MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d5443366bd6b13e9c3a7942cb0ada907485dc50799e3eea8921110a908e20620. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Socks5Systemz

Vendor detections: 12

Intelligence 12 IOCs YARA 3 File information Comments 1

SHA256 hash:	d5443366bd6b13e9c3a7942cb0ada907485dc50799e3eea8921110a908e20620
SHA3-384 hash:	ef05c02d5367e16a11cd2bdb8a1ab2f5b4f3d23ab1a91fc17354bda68e2d61618ae1f4c88bf862a2dba4afc52625fdf4
SHA1 hash:	3712ce2bcb0fd6a8576c60f66176487addf54735
MD5 hash:	24155d792f151abc186710404a756ab2
humanhash:	uranus-kansas-venus-winner
File name:	24155d792f151abc186710404a756ab2
Download:	download sample
Signature	Socks5Systemz Create hunting rule
File size:	4'573'627 bytes
First seen:	2024-05-11 03:51:07 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	884310b1928934402ea6fec1dbd3cf5e (3'725 x GCleaner, 3'460 x Socks5Systemz, 262 x RaccoonStealer)
ssdeep	98304:VzyhXV/Kr3xXBMcAlq91OahsyI4jGh1SWu3Kl0RvSt:2tKtXGcAlqrOgs8GM73dv6
Threatray	764 similar samples on MalwareBazaar
TLSH	T16826333E30960033D65345B61565DB17BCD6FBDA70E36280B13A06EF7EABA4C3086B52
TrID	76.2% (.EXE) Inno Setup installer (107240/4/30) 10.0% (.EXE) Win32 Executable Delphi generic (14182/79/4) 4.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 3.2% (.EXE) Win32 Executable (generic) (4504/4/1) 1.4% (.EXE) Win16/32 Executable Delphi generic (2072/23)
File icon (PE):
dhash icon	b298acbab2ca7a72 (2'327 x GCleaner, 1'631 x Socks5Systemz, 67 x RedLineStealer)
Reporter	zbetcheckin
Tags:	32 exe Socks5Systemz

Intelligence

File Origin

# of uploads :

# of downloads :

382

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

d5443366bd6b13e9c3a7942cb0ada907485dc50799e3eea8921110a908e20620.exe

Verdict:

Malicious activity

Analysis date:

2024-05-11 03:53:15 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/848fb923-f2e7-49f1-b6be-f112624b52e1

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection(s):

SecuriteInfo.com.Trojan.Moneyinst.746.21331.248.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file in the %temp% subdirectories

Creating a window

Creating a process from a recently created file

Сreating synchronization primitives

Searching for the window

Creating a file

Moving a recently created file

Modifying a system file

Creating a service

Enabling autorun for a service

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

fingerprint installer lolbin overlay packed risepro shell32

Link:

https://www.filescan.io/uploads/663eeb631c9796b80aba98c4/reports/b851f76f-fff8-4bfb-b1de-5f7b37f7de74/overview

Verdict:

Suspicious

Labled as:

HEUR/AGEN.1372994

Link:

https://www.hybrid-analysis.com/sample/d5443366bd6b13e9c3a7942cb0ada907485dc50799e3eea8921110a908e20620

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/c228a81d-ff47-4f94-9a27-b8233a8317f9

Result

Threat name:

Socks5Systemz

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1439944

Signature

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

C2 URLs / IPs found in malware configuration

Contains functionality to infect the boot sector

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found API chain indicative of debugger detection

Found malware configuration

Machine Learning detection for dropped file

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Yara detected Socks5Systemz

Behaviour

Behavior Graph:

Download SVG

Score:

86%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/d5443366bd6b13e9c3a7942cb0ada907485dc50799e3eea8921110a908e20620

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/d5443366bd6b13e9c3a7942cb0ada907485dc50799e3eea8921110a908e20620/

Threat name:

Win32.Trojan.Generic

Status:

Malicious

First seen:

2024-05-11 02:22:11 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

10 of 24 (41.67%)

Threat level:

2/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=2vcdgzv5nmj6tq5hsqwlblnja5ef3rihthr65kesceikschcayqa._file

