MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ecec24177e0f9e7db1485a14a15914f327a863b7b0ec20c2b954c7b7b01b806d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Socks5Systemz


Vendor detections: 11


Intelligence 11 IOCs YARA 3 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ecec24177e0f9e7db1485a14a15914f327a863b7b0ec20c2b954c7b7b01b806d
SHA3-384 hash: 32cce1a5348f6c68b3db9852d8d17504239b404c0215332b12ef2fcfb1de23642e4612c6fcaf7a893310f14273079de6
SHA1 hash: 3145ffe785659102c1a100304c7b5e06944e76e5
MD5 hash: 53705ea8e751683bbf79647dd176fe08
humanhash: october-oscar-uncle-tennessee
File name:53705ea8e751683bbf79647dd176fe08
Download: download sample
Signature Socks5Systemz
Create hunting rule
File size:4'259'768 bytes
First seen:2024-05-10 14:20:08 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 884310b1928934402ea6fec1dbd3cf5e (3'725 x GCleaner, 3'458 x Socks5Systemz, 262 x RaccoonStealer)
ssdeep 98304:Cb2eG+a9GUuIY0SiCbpH2oU+9qu18wzxTYCUxXL2gQxI:V+a9GUJfwVrN1ib2gQe
Threatray 385 similar samples on MalwareBazaar
TLSH T15B163317B66460BDF5B2CEF05DAF9B438FE317192C7E40266E4A9B7BCD128314A88351
TrID 76.2% (.EXE) Inno Setup installer (107240/4/30)
10.0% (.EXE) Win32 Executable Delphi generic (14182/79/4)
4.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.2% (.EXE) Win32 Executable (generic) (4504/4/1)
1.4% (.EXE) Win16/32 Executable Delphi generic (2072/23)
File icon (PE):PE icon
dhash icon b298acbab2ca7a72 (2'327 x GCleaner, 1'631 x Socks5Systemz, 67 x RedLineStealer)
Reporter zbetcheckin
Tags:32 exe Socks5Systemz

Intelligence

File Origin
# of uploads :
1
# of downloads :
324
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
ecec24177e0f9e7db1485a14a15914f327a863b7b0ec20c2b954c7b7b01b806d.exe
Verdict:
Malicious activity
Analysis date:
2024-05-10 14:22:09 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/76d73268-0db9-4f07-8f09-f9171c544733

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% subdirectories
Creating a window
Creating a process from a recently created file
Сreating synchronization primitives
Searching for synchronization primitives
Creating a file
Moving a recently created file
Modifying a system file
Creating a service
Enabling autorun for a service
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
fingerprint installer lolbin overlay packed risepro shell32
Link:
https://www.filescan.io/uploads/663e2d55a82a5106c5fb6877/reports/f46adc3f-3295-4bfc-82b4-f13aa5195102/overview
Verdict:
Malicious
Labled as:
Dropper.ET.gen
Link:
https://www.hybrid-analysis.com/sample/ecec24177e0f9e7db1485a14a15914f327a863b7b0ec20c2b954c7b7b01b806d
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/791bcb76-7861-4060-a649-a51eeac4989f
Result
Threat name:
PrivateLoader, Socks5Systemz
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1439675
Signature
Antivirus / Scanner detection for submitted sample
Changes security center settings (notifications, updates, antivirus, firewall)
Contains functionality to infect the boot sector
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found API chain indicative of debugger detection
Machine Learning detection for dropped file
Multi AV Scanner detection for submitted file
Query firmware table information (likely to detect VMs)
Snort IDS alert for network traffic
Yara detected PrivateLoader
Yara detected Socks5Systemz
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1439675 Sample: Y2GoExxI1P.exe Startdate: 10/05/2024 Architecture: WINDOWS Score: 100 43 time.windows.com 2->43 49 Snort IDS alert for network traffic 2->49 51 Antivirus / Scanner detection for submitted sample 2->51 53 Multi AV Scanner detection for submitted file 2->53 55 7 other signatures 2->55 8 Y2GoExxI1P.exe 2 2->8         started        11 svchost.exe 2->11         started        14 svchost.exe 1 2->14         started        16 6 other processes 2->16 signatures3 process4 file5 39 C:\Users\user\AppData\...\Y2GoExxI1P.tmp, PE32 8->39 dropped 18 Y2GoExxI1P.tmp 15 18 8->18         started        57 Changes security center settings (notifications, updates, antivirus, firewall) 11->57 21 MpCmdRun.exe 2 11->21         started        59 Query firmware table information (likely to detect VMs) 14->59 signatures6 process7 file8 31 C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+ 18->31 dropped 33 C:\Users\user\AppData\Local\...\_iscrypt.dll, PE32 18->33 dropped 35 C:\Users\user\AppData\Local\...\_RegDLL.tmp, PE32 18->35 dropped 37 12 other files (11 malicious) 18->37 dropped 23 sunvox.exe 1 17 18->23         started        26 sunvox.exe 1 2 18->26         started        29 conhost.exe 21->29         started        process9 dnsIp10 45 aievyoo.ru 87.121.105.244, 49707, 49712, 49713 NET1-ASBG Bulgaria 23->45 47 194.59.31.219, 2023, 49708, 49711 COMBAHTONcombahtonGmbHDE Germany 23->47 41 C:\...\MediaDevicePicker 3.0.194.68.exe, PE32 26->41 dropped file11
Score:
29%
Verdict:
Benign
File Type:
PE
Link:
https://malprob.io/report/ecec24177e0f9e7db1485a14a15914f327a863b7b0ec20c2b954c7b7b01b806d
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ecec24177e0f9e7db1485a14a15914f327a863b7b0ec20c2b954c7b7b01b806d/
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=5twcif36b6ph3mkilikkcwiu6mt2qy5xwdwcbqvzktd3pma3qbwq._file
Verdict:
malicious
Similar samples:
1655119040883feb256b1645581f9d7884a7c8e157d15fd7ccbc923d7e8a7778
Socks5Systemz
2eda060aecf449871d3727f48dc3decbbc51574cfabf11dda96858c11b47a28d
Socks5Systemz
3d6e7d86793a6812d02f9d32f59d44aa7a021568615ab25e8e3e5a6aa8b7545f
Socks5Systemz
5521905702d9ef70717ea0152021e8055f49deef14f3b855468a6449007e552f
Socks5Systemz
6d57b846d065ebc93870f6a751b23f6ea1587c209187a542e0e0bb93beb3c77e
Socks5Systemz
9c0151a17e929d6de857367cb47fcd146713b5a73a54a7469a8d3ca5cc7bf3d2
Socks5Systemz
a6f1f5bd70df52b1c12b29d133d94a892b4b654aeb57c25b958e0eec2a698626
Socks5Systemz
b409d205ae446b7ff2507e7ff4b5b4c9b63d76df8cbcda30407ee4d3d2bc7ff7
Socks5Systemz
d69639d8748700e69c1b27f3a78d28ae093da8631a80691e2d91615a57c5e3f9
Socks5Systemz
dddf2b2a8c33711b013388be3e01b132738e15919b2396ad632592047eb677a5
Socks5Systemz
+ 375 additional samples on MalwareBazaar
Result
Malware family:
socks5systemz
Create hunting rule
Score:
  10/10
Tags:
family:socks5systemz botnet discovery
Link:
https://tria.ge/reports/240510-rnzkrsad7z/
Behaviour
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Checks installed software on the system
Executes dropped EXE
Loads dropped DLL
Unexpected DNS network traffic destination
Detect Socks5Systemz Payload
Socks5Systemz
Malware Config
C2 Extraction:
http://boyuwde.com/search/?q=67e28dd86c0ca72e110aab177c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa48e8889b5e4fa9281ae978f671ea771795af8e05c64bdb22f31df92d8b38e316a667d307eca743ec4c2b07b52966923a628dfa11c9ec95
http://boyuwde.com/search/?q=67e28dd86c0ca72e110aab177c27d78406abdd88be4b12eab517aa5c96bd86eb978f45805a8bbc896c58e713bc90c91d36b5281fc235a925ed3e55d6bd974a95129070b618e96cc92be20ea778c255bbe258b90d3b4eed3233d1626a8ff810c5ec909a32ce6f
http://bhraxkb.com/search/?q=67e28dd86d0ca420440ef91f7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa49e8889b5e4fa9281ae978f671ea771795af8e05c64bdb22f31dfe339426fa11af66c152adb719a9577e55b8603e983a608ffa12c5ef9c9832
http://bhraxkb.com/search/?q=67e28dd86d0ca420440ef91f7c27d78406abdd88be4b12eab517aa5c96bd86ec97824f885a8bbc896c58e713bc90c91c36b5281fc235a925ed3e55d6bd974a95129070b618e96cc92be510b866db52b2e34aec4c2b14a82966836f23d7f210c7ee90993ecd66941f
Unpacked files
SH256 hash:
590beff18e862e27b2fb92dd65170297c6e6646c960cf6e742dcb8a0fa8c7988
MD5 hash:
e2996dff751f9eb7ed4bd1c4d86b33d6
SHA1 hash:
ed3a1dd17478d510619dcbe01cc138cdd02e3103
Link:
https://www.unpac.me/results/0d8dbf6c-4186-4125-ad8b-806565826da6/
SH256 hash:
d100555d90341ee8a794fd1b2ff44b18bf66206c979c35ddf50f28910385a332
MD5 hash:
dccceda8100bee44269b1a896a9da7d6
SHA1 hash:
a2e7f4f138c572193227358560999b3184c6467e
Detections:
Socks5Systemz
Create hunting rule
Link:
https://www.unpac.me/results/0d8dbf6c-4186-4125-ad8b-806565826da6/
SH256 hash:
a450738c71bcf483896b82eb19037adc430dde07a03ecf6f1bcf8e618fc60009
MD5 hash:
702f837767d59e7758522765edbc79e6
SHA1 hash:
c5dbda446fbf93b692d54c0f809c8b57809e7fc9
Link:
https://www.unpac.me/results/0d8dbf6c-4186-4125-ad8b-806565826da6/
SH256 hash:
44b8e6a310564338968158a1ed88c8535dece20acb06c5e22d87953c261dfed0
MD5 hash:
9c8886759e736d3f27674e0fff63d40a
SHA1 hash:
ceff6a7b106c3262d9e8496d2ab319821b100541
Link:
https://www.unpac.me/results/0d8dbf6c-4186-4125-ad8b-806565826da6/
SH256 hash:
4dc09bac0613590f1fac8771d18af5be25a1e1cb8fdbf4031aa364f3057e74a2
MD5 hash:
0ee914c6f0bb93996c75941e1ad629c6
SHA1 hash:
12e2cb05506ee3e82046c41510f39a258a5e5549
Link:
https://www.unpac.me/results/0d8dbf6c-4186-4125-ad8b-806565826da6/
SH256 hash:
a4c86fc4836ac728d7bd96e7915090fd59521a9e74f1d06ef8e5a47c8695fd81
MD5 hash:
4ff75f505fddcc6a9ae62216446205d9
SHA1 hash:
efe32d504ce72f32e92dcf01aa2752b04d81a342
Link:
https://www.unpac.me/results/0d8dbf6c-4186-4125-ad8b-806565826da6/
SH256 hash:
5380216f4e1268080676fdb088daa8eba5ad4604fc4594a9c28126897a5be265
MD5 hash:
cd26c5420b001f4c6de2157bb96625ee
SHA1 hash:
4476740041c9e6cd7a9642a2ee4bfbd8cee1075a
Link:
https://www.unpac.me/results/0d8dbf6c-4186-4125-ad8b-806565826da6/
SH256 hash:
ecec24177e0f9e7db1485a14a15914f327a863b7b0ec20c2b954c7b7b01b806d
MD5 hash:
53705ea8e751683bbf79647dd176fe08
SHA1 hash:
3145ffe785659102c1a100304c7b5e06944e76e5
Link:
https://www.unpac.me/results/0d8dbf6c-4186-4125-ad8b-806565826da6/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Socks5 Systemz
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ecec24177e0f9e7db1485a14a15914f327a863b7b0ec20c2b954c7b7b01b806d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_VMProtect
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with VMProtect.
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Socks5Systemz

