MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e52067c5c5842359f70b1196fd0ed1b9e119ae8eb11408f2a08f0487dc2d21a6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Socks5Systemz


Vendor detections: 15


Intelligence 15 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e52067c5c5842359f70b1196fd0ed1b9e119ae8eb11408f2a08f0487dc2d21a6
SHA3-384 hash: 81fa192d848d27496b0bb6fffac6ba9791c5a79acdf0a51094650fceb2f6766177d4a94a4c417ea9ee28013b76c45121
SHA1 hash: 49f2594e949e49cb97bc14ccddae177d1a890661
MD5 hash: 65feff45a4140b9c22043e9227f7c978
humanhash: helium-timing-may-ten
File name:file
Download: download sample
Signature Socks5Systemz
Create hunting rule
File size:3'636'767 bytes
First seen:2024-09-28 13:14:30 UTC
Last seen:2024-09-28 14:22:56 UTC
File type:Executable exe
MIME type:application/x-dosexec
ssdeep 98304:Rq7zb/x3ohSLwqyZimcnxTGwvsqXLhUe9eDL:wx3ohxqgcxTPpUeyL
TLSH T165F5335CB5A72D07FC169438D0CA36F806FD6E2B76F62A6FCF045D58808C27C5252AB6
TrID 44.4% (.EXE) Win64 Executable (generic) (10523/12/4)
21.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
8.7% (.ICL) Windows Icons Library (generic) (2059/9)
8.5% (.EXE) OS/2 Executable (generic) (2029/13)
8.4% (.EXE) Generic Win/DOS Executable (2002/3)
Magika pebin
Reporter Bitsight
Tags:exe Socks5Systemz


Avatar
Bitsight
url: http://103.130.147.211/Files/Test.exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
483
Origin country :
US US
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2024-09-28 13:15:31 UTC
Tags:
evasion
Link:
https://app.any.run/tasks/01af4713-0700-49e9-b754-f1acbe61393b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.3065.25703.8914.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=66f8026779032805ce8ed822
Tags:
Discovery Encryption Execution Infostealer Network Stealth Trojan Exploit Emotet Trojan Tori
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Creating a process with a hidden window
Launching a process
Searching for synchronization primitives
Connection attempt
Sending an HTTP GET request
DNS request
Sending a custom TCP request
Launching the default Windows debugger (dwwin.exe)
Reading critical registry keys
Using the Windows Management Instrumentation requests
Blocking the User Account Control
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Adding an exclusion to Microsoft Defender
Unauthorized injection to a system process
Verdict:
Unknown
Threat level:
  10/10
Confidence:
100%
Tags:
overlay vbnet
Link:
https://www.filescan.io/uploads/66f80157b240a2b637c8880c/reports/006839d7-4905-4cda-ac44-9ef4c868d35d/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/e52067c5c5842359f70b1196fd0ed1b9e119ae8eb11408f2a08f0487dc2d21a6
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Bsymem
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/1e4194fa-c76d-448c-99f2-ff51d55ce2d5
Result
Threat name:
LummaC, Clipboard Hijacker, Cryptbot, Lu
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1521472
Signature
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
AI detected suspicious sample
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Contains functionality to infect the boot sector
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Disables UAC (registry)
Drops large PE files
Drops PE files to the document folder of the user
Found API chain indicative of debugger detection
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
LummaC encrypted strings found
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies Windows Defender protection settings
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has a writeable .text section
Sample uses process hollowing technique
Sample uses string decryption to hide its real strings
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Wab/Wabmig Unusual Parent Or Child Processes
Suricata IDS alerts for network traffic
Suspicious powershell command line found
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Uses cmd line tools excessively to alter registry or file data
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected Clipboard Hijacker
Yara detected Cryptbot
Yara detected LummaC Stealer
Yara detected Neoreklami
Yara detected Socks5Systemz
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1521472 Sample: file.exe Startdate: 28/09/2024 Architecture: WINDOWS Score: 100 150 marafon.in 2->150 152 ipinfo.io 2->152 154 2 other IPs or domains 2->154 174 Suricata IDS alerts for network traffic 2->174 176 Found malware configuration 2->176 178 Malicious sample detected (through community Yara rule) 2->178 180 23 other signatures 2->180 14 file.exe 1 3 2->14         started        17 svchost.exe 12 68 2->17         started        signatures3 process4 signatures5 214 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 14->214 216 Writes to foreign memory regions 14->216 218 Allocates memory in foreign processes 14->218 220 4 other signatures 14->220 19 wab.exe 29 14->19         started        23 powershell.exe 23 14->23         started        26 WerFault.exe 19 16 14->26         started        34 2 other processes 14->34 28 WerFault.exe 2 17->28         started        30 WerFault.exe 17->30         started        32 WerFault.exe 17->32         started        36 3 other processes 17->36 process6 dnsIp7 156 api64.ipify.org 173.231.16.77, 443, 49731 WEBNXUS United States 19->156 158 176.113.115.95, 49740, 80 SELECTELRU Russian Federation 19->158 160 8 other IPs or domains 19->160 122 C:\Users\...\qlrS5iOkunvTbQOuIgt4yvua.exe, PE32 19->122 dropped 124 C:\Users\...\k6guwH6I_1bqCtgd4Q1gwgtB.exe, PE32 19->124 dropped 126 C:\Users\...\jLqtehZ5Ag5x2We6gdI90uid.exe, PE32 19->126 dropped 130 11 other malicious files 19->130 dropped 38 jLqtehZ5Ag5x2We6gdI90uid.exe 19->38         started        41 BZQpUevSTE4H2yFlHHYbt7yF.exe 19->41         started        43 qlrS5iOkunvTbQOuIgt4yvua.exe 19->43         started        49 4 other processes 19->49 182 Loading BitLocker PowerShell Module 23->182 47 conhost.exe 23->47         started        128 C:\ProgramData\Microsoft\...\Report.wer, Unicode 26->128 dropped file8 signatures9 process10 dnsIp11 134 C:\Users\user\AppData\Local\...\Install.exe, PE32 38->134 dropped 51 Install.exe 38->51         started        136 C:\Users\...\BZQpUevSTE4H2yFlHHYbt7yF.tmp, PE32 41->136 dropped 54 BZQpUevSTE4H2yFlHHYbt7yF.tmp 41->54         started        168 185.244.181.140 BELCLOUDBG Russian Federation 43->168 138 C:\Users\user\AppData\...\service123.exe, PE32 43->138 dropped 140 C:\Users\user\...\njPjHKsVxynqiGjnGpHt.dll, PE32 43->140 dropped 194 Suspicious powershell command line found 43->194 196 Found many strings related to Crypto-Wallets (likely being stolen) 43->196 198 Tries to harvest and steal browser information (history, passwords, etc) 43->198 200 Drops large PE files 43->200 142 C:\Users\user\AppData\Local\...\Y-Cleaner.exe, PE32 49->142 dropped 144 C:\Users\user\...\Bunifu_UI_v1.5.3.dll, PE32 49->144 dropped 146 C:\Users\user\AppData\Local\...\dll[1], PE32 49->146 dropped 148 C:\Users\user\AppData\Local\...\soft[1], PE32 49->148 dropped 202 Multi AV Scanner detection for dropped file 49->202 204 Detected unpacking (changes PE section rights) 49->204 206 Detected unpacking (overwrites its own PE header) 49->206 208 4 other signatures 49->208 56 WerFault.exe 49->56         started        58 WerFault.exe 49->58         started        60 WerFault.exe 49->60         started        62 2 other processes 49->62 file12 signatures13 process14 file15 112 C:\Users\user\AppData\Local\...\Install.exe, PE32 51->112 dropped 64 Install.exe 51->64         started        114 C:\Users\user\AppData\Local\...\_iscrypt.dll, PE32 54->114 dropped 116 C:\Users\user\AppData\...\unins000.exe (copy), PE32 54->116 dropped 118 C:\Users\user\AppData\Local\...\is-JOU42.tmp, PE32 54->118 dropped 120 15 other files (7 malicious) 54->120 dropped 67 playglock32.exe 54->67         started        process16 dnsIp17 170 Multi AV Scanner detection for dropped file 64->170 172 Modifies Windows Defender protection settings 64->172 71 cmd.exe 64->71         started        74 forfiles.exe 64->74         started        162 185.208.158.248 SIMPLECARRER2IT Switzerland 67->162 164 91.211.247.248 VPSNET-ASLT Lithuania 67->164 166 195.154.173.35 OnlineSASFR France 67->166 132 C:\...drax Smart Maker 9.28.47.exe, PE32 67->132 dropped file18 signatures19 process20 signatures21 184 Suspicious powershell command line found 71->184 186 Uses cmd line tools excessively to alter registry or file data 71->186 188 Modifies Windows Defender protection settings 71->188 76 forfiles.exe 71->76         started        79 forfiles.exe 71->79         started        81 forfiles.exe 71->81         started        87 3 other processes 71->87 83 cmd.exe 74->83         started        85 conhost.exe 74->85         started        process22 signatures23 210 Modifies Windows Defender protection settings 76->210 89 cmd.exe 76->89         started        92 cmd.exe 79->92         started        94 cmd.exe 81->94         started        212 Suspicious powershell command line found 83->212 96 powershell.exe 83->96         started        98 cmd.exe 87->98         started        100 cmd.exe 87->100         started        process24 signatures25 190 Uses cmd line tools excessively to alter registry or file data 89->190 102 reg.exe 89->102         started        104 reg.exe 92->104         started        106 reg.exe 94->106         started        108 reg.exe 98->108         started        192 Suspicious powershell command line found 100->192 110 powershell.exe 100->110         started        process26
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/e52067c5c5842359f70b1196fd0ed1b9e119ae8eb11408f2a08f0487dc2d21a6
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e52067c5c5842359f70b1196fd0ed1b9e119ae8eb11408f2a08f0487dc2d21a6/
Threat name:
Win64.Trojan.Privateloader
Create hunting rule
Status:
Malicious
First seen:
2024-09-28 13:15:13 UTC
File Type:
PE+ (.Net Exe)
Extracted files:
1
AV detection:
17 of 24 (70.83%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=4uqgprofqqrvt5ylcglp2dwrxhqrtluowekar4var4cipxbnegta._file
Verdict:
malicious
Label(s):
cryptbot
Create hunting rule
gcleaner
Create hunting rule
risepro
Create hunting rule
shellcode_loader_002
Create hunting rule
socks5systemz
Create hunting rule
smokeloader
Create hunting rule
Result
Malware family:
n/a
Score:
  10/10
Tags:
discovery evasion execution trojan
Link:
https://tria.ge/reports/240928-qg8dnazfra/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
System policy modification
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Checks whether UAC is enabled
Looks up external IP address via web service
Checks computer location settings
Uses the VBS compiler for execution
Windows security modification
Command and Scripting Interpreter: PowerShell
UAC bypass
Windows security bypass
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/55229a0f-bb79-495b-85d9-a5f009ce67d6
Unpacked files
SH256 hash:
e52067c5c5842359f70b1196fd0ed1b9e119ae8eb11408f2a08f0487dc2d21a6
MD5 hash:
65feff45a4140b9c22043e9227f7c978
SHA1 hash:
49f2594e949e49cb97bc14ccddae177d1a890661
Link:
https://www.unpac.me/results/7ce8d3d9-c61c-469e-8861-a438199239d2/
Malware family:
SmokeLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/e52067c5c584/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Socks5 Systemz
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e52067c5c5842359f70b1196fd0ed1b9e119ae8eb11408f2a08f0487dc2d21a6

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_no_import_table
Create hunting rule
Description:Detect pe file that no import table

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Socks5Systemz

Executable exe e52067c5c5842359f70b1196fd0ed1b9e119ae8eb11408f2a08f0487dc2d21a6

(this sample)

  
Dropped by
Privateloader
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/3195694/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (GUARD_CF)high

Comments