MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ed304eeaf215888d63ba869280d892025870f68aa3edb7a3c7664173225ee781. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Socks5Systemz


Vendor detections: 14


Intelligence 14 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ed304eeaf215888d63ba869280d892025870f68aa3edb7a3c7664173225ee781
SHA3-384 hash: a7604f037cbc10bd4bd29a65effae3394e689606b3c1e51553024f4cf3bd15346cd97c86418b84894b1b78b3a9222006
SHA1 hash: 0514599e2458d23e8ac2bb44186c346e003ed5ee
MD5 hash: 7c2c6d7072d7cab1e73d979ad8c2c7a7
humanhash: nine-angel-autumn-michigan
File name:7c2c6d7072d7cab1e73d979ad8c2c7a7.exe
Download: download sample
Signature Socks5Systemz
Create hunting rule
File size:2'724'864 bytes
First seen:2024-02-27 17:30:24 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 884310b1928934402ea6fec1dbd3cf5e (3'725 x GCleaner, 3'463 x Socks5Systemz, 262 x RaccoonStealer)
ssdeep 49152:C9A+QNTB8wzyUbJ7NCkDg/Xt1dAf3p0dj77Sm4k5UIpEiiUeiPZI3tCT:MAdOKv5NCekJgWd/7SM5T+rl3+
Threatray 95 similar samples on MalwareBazaar
TLSH T1AFC53384245AE5F5E0FA44F05CC4C73229837894FA7BD02673ECAC0F9F2ABA119257D9
TrID 69.7% (.EXE) Inno Setup installer (107240/4/30)
9.2% (.EXE) Win32 Executable Delphi generic (14182/79/4)
8.5% (.SCR) Windows screen saver (13097/50/3)
4.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
2.9% (.EXE) Win32 Executable (generic) (4504/4/1)
File icon (PE):PE icon
dhash icon b298acbab2ca7a72 (2'327 x GCleaner, 1'631 x Socks5Systemz, 67 x RedLineStealer)
Reporter abuse_ch
Tags:exe Socks5Systemz


Avatar
abuse_ch
Socks5Systemz C2:
195.16.74.230:80

Intelligence

File Origin
# of uploads :
1
# of downloads :
411
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
smoke
Create hunting rule
ID:
1
File name:
b5724d1ea8d2a379e0989ab74ab7719ed93d94dee8638b3dc31e53569cc36107.exe
Verdict:
Malicious activity
Analysis date:
2024-02-27 21:35:49 UTC
Tags:
loader smoke smokeloader stealer stealc evasion trojan glupteba
Link:
https://app.any.run/tasks/6ef67899-9eef-4192-994f-5ae33c4626aa

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/478039/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a window
Creating a process from a recently created file
Сreating synchronization primitives
Searching for the window
Searching for synchronization primitives
Creating a file
Moving a recently created file
Modifying a system file
Creating a service
Enabling autorun for a service
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
fingerprint installer lolbin overlay packed shell32
Link:
https://www.filescan.io/uploads/65de1c5a781f57164644e86d/reports/f01687d3-77a7-4647-86dd-54bb3f555fa5/overview
Verdict:
Malicious
Labled as:
Win/grayware_confidence_60%
Link:
https://www.hybrid-analysis.com/sample/ed304eeaf215888d63ba869280d892025870f68aa3edb7a3c7664173225ee781
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/5f26ac79-93c7-4d84-bda5-0456fc5c45fc
Result
Threat name:
Socks5Systemz
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
88 / 100
Link:
https://www.joesandbox.com/analysis/1399799
Signature
Antivirus detection for dropped file
Contains functionality to infect the boot sector
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Machine Learning detection for dropped file
Snort IDS alert for network traffic
Yara detected Socks5Systemz
Behaviour
Behavior Graph:
Download SVG
Score:
13%
Verdict:
Benign
File Type:
PE
Link:
https://malprob.io/report/ed304eeaf215888d63ba869280d892025870f68aa3edb7a3c7664173225ee781
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ed304eeaf215888d63ba869280d892025870f68aa3edb7a3c7664173225ee781/
Threat name:
Win32.Trojan.Malgent
Create hunting rule
Status:
Malicious
First seen:
2024-02-27 17:31:05 UTC
File Type:
PE (Exe)
Extracted files:
6
AV detection:
17 of 23 (73.91%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=5uye52xscwei2y52q2jibwesajmhb5ukupw3pi6hmzaxgis646aq._file
Verdict:
malicious
Similar samples:
01006e47ba030748e7843e01ec62fdf7970d003931434837fa79cd4b84e3e0e0
Socks5Systemz
4a69bb4dd89dc961d532e02c829b45d7cf42e3668b22f7f442548aaa99b10986
Socks5Systemz
5aa92bfd228195b36e88e6b22e27a4802596d1c7803d20b0d943f0207e563844
Socks5Systemz
61e3e7ec4a16c29338da66134fbfc35580e7515b39f7e458321d3235d27b3441
Socks5Systemz
b60848ac2a0eabd598b41b0f63d5ebef61e5df8bfdf616416223847788ea1905
Socks5Systemz
e85d92a87e4bc4fd5062e9b1ff763ad228da2bb750e98fc9e29e20075f3d26f6
Socks5Systemz
ed304eeaf215888d63ba869280d892025870f68aa3edb7a3c7664173225ee781
Socks5Systemz
+ 85 additional samples on MalwareBazaar
Result
Malware family:
socks5systemz
Create hunting rule
Score:
  10/10
Tags:
family:socks5systemz botnet discovery
Link:
https://tria.ge/reports/240227-v3pkwsfa95/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Checks installed software on the system
Executes dropped EXE
Loads dropped DLL
Unexpected DNS network traffic destination
Detect Socks5Systemz Payload
Socks5Systemz
Malware Config
C2 Extraction:
http://dituoua.info/search/?q=67e28dd83f0bf1291606a9177c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4de8889b5e4fa9281ae978f171ea771795af8e05c646db22f31df92d8b38e316a667d307eca743ec4c2b07b52966923b6e8efa14c1ec95
http://bhfagby.com/search/?q=67e28dd8655aa729110daa1b7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978a771ea771795af8e05c646db22f31dfe339426fa11af66c152adb719a9577e55b8603e983a608ef611c5ea949e32
Unpacked files
SH256 hash:
96cdaeeb637802b24dacbec175b29e31eb8060c19f4f9731cd27d35527aedc73
MD5 hash:
35f011af02dd6cbf0798ae686a87f6f2
SHA1 hash:
da2c77f8328fe612a2ab206207c658cd0ad07d74
Link:
https://www.unpac.me/results/492a758f-34fc-4efe-9049-afd728d01ca5/
SH256 hash:
2b16b75147ec72c410562d363fc90a9113792221398900bf0f3386a0b87f803d
MD5 hash:
c0b9dfbded949ab59a5a8c61f21cf1b3
SHA1 hash:
d626e9a0f99efeead3a40979bce3be85b65b1b67
Detections:
INDICATOR_EXE_Packed_VMProtect
Create hunting rule
Link:
https://www.unpac.me/results/492a758f-34fc-4efe-9049-afd728d01ca5/
SH256 hash:
44b8e6a310564338968158a1ed88c8535dece20acb06c5e22d87953c261dfed0
MD5 hash:
9c8886759e736d3f27674e0fff63d40a
SHA1 hash:
ceff6a7b106c3262d9e8496d2ab319821b100541
Link:
https://www.unpac.me/results/492a758f-34fc-4efe-9049-afd728d01ca5/
SH256 hash:
e4fc574a01b272c2d0aed0ec813f6d75212e2a15a5f5c417129dd65d69768f40
MD5 hash:
c8871efd8af2cf4d9d42d1ff8fadbf89
SHA1 hash:
d0eacd5322c036554d509c7566f0bcc7607209bd
Link:
https://www.unpac.me/results/492a758f-34fc-4efe-9049-afd728d01ca5/
SH256 hash:
1f3cff9f8b189e6789d679f6b0dfc7653b9bee066858c1c3966ba1041aa55dff
MD5 hash:
6b73c7a38ecdc3f16a8698bb8473b324
SHA1 hash:
e08ea86f2e5bae66fbada9939c8dbbd244531b2c
Link:
https://www.unpac.me/results/492a758f-34fc-4efe-9049-afd728d01ca5/
SH256 hash:
9a76137e5822446096ad4cd1f0bd34e80becb26390662a4eadfe1c39d8125287
MD5 hash:
42b4200301ca0a6b6bfcfda4f5857964
SHA1 hash:
34842e3d20e3e65fed932f4f0fb32eb42fca822b
Link:
https://www.unpac.me/results/492a758f-34fc-4efe-9049-afd728d01ca5/
SH256 hash:
413bf337437b99ae8cf35f6cb868cbfb8b0d3ace71facce81a55a05323eec197
MD5 hash:
27e66723dbfff79bacb194572e820002
SHA1 hash:
1e08070a69350c41e0681188835cd8bafed75ade
Link:
https://www.unpac.me/results/492a758f-34fc-4efe-9049-afd728d01ca5/
SH256 hash:
ed304eeaf215888d63ba869280d892025870f68aa3edb7a3c7664173225ee781
MD5 hash:
7c2c6d7072d7cab1e73d979ad8c2c7a7
SHA1 hash:
0514599e2458d23e8ac2bb44186c346e003ed5ee
Link:
https://www.unpac.me/results/492a758f-34fc-4efe-9049-afd728d01ca5/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ed304eeaf215888d63ba869280d892025870f68aa3edb7a3c7664173225ee781

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_VMProtect
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with VMProtect.
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Socks5Systemz

Executable exe ed304eeaf215888d63ba869280d892025870f68aa3edb7a3c7664173225ee781

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2770349/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/478039/

Comments