MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d8b6e420fd0e3b02617c088ca249eb95d1bd3c1e4b5dbecd76bf60bdb0b22c53. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Socks5Systemz


Vendor detections: 14


Intelligence 14 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d8b6e420fd0e3b02617c088ca249eb95d1bd3c1e4b5dbecd76bf60bdb0b22c53
SHA3-384 hash: a880a8c0f8ce21baae993ba6b4f4a0289504c42c70a41303526bf10de7f85e400cbbcd945792272fde32387517f65a56
SHA1 hash: c0cd027aee3f2b29b63751e0d342e9866b15e313
MD5 hash: 930b29d33de964a9f6a86a24ded5c39b
humanhash: hydrogen-aspen-comet-jersey
File name:SecuriteInfo.com.Trojan-Dropper.Win32.Agent.28678.2092
Download: download sample
Signature Socks5Systemz
Create hunting rule
File size:4'791'929 bytes
First seen:2023-12-31 13:22:04 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 884310b1928934402ea6fec1dbd3cf5e (3'725 x GCleaner, 3'510 x Socks5Systemz, 262 x RaccoonStealer)
ssdeep 98304:QQrrkhkp+Jv6fxjQFoegdQunt4RQSbi5Y4dm8:xHkqQJv6fypc4RQBm4dD
Threatray 101 similar samples on MalwareBazaar
TLSH T1E9263397D0B3A6F2D0B8497625778120795D8D960EA25703A20FB8E7B1E30F0479BF9D
TrID 76.2% (.EXE) Inno Setup installer (107240/4/30)
10.0% (.EXE) Win32 Executable Delphi generic (14182/79/4)
4.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.2% (.EXE) Win32 Executable (generic) (4505/5/1)
1.4% (.EXE) Win16/32 Executable Delphi generic (2072/23)
File icon (PE):PE icon
dhash icon b298acbab2ca7a72 (2'327 x GCleaner, 1'631 x Socks5Systemz, 67 x RedLineStealer)
Reporter SecuriteInfoCom
Tags:exe Socks5Systemz

Intelligence

File Origin
# of uploads :
1
# of downloads :
268
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
phorpiex
Create hunting rule
ID:
1
File name:
4363463463464363463463463.exe
Verdict:
Malicious activity
Analysis date:
2023-12-31 10:58:41 UTC
Tags:
hausbomber loader opendir autoit evasion phorpiex trojan redline parallax remote stealer kelihos stealc dupzom arechclient2 backdoor agenttesla amadey lumma dcrat socks5systemz proxy servstart
Link:
https://app.any.run/tasks/2758b046-f921-41d1-9ddb-6554ec222849

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Trojan-Dropper.Win32.Agent.28678.2092.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a window
Creating a process from a recently created file
Сreating synchronization primitives
Searching for the window
Searching for synchronization primitives
Creating a file in the Program Files subdirectories
Moving a file to the Program Files subdirectory
Modifying a system file
Creating a file
Creating a service
Enabling autorun for a service
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
control installer lolbin masquerade overlay packed shell32
Link:
https://www.filescan.io/uploads/65916b366b1c246046124976/reports/db911d53-9633-4607-99f4-b8852c58cab3/overview
Verdict:
Malicious
Link:
https://www.hybrid-analysis.com/sample/d8b6e420fd0e3b02617c088ca249eb95d1bd3c1e4b5dbecd76bf60bdb0b22c53
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Argotronic GmbH
Create hunting rule
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/c8e5f2e9-b057-49e3-8a04-e9b96c04ae8f
Result
Threat name:
Petite Virus, Socks5Systemz
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1368387
Signature
Antivirus / Scanner detection for submitted sample
Contains functionality to infect the boot sector
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Multi AV Scanner detection for submitted file
PE file has nameless sections
Snort IDS alert for network traffic
Yara detected Petite Virus
Yara detected Socks5Systemz
Behaviour
Behavior Graph:
Download SVG
Score:
17%
Verdict:
Benign
File Type:
PE
Link:
https://malprob.io/report/d8b6e420fd0e3b02617c088ca249eb95d1bd3c1e4b5dbecd76bf60bdb0b22c53
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d8b6e420fd0e3b02617c088ca249eb95d1bd3c1e4b5dbecd76bf60bdb0b22c53/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Malicious
First seen:
2023-12-31 13:23:13 UTC
File Type:
PE (Exe)
Extracted files:
5
AV detection:
11 of 22 (50.00%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=3c3oiih5by5qeyl4bcgkesplsxi32pa6jno35tlwx5ql3mfsfrjq._file
Verdict:
malicious
Similar samples:
10f9cc26e26e53771700e9b3e241bb303b4d07d0337dc72bbc0d8b3646af39b0
Socks5Systemz
5dad68a8228450333b6202358c2fc50fe5ec7527c51e391c13354ab7ce27e667
Socks5Systemz
67926c17aede849c4eaaf09eb88631c6dea6f9303a275ef3ad8d1c59f7b0f322
Socks5Systemz
811341ecc410990e471254f7fb3cb7ee35ee2e973d27962348625812533e35eb
Socks5Systemz
83eaf65e818f6596f8f3877812110afbc87719322590f589c1d459e057e469c8
Socks5Systemz
84267ef2e22d063f17aafa767f4f98f45de256ce765fee5d0fc4d5dd7f01ea58
Socks5Systemz
9c6485edb10d0150212a8fe11b97a472f86e881acc8249c7a686f14f3aa82b36
Socks5Systemz
cd7f3e7bc9f55c0018b0db329c5fdaf13e2e295cf10eee13c8b580f47e871e1c
Socks5Systemz
f89be0ae5fef2d65bb44231da30bbcb64e0b2e01d46bfa29fc8c42a409e13876
Socks5Systemz
+ 91 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
discovery
Link:
https://tria.ge/reports/231231-qmskdsdbe3/
Behaviour
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Drops file in Program Files directory
Checks installed software on the system
Executes dropped EXE
Loads dropped DLL
Unexpected DNS network traffic destination
Unpacked files
SH256 hash:
096b6a95a46ac2eebec267c0b6565d789d9a590e08e16d11fbd1365cdfbcdda1
MD5 hash:
e464ffd7fafb13de154bd0905d274c4a
SHA1 hash:
5e8b12626afbf438633e04877365878e28cc3f96
Detections:
INDICATOR_EXE_Packed_VMProtect
Create hunting rule
Link:
https://www.unpac.me/results/ab1845e8-a67e-435a-906c-20f7d5b9f80c/
SH256 hash:
2bfe410b19c836083c8b8f5cf184e47761d661694879d00e159e58a8c5f3e8c8
MD5 hash:
3bdb6834d3031a6c402c6a6967a19206
SHA1 hash:
1feef2d6e22e9e1cfd37f2f4184b6c074e0add14
Link:
https://www.unpac.me/results/ab1845e8-a67e-435a-906c-20f7d5b9f80c/
SH256 hash:
3c5a5dfe48fd52d00a41a58cf6c5a564cd94f9cef858b9b9aa15681767cc2d4c
MD5 hash:
819926ad1b4d8bcdde32b4f9e0402a45
SHA1 hash:
dca7b2041522c1e9673d9cdc7567fe11b1639953
Link:
https://www.unpac.me/results/ab1845e8-a67e-435a-906c-20f7d5b9f80c/
SH256 hash:
fd61bbb9410cd1db0ff509364d5d9c6edb9b803193a1b2bab733e3d16942667b
MD5 hash:
6685353823fbeb44c770918faa97b331
SHA1 hash:
dc3ab0496f3f4c654358124d70ef81b36a4f23d4
Link:
https://www.unpac.me/results/ab1845e8-a67e-435a-906c-20f7d5b9f80c/
SH256 hash:
c059b4635f147160959d431f6e846ecabe7be9e9a379b21659cd2cd3ce4adc5b
MD5 hash:
5a12aa6f3dd00658e2c7aacb1323ae70
SHA1 hash:
10abb0f9160e5c157d506506fbeab8a30e8167db
Link:
https://www.unpac.me/results/ab1845e8-a67e-435a-906c-20f7d5b9f80c/
SH256 hash:
d8b6e420fd0e3b02617c088ca249eb95d1bd3c1e4b5dbecd76bf60bdb0b22c53
MD5 hash:
930b29d33de964a9f6a86a24ded5c39b
SHA1 hash:
c0cd027aee3f2b29b63751e0d342e9866b15e313
Link:
https://www.unpac.me/results/ab1845e8-a67e-435a-906c-20f7d5b9f80c/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d8b6e420fd0e3b02617c088ca249eb95d1bd3c1e4b5dbecd76bf60bdb0b22c53

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_VMProtect
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with VMProtect.
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:MoleBoxv20
Create hunting rule
Author:malware-lu
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Socks5Systemz

Executable exe d8b6e420fd0e3b02617c088ca249eb95d1bd3c1e4b5dbecd76bf60bdb0b22c53

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2745326/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2745372/
  
URLhaus
https://urlhaus.abuse.ch/url/2745336/
  
URLhaus
https://urlhaus.abuse.ch/url/2743106/
  
URLhaus
https://urlhaus.abuse.ch/url/2745349/
  
URLhaus
https://urlhaus.abuse.ch/url/2741224/
  
URLhaus
https://urlhaus.abuse.ch/url/2741238/
  
URLhaus
https://urlhaus.abuse.ch/url/2745341/
  
URLhaus
https://urlhaus.abuse.ch/url/2745353/
  
URLhaus
https://urlhaus.abuse.ch/url/2741213/
  
URLhaus
https://urlhaus.abuse.ch/url/2741241/
  
URLhaus
https://urlhaus.abuse.ch/url/2741237/
  
URLhaus
https://urlhaus.abuse.ch/url/2741212/
  
URLhaus
https://urlhaus.abuse.ch/url/2745366/
  
URLhaus
https://urlhaus.abuse.ch/url/2745361/
  
URLhaus
https://urlhaus.abuse.ch/url/2741231/
  
URLhaus
https://urlhaus.abuse.ch/url/2741222/

Comments