MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fe7bc8e4d21896c46905bf10e1f891c6f7d4c731ba3097ae2f369a5959911a1c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Socks5Systemz


Vendor detections: 13


Intelligence 13 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: fe7bc8e4d21896c46905bf10e1f891c6f7d4c731ba3097ae2f369a5959911a1c
SHA3-384 hash: 2a3f4ffb57119df8851280d75133f7a4bc0f4ed1548452ca866a3bd23fc488ed9362ef8f38c85f72c3ca6100ae2e9368
SHA1 hash: 2f08abce4f8964b8515f7b0c0e851f9ecb444b01
MD5 hash: 8873173c1c94b042c77dea2b4a50f5f8
humanhash: delaware-mississippi-iowa-berlin
File name:tuc4.exe
Download: download sample
Signature Socks5Systemz
Create hunting rule
File size:4'702'577 bytes
First seen:2024-01-07 04:28:46 UTC
Last seen:2024-01-07 04:29:57 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 884310b1928934402ea6fec1dbd3cf5e (3'725 x GCleaner, 3'463 x Socks5Systemz, 262 x RaccoonStealer)
ssdeep 98304:Q9G5fJcRNXXGN/sg15U4uzGLn98kt9vEV9IqAahg78B4dm8:95fJ0mEqgGL98mbKhg764dD
Threatray 17 similar samples on MalwareBazaar
TLSH T1572633C13478C0BCF1828936EE799285440B6BB91AB8121494EF8177DF6B6D8F31B79D
TrID 76.2% (.EXE) Inno Setup installer (107240/4/30)
10.0% (.EXE) Win32 Executable Delphi generic (14182/79/4)
4.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.2% (.EXE) Win32 Executable (generic) (4505/5/1)
1.4% (.EXE) Win16/32 Executable Delphi generic (2072/23)
dhash icon b298acbab2ca7a72 (2'327 x GCleaner, 1'631 x Socks5Systemz, 67 x RedLineStealer)
Reporter adm1n_usa32
Tags:exe Socks5Systemz

