MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e5abb3371787fbc9567867a1304cc18624134417480ee5d8d1e4f1d4368cb114. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Socks5Systemz

Vendor detections: 17

Intelligence 17 IOCs 1 YARA 6 File information Comments

SHA256 hash:	e5abb3371787fbc9567867a1304cc18624134417480ee5d8d1e4f1d4368cb114
SHA3-384 hash:	402f00cf421d07efb154d69ecc2b92ec37e1401e9f55db4c9aa4e067607db4b717257c9be556eb2c0777a0f9917626bf
SHA1 hash:	0dbe799680837608e04c48b722e66ad00a447ad1
MD5 hash:	32780be68011901e126753d4f213a3c0
humanhash:	item-stairway-carbon-avocado
File name:	32780be68011901e126753d4f213a3c0.exe
Download:	download sample
Signature	Socks5Systemz Create hunting rule
File size:	255'488 bytes
First seen:	2024-10-19 20:30:21 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	018b0e81b9a0aaaf5992f115baa1acb0 (1 x Smoke Loader, 1 x Socks5Systemz)
ssdeep	3072:o8LCNar8Hab17xdumIVDQDFmJ+RAU5JXVYz3M5PTsxZ2HVWaej:o8LCUgHmhIVU4JknFYc5PkYW
TLSH	T1D344D5B26EE0A815EEA607769F2DD6DC6B2FBC625F30525E3144BE0F19733A1C512312
TrID	47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 15.9% (.EXE) Win64 Executable (generic) (10522/11/4) 9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.8% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika	pebin
File icon (PE):
dhash icon	12716d4cf4c4d4c4 (3 x Smoke Loader, 1 x Tofsee, 1 x Stealc)
Reporter	abuse_ch
Tags:	exe SmokeLoader Socks5Systemz

abuse_ch

Socks5Systemz C2:
http://45.88.76.205/30f6901d21ae0dd7.php

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
http://45.88.76.205/30f6901d21ae0dd7.php	https://threatfox.abuse.ch/ioc/1338225/

Intelligence

File Origin

# of uploads :

# of downloads :

525

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

32780be68011901e126753d4f213a3c0.exe

Verdict:

Malicious activity

Analysis date:

2024-10-19 20:37:57 UTC

Tags:

loader smokeloader

Link:

https://app.any.run/tasks/0269404b-888f-4d75-887b-5bbeb60a31d0

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection(s):

Win.Virus.Botx-10036331-0

Win.Packed.Generic-10036332-0

Verdict:

Malicious

Score:

92.5%

Link:

https://cyber-fortress.com/docs/result/index.php?id=6714171b34f884d15c8d388a

Tags:

Smokeloader Phishing Hype Onli

Result

Verdict:

Malware

Maliciousness:

Behaviour

Unauthorized injection to a system process

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

fingerprint microsoft_visual_cc packed packed packer_detected smokeloader virus

Link:

https://www.filescan.io/uploads/67141711cb929da7ec4dbe17/reports/5e7c4f63-32a3-4c83-b112-701963ee443c/overview

Verdict:

Malicious

Labled as:

Trojan.Generic

Link:

https://www.hybrid-analysis.com/sample/e5abb3371787fbc9567867a1304cc18624134417480ee5d8d1e4f1d4368cb114

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Suspicious

Link:

https://analyze.intezer.com/analyses/bbbca5b3-20bf-462c-b64b-c38b6509a398

Result

Threat name:

SmokeLoader

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1537870

Signature

AI detected suspicious sample

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Benign windows process drops PE files

C2 URLs / IPs found in malware configuration

Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))

Checks if the current machine is a virtual machine (disk enumeration)

Creates a thread in another existing process (thread injection)

Deletes itself after installation

Detected unpacking (changes PE section rights)

Found malware configuration

Hides that the sample has been downloaded from the Internet (zone.identifier)

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Switches to a custom stack to bypass stack traces

Yara detected SmokeLoader

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/e5abb3371787fbc9567867a1304cc18624134417480ee5d8d1e4f1d4368cb114

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/e5abb3371787fbc9567867a1304cc18624134417480ee5d8d1e4f1d4368cb114/

Threat name:

Win32.Trojan.SmokeLoader

Status:

Malicious

First seen:

2024-10-17 14:32:54 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

20 of 24 (83.33%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=4wv3gnyxq754svtym6qtatgbqysbgraxjaholwgr4ty5inumweka._file

Verdict:

malicious

Label(s):

smokeloader

shellcode_loader_002

Similar samples:

error

Socks5Systemz

Result

Malware family:

smokeloader

Score:

10/10

Tags:

family:smokeloader botnet:pub4 backdoor discovery trojan

Link:

https://tria.ge/reports/241019-zaqppsxcrc/

Behaviour

Checks SCSI registry key(s)

Program crash

System Location Discovery: System Language Discovery

SmokeLoader

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/036e8749-e718-446f-a074-b36f46696a5c

Unpacked files

SH256 hash:

c711207b26819dbe7555a81f11bf5b39c2a310303d28d5232436c286c637d66e

MD5 hash:

26a7b7c2db7331200f095d62ebb17a2c

SHA1 hash:

14b2819d3d682761fc993eb7b148104a32f9e455

Detections:

SmokeLoaderStage2

win_smokeloader_a2

Link:

https://www.unpac.me/results/3cc0e6fa-5a20-40e5-9251-498361802c49/

Parent samples :

a76320bf90703f6591b6ec9a66522652c04ea3d87ed57f906cf0f8db209cb4c3
9141576518bee49ee565f2a71eab03c5b3097c97d025063c90da05656b3f46d9
f018d1a30bc424bfc07ffdf8561dbab03c631550dc152ded17ba2c5def8b23f6
6e41bbf45206030f9a1277d06f28e467d8877ad2b0ea24d1b6179b4d4438346f
338ccdb8d1e330e26c491a0a4c9ca8e7a44d3208b56214dd07c3ae2dda0214c2
50f86ebddd156619b173883981364d8955365d76d2c3ae9391ec911e65551be9
e5abb3371787fbc9567867a1304cc18624134417480ee5d8d1e4f1d4368cb114

SH256 hash:

e5abb3371787fbc9567867a1304cc18624134417480ee5d8d1e4f1d4368cb114

MD5 hash:

32780be68011901e126753d4f213a3c0

SHA1 hash:

0dbe799680837608e04c48b722e66ad00a447ad1

Link:

https://www.unpac.me/results/3cc0e6fa-5a20-40e5-9251-498361802c49/

Malware family:

SmokeLoader

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/e5abb3371787/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/e5abb3371787fbc9567867a1304cc18624134417480ee5d8d1e4f1d4368cb114

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerHiding__Active Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	pe_detect_tls_callbacks Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (HIGH_ENTROPY_VA)	high
CHECK_NX	Missing Non-Executable Memory Protection	critical
CHECK_PIE	Missing Position-Independent Executable (PIE) Protection	high

Reviews

ID	Capabilities	Evidence
AUTH_API	Manipulates User Authorization	ADVAPI32.dll::ObjectPrivilegeAuditAlarmA
WIN32_PROCESS_API	Can Create Process and Threads	KERNEL32.dll::CloseHandle
WIN_BASE_API	Uses Win Base API	KERNEL32.dll::TerminateProcess KERNEL32.dll::LoadLibraryA KERNEL32.dll::GetVolumeInformationW KERNEL32.dll::GetStartupInfoW KERNEL32.dll::GetStartupInfoA KERNEL32.dll::GetCommandLineW
WIN_BASE_EXEC_API	Can Execute other programs	KERNEL32.dll::FillConsoleOutputCharacterA KERNEL32.dll::WriteConsoleA KERNEL32.dll::WriteConsoleW KERNEL32.dll::ReadConsoleOutputA KERNEL32.dll::SetConsoleMode KERNEL32.dll::SetConsoleTitleA
WIN_BASE_IO_API	Can Create Files	KERNEL32.dll::CopyFileExA KERNEL32.dll::CreateFileA KERNEL32.dll::MoveFileA KERNEL32.dll::GetFileAttributesW
WIN_BASE_USER_API	Retrieves Account Information	KERNEL32.dll::GetComputerNameW KERNEL32.dll::QueryDosDeviceA
WIN_TIME_API	Can Modify Time	KERNEL32.dll::SetSystemTimeAdjustment

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample