MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 eb04f77eb4f92dd2b46d04408166a32505e5016435ccd84476f20eeba542dafd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Socks5Systemz


Vendor detections: 12


Intelligence 12 IOCs YARA 14 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: eb04f77eb4f92dd2b46d04408166a32505e5016435ccd84476f20eeba542dafd
SHA3-384 hash: b1589bef7eb40164114143c148af489a4021a78b4c0086a60f5cf5a03dd557b558c881dcfd837e6de092d71a816124ed
SHA1 hash: 8732dfe486f5a7daa4aedda48a3eb134bc2f35c0
MD5 hash: ce869420036665a228c86599361f0423
humanhash: steak-yankee-timing-october
File name:12321321.exe
Download: download sample
Signature Socks5Systemz
Create hunting rule
File size:356'894 bytes
First seen:2025-03-07 16:17:21 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 802d02f4448b6e25480dd2c62dd4c5a4 (2 x Socks5Systemz)
ssdeep 6144:IPz8VYvGAYCJSDKsI2lbTZ4P+DGGilC+QooPCp1InDCCZx5Wt/ixduuZ8BEby209:YcYvu5WiBOPAil1Qok+G5W8xcuZYUQw
TLSH T16374CF1BB7D02B76D438D072CBD787297732AA52D2368B5B19C15E0F617A0162B4BF38
TrID 45.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
18.2% (.EXE) OS/2 Executable (generic) (2029/13)
18.0% (.EXE) Generic Win/DOS Executable (2002/3)
18.0% (.EXE) DOS Executable Generic (2000/1)
0.2% (.VXD) VXD Driver (29/21)
Magika pebin
File icon (PE):PE icon
dhash icon e4f0e8c8dcdcfc70 (2 x Socks5Systemz)
Reporter aachum
Tags:exe Socks5Systemz