Executable exe ecec24177e0f9e7db1485a14a15914f327a863b7b0ec20c2b954c7b7b01b806d

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2845618/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
CHECK_NXMissing Non-Executable Memory Protectioncritical
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh
Reviews
IDCapabilitiesEvidence
SECURITY_BASE_APIUses Security Base APIadvapi32.dll::AdjustTokenPrivileges
WIN32_PROCESS_APICan Create Process and Threadskernel32.dll::CreateProcessA
advapi32.dll::OpenProcessToken
kernel32.dll::CloseHandle
WIN_BASE_APIUses Win Base APIkernel32.dll::LoadLibraryA
kernel32.dll::GetSystemInfo
kernel32.dll::GetCommandLineA
WIN_BASE_IO_APICan Create Fileskernel32.dll::CreateDirectoryA
kernel32.dll::CreateFileA
kernel32.dll::DeleteFileA
kernel32.dll::GetWindowsDirectoryA
kernel32.dll::GetFileAttributesA
kernel32.dll::RemoveDirectoryA
WIN_BASE_USER_APIRetrieves Account Informationadvapi32.dll::LookupPrivilegeValueA
WIN_REG_APICan Manipulate Windows Registryadvapi32.dll::RegOpenKeyExA
advapi32.dll::RegQueryValueExA
WIN_USER_APIPerforms GUI Actionsuser32.dll::PeekMessageA
user32.dll::CreateWindowExA

Comments


Avatar
zbet commented on 2024-05-10 14:20:09 UTC

url : hxxps://gig.fastbutters.com/style/080.exe