MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 efd11cfc60819e1f730ebfe59a3b4297e67f8f73fc2c7d9b7e1d3f4569c82888. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Socks5Systemz


Vendor detections: 12



SHA256 hash: efd11cfc60819e1f730ebfe59a3b4297e67f8f73fc2c7d9b7e1d3f4569c82888
SHA3-384 hash: 1ce620875e5b7aca0cd2e981b8483a0e5f073cecbf8f3f56f9a1e8431f5801a3a2900a3d7a213f089e6721615abfa782
SHA1 hash: 85c6e2cd79a0dea309e749bc88bcde71eabea5d7
MD5 hash: 6418ae173da68ab404b49a2e92d38482
humanhash: sad-georgia-georgia-blue
File name: tuc6.exe
Signature: Socks5Systemz
File size: 7'832'133 bytes
First seen: 2023-12-11 17:27:28 UTC
Last seen: 2023-12-11 19:31:51 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 884310b1928934402ea6fec1dbd3cf5e (3'725 x GCleaner, 3'571 x Socks5Systemz, 262 x RaccoonStealer)
ssdeep: 196608:9q/iLRC0OLkYNew6tjCtD2RQVsBp4UAzj:9HC9Lkuew6t2oCO9Azj
Threatray: 5'193 similar samples on MalwareBazaar
TLSH: T100863305189AA5F9E0BDC23375970ED5578BEFA305AD80AE70CF34A6E735026D48CB27
TrID:
  76.2% (.EXE) Inno Setup installer (107240/4/30)
  10.0% (.EXE) Win32 Executable Delphi generic (14182/79/4)
  4.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
  3.2% (.EXE) Win32 Executable (generic) (4505/5/1)
  1.4% (.EXE) Win16/32 Executable Delphi generic (2072/23)
dhash icon: fefce49e86c0fcfe (884 x Socks5Systemz, 259 x RaccoonStealer)
Reporter: Xev
Tags: exe Socks5Systemz


NIXLovesCooper
Downloaded from http://never.hitsturbo.com/order/tuc6.exe

Intelligence


File Origin
# of uploads: 2
# of downloads: 250
Origin country: GR
Vendor Threat Intelligence
Result
Verdict: Malware
Behaviour
Creating a file in the %temp% subdirectories
Creating a window
Creating a process from a recently created file
Creating synchronization primitives
Searching for the window
Searching for synchronization primitives
Creating a file in the Program Files subdirectories
Moving a file to the Program Files subdirectory
Launching a process
Modifying a system file
Creating a file
Creating a service
Launching the process to interact with network services
Enabling autorun for a service
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: control installer lolbin overlay packed shell32
Result
Verdict: MALICIOUS
Result
Threat name: Petite Virus, Socks5Systemz
Detection: malicious
Classification: troj.evad
Score: 100 / 100
Signature
Antivirus / Scanner detection for submitted sample
Contains functionality to infect the boot sector
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
PE file has nameless sections
Snort IDS alert for network traffic
Tries to detect virtualization through RDTSC time measurements
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Petite Virus
Yara detected Socks5Systemz
Behaviour
Behavior Graph (recovered from the flattened graph rendering):
Behavior Graph ID: 1358764
Sample: tuc6.exe
Start date: 11/12/2023
Architecture: WINDOWS
Score: 100
Top-level signatures: Snort IDS alert for network traffic; Antivirus / Scanner detection for submitted sample; Detected unpacking (changes PE section rights); 6 other signatures
Process tree:
tuc6.exe (started)
  dropped: C:\Users\user\AppData\Local\Temp\...\tuc6.tmp (PE32)
  started: tuc6.tmp
tuc6.tmp
  dropped: C:\Program Files (x86)\...\gifplayer.exe (PE32); C:\Program Files (x86)\...\is-IFQI6.tmp (PE32); C:\Program Files (x86)\...\is-C1AT9.tmp (PE32); 56 other files (none is malicious)
  signature: Uses schtasks.exe or at.exe to add and modify task schedules
  started: gifplayer.exe; net.exe; gifplayer.exe; schtasks.exe
gifplayer.exe (first instance)
  network: bhlvcmi.com 185.196.8.22, ports 49709, 49710, 49711 (SIMPLECARRER2IT, Switzerland)
net.exe
  started: conhost.exe; net1.exe
gifplayer.exe (second instance)
  dropped: C:\ProgramData\L76Storage\L76Storage.exe (PE32)
schtasks.exe
  started: conhost.exe
Threat name: Win32.Trojan.Generic
Status: Malicious
First seen: 2023-12-11 17:28:06 UTC
File Type: PE (Exe)
Extracted files: 5
AV detection: 10 of 23 (43.48%)
Threat level: 2/5
Result
Malware family: n/a
Score: 7/10
Tags: discovery
Behaviour
Runs net.exe
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Drops file in Program Files directory
Checks installed software on the system
Executes dropped EXE
Loads dropped DLL
Unexpected DNS network traffic destination
Unpacked files
SHA256 hash: bfe1ab607dfba71517a995a31be6628c8673dc723660804fd30f374d3989359c
MD5 hash: e82f019ab3c2e83c05abd197c7912003
SHA1 hash: a705c9f56bc7d7d0c6591d23337d89fdbabce756
SHA256 hash: 42b08618ddef04501f4333e08b54534af17236ec93fa8027ff7474502b23cd09
MD5 hash: 9400ad15a1e12c269c410563385e9699
SHA1 hash: 9cd927067edd0e129511daa2c9490de1a065b577
Detections: INDICATOR_EXE_Packed_VMProtect
Parent samples:
SHA256 hash: f53a6547d46f0385db031b61f98df49ddb1909d9e95e360f32bef61dfd8a3a97
MD5 hash: 393f9ee99cc12838305605cf6b867c29
SHA1 hash: adc3a67251142140a8d35c7111a933cbc44a5ff3
SHA256 hash: 444c9128114c59e174dec3a243760f73843021b91cfab7959d71ee03b569c63c
MD5 hash: c3f876aa5806a3e6815dc841a792f5bd
SHA1 hash: 83e3fdff1e387991c69d69d4cc6f53182d52131b
SHA256 hash: bc1add59bc53afcb754ac0340be7b4057cc99e4d07f685d83da9bee6806e16e6
MD5 hash: 989684ea242f08359a08cfa617d17aed
SHA1 hash: 682ef0031d444dcb4fe5d8222d1cd3d28da2f8b2
SHA256 hash: efd11cfc60819e1f730ebfe59a3b4297e67f8f73fc2c7d9b7e1d3f4569c82888
MD5 hash: 6418ae173da68ab404b49a2e92d38482
SHA1 hash: 85c6e2cd79a0dea309e749bc88bcde71eabea5d7
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: shellcode
Author: nex
Description: Matched shellcode byte patterns

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments