e5b2b3fe67b2ec7d8d345033e778213afb

Threat name:

Win32.Trojan.Egairtigado

Status:

Malicious

First seen:

2025-10-01 11:43:46 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

21 of 38 (55.26%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=yghx5izj3klkygtpldgbb52j4wzlh7thwlwh3djukaz6o6bbhl5q._file

Result

Malware family:

socks5systemz

Score:

10/10

Tags:

family:socks5systemz botnet discovery

Link:

https://tria.ge/reports/251002-el3hesgn4t/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Program crash

System Location Discovery: System Language Discovery

Checks installed software on the system

Executes dropped EXE

Loads dropped DLL

Detect Socks5Systemz Payload

Socks5Systemz

Socks5systemz family

Verdict:

Malicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/256b1665-e7c1-4c82-871c-42f7957aa403

Unpacked files

SH256 hash:

c18f7ea329da96ac1a6f58cc10f749e5b2b3fe67b2ec7d8d345033e778213afb

MD5 hash:

9ac36d5d22c178fcf1ac12f272b052aa

SHA1 hash:

6a8897d9fe8c285f01fc50ef08122ff40aba7f64

Link:

https://www.unpac.me/results/cdf35d39-66de-4524-936e-52233369c005/

SH256 hash:

9b68a3165db52d4323be45b181c86583fee3d633e91643cbc3ab449d30566fe9

MD5 hash:

951a69e0f3f9b4a2c4386fd8a6ff683f

SHA1 hash:

35b72900493d5e8f0ce8fdec90c0970897b29590

Link:

https://www.unpac.me/results/cdf35d39-66de-4524-936e-52233369c005/

SH256 hash:

8ae984aba495b3d5205a5e7e834f4aeeaf7004711b1817e0fe1287ec96ae8e78

MD5 hash:

03be013d017676f1edb105c090be4704

SHA1 hash:

9ac53222182f0c25183f25ee573479ffc0a557ae

Link:

https://www.unpac.me/results/cdf35d39-66de-4524-936e-52233369c005/

SH256 hash:

44b8e6a310564338968158a1ed88c8535dece20acb06c5e22d87953c261dfed0

MD5 hash:

9c8886759e736d3f27674e0fff63d40a

SHA1 hash:

ceff6a7b106c3262d9e8496d2ab319821b100541

Link:

https://www.unpac.me/results/cdf35d39-66de-4524-936e-52233369c005/

SH256 hash:

4cb80b545b6118496f924ad54398bd73b56ce84e6e92e8a160ad84d4370285e4

MD5 hash:

e553a0c6661f36cda9ac5aa1dd762d52

SHA1 hash:

59482bcb699dda3ef8989945e90a33ff00fdc81d

Link:

https://www.unpac.me/results/cdf35d39-66de-4524-936e-52233369c005/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/c18f7ea329da96ac1a6f58cc10f749e5b2b3fe67b2ec7d8d345033e778213afb

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	CP_AllMal_Detector Create hunting rule
Author:	DiegoAnalytics
Description:	CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication

Rule name:	FreddyBearDropper Create hunting rule
Author:	Dwarozh Hoshiar
Description:	Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	pe_detect_tls_callbacks Create hunting rule

Rule name:	ScanStringsInsocks5systemz Create hunting rule
Author:	Byambaa@pubcert.mn
Description:	Scans presence of the found strings using the in-house brute force method