Intelligence

File Origin
# of uploads :
2
# of downloads :
315
Origin country :
RO RO
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/469777/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a window
Creating a process from a recently created file
Сreating synchronization primitives
Searching for the window
Searching for synchronization primitives
Creating a file
Moving a recently created file
Launching the process to interact with network services
Modifying a system file
Creating a service
Launching a process
Enabling autorun for a service
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
control installer lolbin overlay packed shell32
Link:
https://www.filescan.io/uploads/659a288e8369fab94de64a90/reports/b76e2224-7e55-46df-9cce-69ec948343a5/overview
Verdict:
Malicious
Link:
https://www.hybrid-analysis.com/sample/fe7bc8e4d21896c46905bf10e1f891c6f7d4c731ba3097ae2f369a5959911a1c
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Argotronic GmbH
Create hunting rule
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/8aacaca4-4697-4a8e-8871-5a47ce908586
Result
Threat name:
Petite Virus, Socks5Systemz
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1370882
Signature
Antivirus / Scanner detection for submitted sample
Contains functionality to infect the boot sector
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found API chain indicative of debugger detection
Machine Learning detection for dropped file
Multi AV Scanner detection for submitted file
PE file has nameless sections
Snort IDS alert for network traffic
Yara detected Petite Virus
Yara detected Socks5Systemz
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1370882 Sample: tuc4.exe Startdate: 07/01/2024 Architecture: WINDOWS Score: 100 40 Snort IDS alert for network traffic 2->40 42 Antivirus / Scanner detection for submitted sample 2->42 44 Multi AV Scanner detection for submitted file 2->44 46 8 other signatures 2->46 8 tuc4.exe 2 2->8         started        process3 file4 28 C:\Users\user\AppData\Local\Temp\...\tuc4.tmp, PE32 8->28 dropped 11 tuc4.tmp 17 62 8->11         started        process5 file6 30 C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+ 11->30 dropped 32 C:\Users\user\AppData\Local\...\_isdecmp.dll, PE32 11->32 dropped 34 C:\Users\user\AppData\Local\...\_iscrypt.dll, PE32 11->34 dropped 36 81 other files (64 malicious) 11->36 dropped 14 smartimagestorage.exe 1 15 11->14         started        17 smartimagestorage.exe 1 2 11->17         started        20 net.exe 1 11->20         started        process7 dnsIp8 38 ezgomzb.ua 185.196.8.22, 49709, 49710, 49712 SIMPLECARRER2IT Switzerland 14->38 26 C:\...\High-quality math calculator 7.4.exe, PE32 17->26 dropped 22 conhost.exe 20->22         started        24 net1.exe 1 20->24         started        file9 process10
Score:
15%
Verdict:
Benign
File Type:
PE
Link:
https://malprob.io/report/fe7bc8e4d21896c46905bf10e1f891c6f7d4c731ba3097ae2f369a5959911a1c
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/fe7bc8e4d21896c46905bf10e1f891c6f7d4c731ba3097ae2f369a5959911a1c/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Malicious
First seen:
2024-01-07 04:29:04 UTC
File Type:
PE (Exe)
Extracted files:
5
AV detection:
13 of 22 (59.09%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=7z54rzgsdclmi2ifx4iod6ery335jrzrxiyjplrpg2nfswmrdioa._file
Verdict:
malicious
Similar samples:
08e99c84eae02bcadf577873cf34b6f87b718d83b9c8721e849888425ed9450d
Socks5Systemz
2c009fefcf337b8b5e4f0249aeb1627d3a39934097cf5fea75b16c5aa9a7f374
Socks5Systemz
44e639bba7c908625909ccc32eaaaa343591873b037a877fe21db85652b24564
Socks5Systemz
975c4ebf786941650ee40d182564b157ea7656befa2a343cccff3c4952fedbda
Socks5Systemz
986ac471d320e58d3398bb0ca041f53286265a3d3719543d07c32b27025b85ce
Socks5Systemz
daa74b36d89c37396f2df487ad202f513ea6779793e7a3fc6243d33d8f82fbea
Socks5Systemz
df7b3f70371116dcbde25dd117254de513f9abe9ca80559498c38cfa04b6503f
Socks5Systemz
f47ae4e664869d909874896cdc389a1a808054a9cd8bd495fe77d608bd01065a
Socks5Systemz
+ 7 additional samples on MalwareBazaar
Result
Malware family:
socks5systemz
Create hunting rule
Score:
  10/10
Tags:
family:socks5systemz botnet discovery
Link:
https://tria.ge/reports/240107-e38qrsfeg5/
Behaviour
Runs net.exe
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Checks installed software on the system
Executes dropped EXE
Loads dropped DLL
Unexpected DNS network traffic destination
Detect Socks5Systemz Payload
Socks5Systemz
Unpacked files
SH256 hash:
6a808f20fba640883f5850f82f177164001e8eb1605d26e1b55df504c63c23c8
MD5 hash:
bb6ebc0c215caaea7accfc31a6390133
SHA1 hash:
da0aa0064d0da2460b2489021101bb56ce5e2f31
Detections:
INDICATOR_EXE_Packed_VMProtect
Create hunting rule
Link:
https://www.unpac.me/results/c0de2f73-18f1-4656-9e24-d3b333a81d0a/
SH256 hash:
ea33397cf20161caf918edb0a16e4882d5e4470e0e6bc50ab67f876f2da34762
MD5 hash:
7f229b1a9bb4b650b46ed041a8009268
SHA1 hash:
c9c2d2dff8386a3ea2fc953fa9ca5eefd53531a5
Link:
https://www.unpac.me/results/c0de2f73-18f1-4656-9e24-d3b333a81d0a/
SH256 hash:
6de19768c3cc70d39ccf3ded39e9ab1fbbb282b3fe3d22f1208a95be3a8411c2
MD5 hash:
5162eabb5c94e4022a2aa1bb5fb8d0ef
SHA1 hash:
fa63d6252563d2b0306af916921a3ebcb4f1fe4e
Link:
https://www.unpac.me/results/c0de2f73-18f1-4656-9e24-d3b333a81d0a/
SH256 hash:
bb09bab59c1cfb3950cb49a3a396c980afa0f8d673ac9377e29914b5058f95f2
MD5 hash:
7caf38ee6ff5ef71c2f33d344acd5667
SHA1 hash:
b784a2ea865923f239e2c19989827db204b9f084
Link:
https://www.unpac.me/results/c0de2f73-18f1-4656-9e24-d3b333a81d0a/
SH256 hash:
e05ac1b9103d265692823218abc29e0e2ead6b94b03aa779233cc7cffb4226ed
MD5 hash:
a58f2fda7407242ba5ce5d0371e52ed6
SHA1 hash:
a85fe06a906aaf549cb8828814e192e5a4d25864
Link:
https://www.unpac.me/results/c0de2f73-18f1-4656-9e24-d3b333a81d0a/
SH256 hash:
fe7bc8e4d21896c46905bf10e1f891c6f7d4c731ba3097ae2f369a5959911a1c
MD5 hash:
8873173c1c94b042c77dea2b4a50f5f8
SHA1 hash:
2f08abce4f8964b8515f7b0c0e851f9ecb444b01
Link:
https://www.unpac.me/results/c0de2f73-18f1-4656-9e24-d3b333a81d0a/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/fe7bc8e4d21896c46905bf10e1f891c6f7d4c731ba3097ae2f369a5959911a1c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_VMProtect
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with VMProtect.
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Socks5Systemz

Executable exe fe7bc8e4d21896c46905bf10e1f891c6f7d4c731ba3097ae2f369a5959911a1c

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2741218/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2745365/
  
URLhaus
https://urlhaus.abuse.ch/url/2745345/
  
URLhaus
https://urlhaus.abuse.ch/url/2745333/
  
URLhaus
https://urlhaus.abuse.ch/url/2745352/
  
URLhaus
https://urlhaus.abuse.ch/url/2741233/
  
URLhaus
https://urlhaus.abuse.ch/url/2745340/
  
URLhaus
https://urlhaus.abuse.ch/url/2739329/
  
URLhaus
https://urlhaus.abuse.ch/url/2739289/
  
URLhaus
https://urlhaus.abuse.ch/url/2741216/
  
URLhaus
https://urlhaus.abuse.ch/url/2741215/
  
URLhaus
https://urlhaus.abuse.ch/url/2745373/
  
URLhaus
https://urlhaus.abuse.ch/url/2741245/
  
URLhaus
https://urlhaus.abuse.ch/url/2745332/
  
URLhaus
https://urlhaus.abuse.ch/url/2741225/
  
URLhaus
https://urlhaus.abuse.ch/url/2745356/
  
URLhaus
https://urlhaus.abuse.ch/url/2741236/
  
URLhaus
https://urlhaus.abuse.ch/url/2741240/
Cape
Cape
https://www.capesandbox.com/analysis/469777/

Comments