Avatar
iamaachum
https://github.com/legendary99999/saffsfsd/releases/download/dsffdssff/12321321.exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
414
Origin country :
ES ES
Vendor Threat Intelligence
Verdict:
Malicious
Score:
96.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=67cb1cd7c668b65489bfdca2
Tags:
autorun dropper trojan virus
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a process from a recently created file
Сreating synchronization primitives
Searching for the window
Searching for synchronization primitives
Creating a file
Moving a recently created file
Creating a service
Creating a window
Sending an HTTP GET request to an infection source
Connection attempt
Sending a custom TCP request
Sending an HTTP GET request
DNS request
Creating a file in the %temp% subdirectories
Connection attempt to an infection source
Launching a file downloaded from the Internet
Enabling autorun for a service
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
anti-debug overlay packed packed packer_detected upx
Link:
https://www.filescan.io/uploads/67cb1c4ce95d0f9029e5bdc5/reports/b77f23a3-a99b-4f3b-ab1b-17a09e1a454e/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/eb04f77eb4f92dd2b46d04408166a32505e5016435ccd84476f20eeba542dafd
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/be05fd7f-b6b3-4ce0-9b03-584042156c63
Result
Threat name:
Socks5Systemz
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1631991
Signature
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Contains functionality to infect the boot sector
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has a writeable .text section
Sample is not signed and drops a device driver
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected Socks5Systemz
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1631991 Sample: 12321321.exe Startdate: 07/03/2025 Architecture: WINDOWS Score: 100 86 Antivirus detection for URL or domain 2->86 88 Antivirus detection for dropped file 2->88 90 Antivirus / Scanner detection for submitted sample 2->90 92 11 other signatures 2->92 9 12321321.exe 17 2->9         started        process3 dnsIp4 70 91.240.118.49, 443, 49697 GLOBALLAYERNL unknown 9->70 72 104.168.28.10, 49696, 49700, 49703 AS-COLOCROSSINGUS United States 9->72 52 c9f74e53-58d1-13d2-8abb-0195719b8be2.exe, PE32+ 9->52 dropped 54 1609a74d-2a2b-4f95-9570-07a864ac654e.exe, PE32 9->54 dropped 56 C:\Users\user\AppData\Local\...\silk[1].exe, PE32 9->56 dropped 58 C:\Users\user\AppData\Local\...\001[1].exe, PE32+ 9->58 dropped 98 Detected unpacking (changes PE section rights) 9->98 100 Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent) 9->100 14 1609a74d-2a2b-4f95-9570-07a864ac654e.exe 2 9->14         started        17 c9f74e53-58d1-13d2-8abb-0195719b8be2.exe 1 9->17         started        file5 signatures6 process7 file8 64 1609a74d-2a2b-4f95-9570-07a864ac654e.tmp, PE32 14->64 dropped 20 1609a74d-2a2b-4f95-9570-07a864ac654e.tmp 18 26 14->20         started        66 C:\Users\user\AppData\...\d.ghSlh.exe (copy), PE32+ 17->66 dropped 78 Antivirus detection for dropped file 17->78 80 Multi AV Scanner detection for dropped file 17->80 82 Writes to foreign memory regions 17->82 84 3 other signatures 17->84 23 vbc.exe 7 6 17->23         started        signatures9 process10 dnsIp11 42 C:\Users\user\AppData\Local\...\_shfoldr.dll, PE32 20->42 dropped 44 C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+ 20->44 dropped 46 C:\Users\user\AppData\Local\...\_iscrypt.dll, PE32 20->46 dropped 50 21 other malicious files 20->50 dropped 27 photorecoverylib.exe 20->27         started        68 127.0.0.1 unknown unknown 23->68 48 C:\Windows\Temp\Hmas5kDc_8664.sys, PE32+ 23->48 dropped 94 Adds a directory exclusion to Windows Defender 23->94 96 Sample is not signed and drops a device driver 23->96 31 powershell.exe 23 23->31         started        34 powershell.exe 23 23->34         started        file12 signatures13 process14 dnsIp15 74 176.113.115.96, 443, 49728, 49730 SELECTELRU Russian Federation 27->74 76 193.176.153.180, 2024, 49729, 49732 AGROSVITUA unknown 27->76 60 C:\ProgramData\PhotoRecoveryLib\sqlite3.dll, PE32 27->60 dropped 62 C:\ProgramData\...\PhotoRecoveryLib.exe, PE32 27->62 dropped 102 Loading BitLocker PowerShell Module 31->102 36 conhost.exe 31->36         started        38 WmiPrvSE.exe 31->38         started        40 conhost.exe 34->40         started        file16 signatures17 process18
Score:
98%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/eb04f77eb4f92dd2b46d04408166a32505e5016435ccd84476f20eeba542dafd
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/eb04f77eb4f92dd2b46d04408166a32505e5016435ccd84476f20eeba542dafd/
Threat name:
Win64.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2025-02-16 15:25:13 UTC
File Type:
PE+ (Exe)
Extracted files:
11
AV detection:
29 of 38 (76.32%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=5mcpo7vu7ew5fndnaraiczvdeuc6kalegxgnqrdw6ihoxjkc3l6q._file
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/250307-ts9bwatlz6/
Behaviour
Suspicious use of WriteProcessMemory
Verdict:
Malicious
Tags:
Win.Malware.Zard-10034042-0 maldocgeneric maldoc
YARA:
n/a
Link:
https://app.threat.zone/submission/85846094-ed84-4678-ac20-3591fc0199eb
Unpacked files
SH256 hash:
eb04f77eb4f92dd2b46d04408166a32505e5016435ccd84476f20eeba542dafd
MD5 hash:
ce869420036665a228c86599361f0423
SHA1 hash:
8732dfe486f5a7daa4aedda48a3eb134bc2f35c0
Link:
https://www.unpac.me/results/8f00d90d-a2cc-4bf9-a779-0d7dcbe74e7a/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/eb04f77eb4f9/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/eb04f77eb4f92dd2b46d04408166a32505e5016435ccd84476f20eeba542dafd

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__RemoteAPI
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:Disable_Defender
Create hunting rule
Author:iam-py-test
Description:Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:meth_stackstrings
Create hunting rule
Author:Willi Ballenthin
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SEH__vectored
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:SHA512_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA384/SHA512 constants
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)
Rule name:ThreadControl__Context
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Socks5Systemz

Executable exe eb04f77eb4f92dd2b46d04408166a32505e5016435ccd84476f20eeba542dafd

(this sample)

  
Dropped by
Amadey
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/3470617/

Comments