MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f1ba4fc2c4204fe9b4af4e77a80b4f98c6cedd2fefc50255d1276206438ddeea. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Socks5Systemz


Vendor detections: 12


Sections: Intelligence | IOCs (12) | YARA (3) | File information | Comments

SHA256 hash: f1ba4fc2c4204fe9b4af4e77a80b4f98c6cedd2fefc50255d1276206438ddeea
SHA3-384 hash: 431491c5e02e8af7b102a5d217a212bb30391f95a08ffbeceae1b4053752b8ca156239644d56da377e0020384d8a7072
SHA1 hash: 80ca4664fe8fa11970eeb4b994902aa34256ad25
MD5 hash: d40b32f85af834cb19e8e0fdfd218bd9
humanhash: mars-green-may-item
File name: tuc6.exe
Signature Socks5Systemz
File size: 7'832'133 bytes
First seen: 2023-12-11 19:07:22 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash 884310b1928934402ea6fec1dbd3cf5e (3'725 x GCleaner, 3'571 x Socks5Systemz, 262 x RaccoonStealer)
ssdeep 196608:Hq/iLRC0OLkYNew6tjCtD2RQVsBp4UAzj:HHC9Lkuew6t2oCO9Azj
Threatray 5'488 similar samples on MalwareBazaar
TLSH T103863305189AA5F9E0BDC23375970ED5578BEFA305AD80AE70CF34A6E735026D48CB27
TrID 76.2% (.EXE) Inno Setup installer (107240/4/30)
10.0% (.EXE) Win32 Executable Delphi generic (14182/79/4)
4.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.2% (.EXE) Win32 Executable (generic) (4505/5/1)
1.4% (.EXE) Win16/32 Executable Delphi generic (2072/23)
dhash icon fefce49e86c0fcfe (884 x Socks5Systemz, 259 x RaccoonStealer)
Reporter Xev
Tags: exe Socks5Systemz


NIXLovesCooper
Downloaded from http://never.hitsturbo.com/order/tuc6.exe

Intelligence


File Origin
# of uploads: 1
# of downloads: 237
Origin country: GR
Vendor Threat Intelligence
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% subdirectories
Creating a window
Creating a process from a recently created file
Creating synchronization primitives
Searching for synchronization primitives
Creating a file in the Program Files subdirectories
Moving a file to the Program Files subdirectory
Launching a process
Modifying a system file
Sending a custom TCP request
Creating a file
Creating a service
Launching the process to interact with network services
Enabling autorun for a service
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
control installer lolbin overlay packed shell32
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Petite Virus, Socks5Systemz
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Behaviour
Behavior Graph:
n/a
Threat name:
Win32.Trojan.Generic
Status:
Malicious
First seen:
2023-12-11 19:08:06 UTC
File Type:
PE (Exe)
Extracted files:
5
AV detection:
12 of 23 (52.17%)
Threat level:
  2/5
Result
Malware family:
n/a
Score:
  7/10
Tags:
discovery
Behaviour
Runs net.exe
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Drops file in Program Files directory
Checks installed software on the system
Executes dropped EXE
Loads dropped DLL
Unexpected DNS network traffic destination
Unpacked files
SHA256 hash:
bfe1ab607dfba71517a995a31be6628c8673dc723660804fd30f374d3989359c
MD5 hash:
e82f019ab3c2e83c05abd197c7912003
SHA1 hash:
a705c9f56bc7d7d0c6591d23337d89fdbabce756
SHA256 hash:
42b08618ddef04501f4333e08b54534af17236ec93fa8027ff7474502b23cd09
MD5 hash:
9400ad15a1e12c269c410563385e9699
SHA1 hash:
9cd927067edd0e129511daa2c9490de1a065b577
Detections:
INDICATOR_EXE_Packed_VMProtect
Parent samples :
d1f88711031572745a05a3258d03fad566e4bbae144297d9e911d4e6d0892650
bb78b7844740741f9be46088c326ce39f67aa3ed7632ae9fdac395402a3b90b6
9a5b1b3cfec6fe3feffc1828f9aefbb7ed857ac1f685d7a4a7d03a2f4f2da473
20e1bc22059779cfa7e9838effb4cae450ef2abeb136a9a514843621de6a94b0
94c26274288aa3334887056ba82a1405f7ad45de26d8d5bbbb1969632affac3f
91b864c3e28329a016721a24a0b32bb96a663497998987e21f6d6aeaa07a6983
02e98ce256c70f3979ef98e8008c63faa27485bbad969b50ef488003f8c1520d
cef65b36676d8e31554857722e68ea52bd6947a5fc81d1994c8ddb72688b4e30
a2eb1636200cc61142db562bbbba5257f3b1ee99a9b6a57edc245ab4422a4af3
cf64a7e834776f309e3d6a2ef19029848418612b409a35b56379dd588838f7bc
c47c8805dca720e93aae915cc686a739a717dded4010268f543afc30fb24c2e7
96ac28d64f1b6e88e24cd62d92657c1cc9ae9a9e051b222acebb65da92bbc7bb
efd11cfc60819e1f730ebfe59a3b4297e67f8f73fc2c7d9b7e1d3f4569c82888
85c9b13789f6315bbaef02096d7cf0540da5b770c19784c611f4f5d7ea19e294
17380dda4cd21ab9d199f5f55995eb4028f2f00663b46fb9929907891ffce4a7
e22e62b329e275990831026e90ee2805cf80f8e41949fecd60eae74bff25193a
60cd461842eaa1621b9cfdcbc8a384cc224dce2a9bcb4a68e17652abb1f9b436
d3e66a86901bf40b4bff71fc541106b9df5184ab997849e517a1554e59f5b6bf
ef60c581b98c5357f5e2a2d326e7b3035221d74e4e43da43a2e3256ec12b98cf
cbca4ad4b670ace33c83c4051635a7effac32555e1fff769715d3acbc0be17bb
8467fa352acf545389e9c68fa6a6c6c9779f7b95478f9be9c8c541a70dbffeff
1d330faac1fc05ce311de908bb92c08bba23370cc34bbd0db57d6baf96d269ad
6bb2cd8189148967c0c4297ec0f22a4f87c1cf5feba29f92ddbf05f530ef34a7
de9095c408a7b50219a4e13a3f4d06886f768a4adbfabff4de6f518e2ddc2575
05388f6b96bfc1c5a122dd61df6c6d08c0c213279be8aab0daa365a0b6948cad
8d476c6ee49c7a0237d3ac2712f09b534df737909b9c14fc3a605d0d2f3af974
4e4becff75eae1aeee662345e4beddbfcb25a1569e34fcffac50bc37d1699a8b
903f8b80903719b63bc5d77089b7caca96237bf3168e24aea2ac4ed68d08ce12
f1960e2af828e94ecd479567d4de7fd49f935ee871688281aaf5e0a400931cc8
5440041dc558c86aa964d8fcc5e6ab01aa854c048b0363549623048e0d0804b5
484e52da1547b8c7ab46fa2bb39332ec1d53a789a4e7e43157ede9bb7fce14a3
9daec2ec01cec0d95ee465c26f626bb74e833f9cca63bd4837973dffc2adcc9e
4d1e2ae81db917105718e5a0e3a22cba19b0426cca7df283cfbd69511e100b73
3fb9036f355948b854ef4d2ebcfa0fae40a2f86610377e6a900c7ef9f4e563b2
f1ba4fc2c4204fe9b4af4e77a80b4f98c6cedd2fefc50255d1276206438ddeea
4182cdcb48d68ca1ffd01b1a39552dc2dbbe295e89888e7b6f3b79f4b0722bc5
6ccff2d3bebbf7459cbd7b931e5f4a53c2decf1343fcf6b3d5fd83e4c1342579
da127dddc8b1da4c565b782548931b802adb48aaae0dca72484ecbd5f90f48dc
9b64b1133823617feeda35271a5b33a58d75eeb1e3a0e8694c2ff24e8e540a8e
b42317dc4e90801d512fe84dfb8d8011ad0d74b5e2fd753e6d3610ec1c25b2c8
84afa721485a66d25ac21421318f8f3ab6d66d89ce07e39f3bb5ed9d534275aa
a50171ac48fe364e675369017f93b9ffcc47fc242bc53a75abff69190065b2ac
cecee9581175178ae3e7d27e4bb7f1985252dbf762701bf66da2dee5ea6e5347
6cf2dbf5f3762bf2b8bf296163a99cbc0262d250d379ab52bb768904478ecbb4
6d1b0b5ae2cb5b8587f5cbf3e0ef31416fda656f9e021f13e9262ae82f1f11e3
edfcd2fc9c4a94161c83938b0ff0fd3283016baf92ccc8f7cc2d0bc28e87f7a7
d0be042a88554abd9e58ef3cdc104d4ca8c398e5fa776f43e73cc32713786744
88b9db0f51aa205f0541fb1b24229783e5272b8a7da04558f3766e9e0c925e3e
82a6e69102a172dc645d0819b5b2bc9e865496dfde18353301e07d22d4a488dd
fe26e5567fb982c642effd3d160e1b9fa91bb5a096cbecc9c5b641c9679053d0
2f9b19f4a24345d298d210092e8d08be838edb980fea53114042207e402fb086
a13d132d8bc48ef6dda59d5231252c91c58608c423d52c656e6bbc4c76f6ee8d
7aa93649301ee88643af808b8c1ab6c2da159958783e9083922b433722fbb7f7
4674fbee054b7863da253d3ae7afe90478baaec2a90839f5be9220b150e08acb
d5b6295bd122b66a7023f15ed09d302b1352d5ae6bbbed7e65d4ea2d29a6f948
db0eaa3064aa48c12560965ffb8e0211078a9b20ffc8de23fc1c18291d2b02cd
SHA256 hash:
bd1b7b1518c9f3077b2062d7fcaf966c70ee01a05446f3d2953bd42f92bb1124
MD5 hash:
fba116732ff5af8872f4c8a8ff675eb7
SHA1 hash:
cf5680aaaba2e5fdbcae4e6acc862474309f2fc5
SHA256 hash:
0d68e1b7fd3d5628f23e27aa116e9e7c25238f76c90326522b9922e6f116efea
MD5 hash:
ee56fb665c76806ffceea534458001c6
SHA1 hash:
b3e2a0191ac20de6462c2b04bef80b30b67e0fec
SHA256 hash:
7511a0bc6edb251077e3838dcd82ab7fd2c073ce67fee67ceb54779225b11446
MD5 hash:
e11d367ad4483775d9ae1ed8c14a7d35
SHA1 hash:
9e33c475134b3696779e987748f6512a788ad52c
SHA256 hash:
f1ba4fc2c4204fe9b4af4e77a80b4f98c6cedd2fefc50255d1276206438ddeea
MD5 hash:
d40b32f85af834cb19e8e0fdfd218bd9
SHA1 hash:
80ca4664fe8fa11970eeb4b994902aa34256ad25
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_VMProtect
Author:ditekSHen
Description:Detects executables packed with VMProtect.
Rule name:MD5_Constants
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:shellcode
Author:nex
Description:Matched shellcode byte patterns

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments