MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e116206005f232bf0c588607f686cb03ed2eaffb763ab86ba58cdb9073da5593. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Socks5Systemz


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e116206005f232bf0c588607f686cb03ed2eaffb763ab86ba58cdb9073da5593
SHA3-384 hash: 6710a531d0670a437b16d4bfc6876f346365ed7f6242bcd6997332bb9841381d0e346e3c81e8e48b5d8e2f41bfec5554
SHA1 hash: 38699f88968cadb3983618cd5bbbb3b88f213780
MD5 hash: fc9a26093014b085bdf84a890a20bc53
humanhash: sodium-july-arizona-august
File name:fc9a26093014b085bdf84a890a20bc53
Download: download sample
Signature Socks5Systemz
Create hunting rule
File size:7'424'365 bytes
First seen:2023-12-15 15:59:20 UTC
Last seen:2023-12-15 17:21:06 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 884310b1928934402ea6fec1dbd3cf5e (3'725 x GCleaner, 3'463 x Socks5Systemz, 262 x RaccoonStealer)
ssdeep 98304:P3/amXSUacP+VeOS25WuHVGn25NVWNM/oKnv3gGkzXdAFpmHnKxsio5B3zud0:/PSciHEuNVr3oj2FmKBo33zj
Threatray 7'424 similar samples on MalwareBazaar
TLSH T131763381F18DEA31C22807F85C91D87C693AEDA8AA3D481A3DD5CFDE63349856F4934D
TrID 76.2% (.EXE) Inno Setup installer (107240/4/30)
10.0% (.EXE) Win32 Executable Delphi generic (14182/79/4)
4.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.2% (.EXE) Win32 Executable (generic) (4505/5/1)
1.4% (.EXE) Win16/32 Executable Delphi generic (2072/23)
File icon (PE):PE icon
dhash icon 6060d8c8ead8b0b4 (29 x Socks5Systemz)
Reporter zbetcheckin
Tags:32 exe Socks5Systemz

Intelligence

File Origin
# of uploads :
2
# of downloads :
274
Origin country :
FR FR
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/467579/
Detection(s):
SecuriteInfo.com.Win32.Evo-gen.25639.25661.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a window
Creating a process from a recently created file
Сreating synchronization primitives
Searching for the window
Searching for synchronization primitives
Creating a file in the Program Files subdirectories
Moving a file to the Program Files subdirectory
Launching a process
Modifying a system file
Creating a file
Creating a service
Launching the process to interact with network services
Enabling autorun for a service
Gathering data
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
control installer lolbin overlay packed shell32
Link:
https://www.filescan.io/uploads/657c7804a6bc59352f29d0cd/reports/91e4eec9-5fae-437c-9ad3-01b7f59ab523/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_60%
Link:
https://www.hybrid-analysis.com/sample/e116206005f232bf0c588607f686cb03ed2eaffb763ab86ba58cdb9073da5593
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/d5e383fb-3f7c-48ab-8adc-77be16136ed6
Result
Threat name:
Petite Virus, Socks5Systemz
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1362759
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Contains functionality to infect the boot sector
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Machine Learning detection for dropped file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has nameless sections
Snort IDS alert for network traffic
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Petite Virus
Yara detected Socks5Systemz
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1362759 Sample: IBhFmtwNlH.exe Startdate: 15/12/2023 Architecture: WINDOWS Score: 100 45 Snort IDS alert for network traffic 2->45 47 Antivirus detection for dropped file 2->47 49 Antivirus / Scanner detection for submitted sample 2->49 51 9 other signatures 2->51 8 IBhFmtwNlH.exe 2 2->8         started        process3 file4 33 C:\Users\user\AppData\...\IBhFmtwNlH.tmp, PE32 8->33 dropped 11 IBhFmtwNlH.tmp 17 76 8->11         started        process5 file6 35 C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+ 11->35 dropped 37 C:\Users\user\AppData\Local\...\_isdecmp.dll, PE32 11->37 dropped 39 C:\Users\user\AppData\Local\...\_iscrypt.dll, PE32 11->39 dropped 41 106 other files (83 malicious) 11->41 dropped 53 Uses schtasks.exe or at.exe to add and modify task schedules 11->53 15 CPhone.exe 1 15 11->15         started        18 CPhone.exe 1 2 11->18         started        21 net.exe 1 11->21         started        23 schtasks.exe 1 11->23         started        signatures7 process8 dnsIp9 43 bgcgbbt.com 185.196.8.22, 49713, 49714, 49715 SIMPLECARRER2IT Switzerland 15->43 31 C:\ProgramData\M73Bitrate\M73Bitrate.exe, PE32 18->31 dropped 25 conhost.exe 21->25         started        27 net1.exe 1 21->27         started        29 conhost.exe 23->29         started        file10 process11
Score:
93%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/e116206005f232bf0c588607f686cb03ed2eaffb763ab86ba58cdb9073da5593
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e116206005f232bf0c588607f686cb03ed2eaffb763ab86ba58cdb9073da5593/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2023-12-15 16:00:08 UTC
File Type:
PE (Exe)
Extracted files:
5
AV detection:
7 of 37 (18.92%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=4elcayaf6izl6dcyqyd7nbwlapws5l73oy5lq25frtnza462kwjq._file
Verdict:
suspicious
Similar samples:
233b5e1dbe1fe4646e59dbc0ae9c01163dcf605c479ad0fc3647f43a7942a874
Socks5Systemz
2bc3e4ce86eb3ea1132751a8d7dfd6014826456bc4386b1204d1890eec924a76
Socks5Systemz
2f215a325088575bc1002bca75baf8629715ff71d296e60377f4700f8d83d268
Socks5Systemz
428d114b1dc4b27834417e605c62ff20b4abc4782717586ecf9a7e95f5f18b95
Socks5Systemz
6a2f19d0709fd3ca608de2aa17da02dc88c41b6c1717062cc16ead0e4de8ddc7
Socks5Systemz
94cf49bb2f08ab8dfa76f0199903d42922821fa584cf721afa544f552798a039
Socks5Systemz
af2deeda0aa90cc9dffa5753a6d3221d0d9ca68349a3c59543a19f916485c823
Socks5Systemz
e806c565a582ce9bd80f63133561cfdc726f40ce14e4736ca6ff0e27492fd9b2
Socks5Systemz
ee64643f2b172f59667db8bcb9852997fd8a640e021353d80e5fa513ee1f50e8
Socks5Systemz
f7ded3ace79dfa17068938bf8fd458338f9573960ab75739b3993ca1699783bc
Socks5Systemz
+ 7'414 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
discovery
Link:
https://tria.ge/reports/231215-tfm8wagbd6/
Behaviour
Runs net.exe
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Drops file in Program Files directory
Checks installed software on the system
Executes dropped EXE
Loads dropped DLL
Unexpected DNS network traffic destination
Unpacked files
SH256 hash:
3fc7c3967fa834dc445e10527b001fffc136410c0ba87dae7d279bce96b68111
MD5 hash:
6b6ef37bee7f0d54ac5e5c237ed6a000
SHA1 hash:
f5704a8b6c4683f528dca414a3dc91470c740d61
Detections:
INDICATOR_EXE_Packed_VMProtect
Create hunting rule
Link:
https://www.unpac.me/results/ce437188-94fc-45cd-9cef-30e8869a8dae/
Parent samples :
7a2a631d1671c8ecf1ececd2498b4471fd0576c432ec9c3e13013b3d77b98509
e116206005f232bf0c588607f686cb03ed2eaffb763ab86ba58cdb9073da5593
436230c88516fcf3f335143e38b246672fd6a856dab3e25201bd3c37045e2e3d
675a665b49fcbd65dd4c5ff2e2f18e505b250470ea2f82bba176dfe8ca751bb5
SH256 hash:
c9278f17730a4078d3b28e349d31dbdab961d8b61aab7b710f088d0f03a033c8
MD5 hash:
dcd2f5ab1e14cdd37fa4de9cac79f521
SHA1 hash:
c87577e55433a5f51080374337467a66283f0c68
Link:
https://www.unpac.me/results/ce437188-94fc-45cd-9cef-30e8869a8dae/
SH256 hash:
38e8c85d8a6ce391d4a5a7626e5522c7fbacc91ef6ad0807db7b9568d2c44a4c
MD5 hash:
471f16afbf74dcb96cb05d605ee43be8
SHA1 hash:
2feeaa67ecc4ff9d28e7dcaad5973bb8bed49a93
Link:
https://www.unpac.me/results/ce437188-94fc-45cd-9cef-30e8869a8dae/
SH256 hash:
c724c767c98742b9fa1cecb249b3adfb154e8cd3a8c24a8dcc09d5fab131dba4
MD5 hash:
bb104b85dbce15cb7548266d4e877505
SHA1 hash:
25e6d3dd307518d1c1e51f7be994230c8a22bb09
Link:
https://www.unpac.me/results/ce437188-94fc-45cd-9cef-30e8869a8dae/
SH256 hash:
e116206005f232bf0c588607f686cb03ed2eaffb763ab86ba58cdb9073da5593
MD5 hash:
fc9a26093014b085bdf84a890a20bc53
SHA1 hash:
38699f88968cadb3983618cd5bbbb3b88f213780
Link:
https://www.unpac.me/results/ce437188-94fc-45cd-9cef-30e8869a8dae/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e116206005f232bf0c588607f686cb03ed2eaffb763ab86ba58cdb9073da5593

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Socks5Systemz

Executable exe e116206005f232bf0c588607f686cb03ed2eaffb763ab86ba58cdb9073da5593

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/467579/

Comments


Avatar
zbet commented on 2023-12-15 15:59:21 UTC

url : hxxps://hitsturbo.com/order/tuc3.exe