MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e185e43f039f7a97672db4a44597abd6d2bf49c08d7bc689318a098ec826bb00. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Socks5Systemz


Vendor detections: 12


Intelligence 12 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e185e43f039f7a97672db4a44597abd6d2bf49c08d7bc689318a098ec826bb00
SHA3-384 hash: 3f1e2f701e86b0860e0a402b906b17a188462b7b03332a090f9fcbebc9d3f4994e46fc78e507bd4b9f3770a6433180ce
SHA1 hash: c2a42211c8970e1f10cc13261d5e133739c196f4
MD5 hash: 5237853dbebaefb1dfa86130dd1d39fa
humanhash: solar-william-high-jersey
File name:file
Download: download sample
Signature Socks5Systemz
Create hunting rule
File size:438'784 bytes
First seen:2024-11-20 04:01:01 UTC
Last seen:2024-11-21 04:00:54 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash db15b2e5808ca5f767d44b63a5e7dde0 (1 x Socks5Systemz)
ssdeep 6144:bIkLslp6440MCP5FQn40gxeppjMo7LR68z1T:bIkIlp6445M3Q40goppL7LRNh
TLSH T15A94C0139691BCA0E96647329D2EC6E4762EB9214E193F7B33786F2F14701B2D273319
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10522/11/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika pebin
File icon (PE):PE icon
dhash icon 3058b8707a7878b0 (1 x Socks5Systemz)
Reporter Bitsight
Tags:exe Socks5Systemz


Avatar
Bitsight
url: http://31.41.244.11/files/mixeleven.exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
455
Origin country :
US US
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
file
Verdict:
No threats detected
Analysis date:
2024-11-20 04:04:08 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/45a53fcc-d353-44bb-9f00-146133c7afa2

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
Win.Packer.pkr_ce1a-9980177-0
Create hunting rule

Verdict:
Malicious
Score:
97.4%
Link:
https://cyber-fortress.com/docs/result/index.php?id=673d5feb7b9ab5fcc4dba29b
Tags:
cobalt small hype sage
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Restart of the analyzed sample
Connection attempt
Sending an HTTP GET request
Verdict:
Unknown
Threat level:
  2.5/10
Confidence:
100%
Tags:
anti-vm fingerprint microsoft_visual_cc
Link:
https://www.filescan.io/uploads/673d5f02ef05ce04988cc115/reports/3dde5e23-1655-42b9-b506-c4c1624feb7b/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/e185e43f039f7a97672db4a44597abd6d2bf49c08d7bc689318a098ec826bb00
Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/13ac684a-2932-49e1-a219-398de4e5007d
Result
Threat name:
Nymaim, Socks5Systemz
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1559044
Signature
AI detected suspicious sample
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to infect the boot sector
Contains functionality to inject code into remote processes
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found API chain indicative of debugger detection
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Nymaim
Yara detected Socks5Systemz
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1559044 Sample: file.exe Startdate: 20/11/2024 Architecture: WINDOWS Score: 100 64 Suricata IDS alerts for network traffic 2->64 66 Found malware configuration 2->66 68 Malicious sample detected (through community Yara rule) 2->68 70 15 other signatures 2->70 10 file.exe 2->10         started        process3 signatures4 74 Contains functionality to inject code into remote processes 10->74 76 Injects a PE file into a foreign processes 10->76 13 file.exe 22 10->13         started        process5 dnsIp6 62 185.156.72.65, 49730, 49731, 80 ITDELUXE-ASRU Russian Federation 13->62 50 C:\Users\user\AppData\...\ebAAb6KfuCx7.exe, PE32 13->50 dropped 52 C:\Users\user\AppData\...52qISs1vOr.exe, PE32 13->52 dropped 54 C:\Users\user\AppData\Local\...\ONE[1].file, PE32 13->54 dropped 56 C:\Users\user\AppData\Local\...\PAB1[1].file, PE32 13->56 dropped 17 NqISs1vOr.exe 2 13->17         started        20 ebAAb6KfuCx7.exe 1 13->20         started        file7 process8 file9 36 C:\Users\user\AppData\Local\...36qISs1vOr.tmp, PE32 17->36 dropped 23 NqISs1vOr.tmp 18 18 17->23         started        72 Multi AV Scanner detection for dropped file 20->72 signatures10 process11 file12 38 C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+ 23->38 dropped 40 C:\Users\user\AppData\Local\...\_iscrypt.dll, PE32 23->40 dropped 42 C:\Users\user\AppData\...\unins000.exe (copy), PE32 23->42 dropped 44 17 other files (10 malicious) 23->44 dropped 26 altergame32.exe 1 20 23->26         started        30 net.exe 1 23->30         started        process13 dnsIp14 58 boietuj.com 185.208.158.202, 49858, 49885, 49892 SIMPLECARRER2IT Switzerland 26->58 60 89.105.201.183, 2023, 49864, 49891 NOVOSERVE-ASNL Netherlands 26->60 46 C:\ProgramDataShineEncoder\sqlite3.dll, PE32 26->46 dropped 48 C:\ProgramData\...ShineEncoder.exe, PE32 26->48 dropped 32 conhost.exe 30->32         started        34 net1.exe 1 30->34         started        file15 process16
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/e185e43f039f7a97672db4a44597abd6d2bf49c08d7bc689318a098ec826bb00
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e185e43f039f7a97672db4a44597abd6d2bf49c08d7bc689318a098ec826bb00/
Threat name:
Win32.Trojan.Amadey
Create hunting rule
Status:
Malicious
First seen:
2024-11-20 01:14:25 UTC
File Type:
PE (Exe)
Extracted files:
28
AV detection:
15 of 24 (62.50%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=4gc6ipydt55jozznwsself5l23jl6soarv54ncjrriey5sbgxmaa._file
Verdict:
malicious
Label(s):
gcleaner
Create hunting rule
Similar samples:
error
Socks5Systemz
Result
Malware family:
n/a
Score:
  5/10
Tags:
discovery
Link:
https://tria.ge/reports/241120-ek72hszflg/
Behaviour
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Verdict:
Malicious
Tags:
Win.Packer.pkr_ce1a-9980177-0
YARA:
n/a
Link:
https://app.threat.zone/submission/eb279742-4759-41aa-b987-d444f214ec78
Unpacked files
SH256 hash:
a3eefdfc11dfe079f42ce5a79ed3037bef1cbbcf40b85eeaf59c77bcccd42bcc
MD5 hash:
2cb09a537d5179a588b7aa525407f83d
SHA1 hash:
4dadfafb9f8d1aff848531ad26d40bdd92cdbc81
Link:
https://www.unpac.me/results/2524b672-2843-45c1-bfec-bdf825082e20/
SH256 hash:
e185e43f039f7a97672db4a44597abd6d2bf49c08d7bc689318a098ec826bb00
MD5 hash:
5237853dbebaefb1dfa86130dd1d39fa
SHA1 hash:
c2a42211c8970e1f10cc13261d5e133739c196f4
Link:
https://www.unpac.me/results/2524b672-2843-45c1-bfec-bdf825082e20/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e185e43f039f7a97672db4a44597abd6d2bf49c08d7bc689318a098ec826bb00

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Socks5Systemz

Executable exe e185e43f039f7a97672db4a44597abd6d2bf49c08d7bc689318a098ec826bb00

(this sample)

  
Dropped by
Amadey
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/3296071/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
CHECK_NXMissing Non-Executable Memory Protectioncritical
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh
Reviews
IDCapabilitiesEvidence
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CloseHandle
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::FindNextVolumeMountPointA
KERNEL32.dll::LoadLibraryW
KERNEL32.dll::LoadLibraryA
KERNEL32.dll::GetStartupInfoW
KERNEL32.dll::GetStartupInfoA
WIN_BASE_EXEC_APICan Execute other programsKERNEL32.dll::WriteConsoleInputW
KERNEL32.dll::WriteConsoleA
KERNEL32.dll::WriteConsoleW
KERNEL32.dll::ReadConsoleInputA
KERNEL32.dll::SetConsoleCP
KERNEL32.dll::SetStdHandle
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CreateFileA
KERNEL32.dll::GetFileAttributesA
KERNEL32.dll::GetTempFileNameW
WIN_BASE_USER_APIRetrieves Account InformationKERNEL32.dll::GetComputerNameA

Comments