Verdict:

unknown

Socks5Systemz

1464acc46c09c24e0b15b76c355a2665a221064dfaf885a75c6b91cafc961785

Socks5Systemz

303f48ee385460aed18613b31b729d7adf437313e9190bcf5e1aca126bc88368

Socks5Systemz

4589960a9a31c7dbdb6687e3d336cfa69660969b40e00d5dfb9f578ee6d2b26f

Socks5Systemz

5fb04dd2f4c026af1ac7a9ec258f029367eb227c8e0ae8e854f33544868bf0bd

Socks5Systemz

a20ab4ef8402d5cb92e5e5991cf6f5778a8ccd2cbab02b57a2adf33e46a1715a

Socks5Systemz

a283083eea81bfe5d7fc1c5203af7e2995e88a87a019702eeff18a6572bb86f0

Socks5Systemz

aee7699b3ec508b621d68c6e7f235007756d688e40ab6fd360d84b9b592acdc7

Socks5Systemz

d32ac5d2e850f72fc00483a0a8576bb59adee025670ee1aa499344c708ce184f

Socks5Systemz

e09a18963c0d27d11e0587c5ec0c55563b77f83042ced18825b00457ec9af0bd

Socks5Systemz

+ 754 additional samples on MalwareBazaar

Result

Malware family:

socks5systemz

Score:

10/10

Tags:

family:socks5systemz botnet discovery

Link:

https://tria.ge/reports/240511-ee283sbg8z/

Behaviour

Suspicious use of WriteProcessMemory

Checks installed software on the system

Executes dropped EXE

Loads dropped DLL

Unexpected DNS network traffic destination

Detect Socks5Systemz Payload

Socks5Systemz

Malware Config

C2 Extraction:

http://erlbrwo.ua/search/?q=67e28dd83f0bf1291606a9177c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4de8889b5e4fa9281ae978f171ea771795af8e05c645db22f31df92d8b38e316a667d307eca743ec4c2b07b52966923a628df618c5e694
http://erlbrwo.ua/search/?q=67e28dd83f0bf1291606a9177c27d78406abdd88be4b12eab517aa5c96bd86ee91824a835a8bbc896c58e713bc90c91836b5281fc235a925ed3e52d6bd974a95129070b616e96cc92be20ea778c255bbe258b90d3b4eed3233d1626a8ff810c5ec9c933ec46e
http://bulbluu.com/search/?q=67e28dd86b5cf27c420ff9177c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978a371ea771795af8e05c645db22f31dfe339426fa11af66c152adb719a9577e55b8603e983a608ffa12c9e6909232
http://bulbluu.com/search/?q=67e28dd86b5cf27c420ff9177c27d78406abdd88be4b12eab517aa5c96bd86ef90874e835a8bbc896c58e713bc90c91936b5281fc235a925ed3e00d6bd974a95129070b616e96cc92be510b866db52b2e34aec4c2b14a82966836f23d7f210c7ee909932c46a9e1f

Unpacked files

SH256 hash:

9c774333455b2c4cf39859a48af98865afa0f65d1c153540d7fa6ffd2966386c

MD5 hash:

f5ef7dda0a20d520d2ea04c0da74a2ef

SHA1 hash:

5a784d4a1c98c173fb1a956f71a0245311a3c544

Detections:

Socks5Systemz

Link:

https://www.unpac.me/results/225d959a-9f82-438d-9190-610c7032fed7/

Parent samples :

d5443366bd6b13e9c3a7942cb0ada907485dc50799e3eea8921110a908e20620
4290538536fec9e39e474454088ca2ab49f85e1f73a28f4dca9d02193f678ba6
59d2219b77a96d7f81e897e2cfd2f7db8003d59502d070b6c4f1cd83c853fb60
fd710dcf20f70aa20147e7ccc428cd7d9a4373f650f51d1903ed0dd29169869d
5ee48d2691192b4e7a0b8a571a64e463501abf0fed4aa56fafa73f276b18197d
6189a16383acf0d3f462ddbc89da19d8ae11d51d570d68108ce75e72fe1bbe99
7fcf9da4f0365c791ee2e24a2cdf92f2a42c130ea851380096c267a98e77d791
10da91cb97285df01fcb5a7d0400d1cd938152c69d043ae6b98b11aed3040774
9ada07181610ce5042cbea91ca0bb76b02f53026a892d3290814a0b82e0b4eef
9a36202b5534a0e81b3a2bcaf254576dd9452b36c7ecd607776ccd3df0a744a8

SH256 hash:

4ec2ecc6240cbf92372fbdd164e61302caba39402206aa5c70ae12efe2b645f1

MD5 hash:

4e0190cf12a9e2b6e2cce10f72e4e58c

SHA1 hash:

1281b767ebb931d7ff07a1379dcb4d61c267752d

Detections:

INDICATOR_EXE_Packed_VMProtect

Link:

https://www.unpac.me/results/225d959a-9f82-438d-9190-610c7032fed7/

Parent samples :

SH256 hash:

458f884abc78883f23373f2d5f6204b128b0f31bed2c16c74bd9ffd40d9d83af

MD5 hash:

cc26efce0350f2e71965d6e442f273a2

SHA1 hash:

a4c633477376561f39b52c4792a44b9f6a465c0d

Link:

https://www.unpac.me/results/225d959a-9f82-438d-9190-610c7032fed7/

SH256 hash:

44b8e6a310564338968158a1ed88c8535dece20acb06c5e22d87953c261dfed0

MD5 hash:

9c8886759e736d3f27674e0fff63d40a

SHA1 hash:

ceff6a7b106c3262d9e8496d2ab319821b100541

Link:

https://www.unpac.me/results/225d959a-9f82-438d-9190-610c7032fed7/

SH256 hash:

4dc09bac0613590f1fac8771d18af5be25a1e1cb8fdbf4031aa364f3057e74a2

MD5 hash:

0ee914c6f0bb93996c75941e1ad629c6

SHA1 hash:

12e2cb05506ee3e82046c41510f39a258a5e5549

Link:

https://www.unpac.me/results/225d959a-9f82-438d-9190-610c7032fed7/

SH256 hash:

8bdd82fcf6d6038acf9f1647afd89d6cd4cda7a2f9e4e2fdfe788d1e583f28b8

MD5 hash:

cbff28c827ccc2eabd1c44e60380d4f8

SHA1 hash:

628afbbf8b648be15899c250dcfd6cacd811aade

Link:

https://www.unpac.me/results/225d959a-9f82-438d-9190-610c7032fed7/

SH256 hash:

b5bf8ac1406d5c70772531561b618d9e679389d935f4dbf43e0164ab325813bb

MD5 hash:

828a09b69b78450f0e85642392b161bd

SHA1 hash:

38ee7676a05eae8fc5921e9ec7b753c966f3c0fb

Link:

https://www.unpac.me/results/225d959a-9f82-438d-9190-610c7032fed7/

SH256 hash:

d5443366bd6b13e9c3a7942cb0ada907485dc50799e3eea8921110a908e20620

MD5 hash:

24155d792f151abc186710404a756ab2

SHA1 hash:

3712ce2bcb0fd6a8576c60f66176487addf54735

Link:

https://www.unpac.me/results/225d959a-9f82-438d-9190-610c7032fed7/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/d5443366bd6b13e9c3a7942cb0ada907485dc50799e3eea8921110a908e20620

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_EXE_Packed_VMProtect Create hunting rule
Author:	ditekSHen
Description:	Detects executables packed with VMProtect.

Rule name:	MD5_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for MD5 constants

Rule name:	shellcode Create hunting rule
Author:	nex
Description:	Matched shellcode byte patterns

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Socks5Systemz

exe d5443366bd6b13e9c3a7942cb0ada907485dc50799e3eea8921110a908e20620

(this sample)

Delivery method

Distributed via web download

URLhaus

https://urlhaus.abuse.ch/url/2841141/

URLhaus

https://urlhaus.abuse.ch/url/2841815/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (HIGH_ENTROPY_VA)	high
CHECK_NX	Missing Non-Executable Memory Protection	critical
CHECK_PIE	Missing Position-Independent Executable (PIE) Protection	high

Reviews

ID	Capabilities	Evidence
SECURITY_BASE_API	Uses Security Base API	advapi32.dll::AdjustTokenPrivileges
WIN32_PROCESS_API	Can Create Process and Threads	kernel32.dll::CreateProcessA advapi32.dll::OpenProcessToken kernel32.dll::CloseHandle
WIN_BASE_API	Uses Win Base API	kernel32.dll::LoadLibraryA kernel32.dll::GetSystemInfo kernel32.dll::GetCommandLineA
WIN_BASE_IO_API	Can Create Files	kernel32.dll::CreateDirectoryA kernel32.dll::CreateFileA kernel32.dll::DeleteFileA kernel32.dll::GetWindowsDirectoryA kernel32.dll::GetFileAttributesA kernel32.dll::RemoveDirectoryA
WIN_BASE_USER_API	Retrieves Account Information	advapi32.dll::LookupPrivilegeValueA
WIN_REG_API	Can Manipulate Windows Registry	advapi32.dll::RegOpenKeyExA advapi32.dll::RegQueryValueExA
WIN_USER_API	Performs GUI Actions	user32.dll::PeekMessageA user32.dll::CreateWindowExA

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

zbet commented on 2024-05-11 03:51:08 UTC

url : hxxp://gig.fastbutters.com/style/060.exe