MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fed92b12cc0fbc75bb1d1c661e1675f6e20d27d6d03d25174536d71125cb7a0e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Socks5Systemz


Vendor detections: 12



SHA256 hash: fed92b12cc0fbc75bb1d1c661e1675f6e20d27d6d03d25174536d71125cb7a0e
SHA3-384 hash: 2d4796b5d9119fe44abaa48420d79309c7b14a6e4a9071e385bc2df12fc42fdd395d90c8ae920645295a82014d0ca2b0
SHA1 hash: b34199355417eb56c97c7ace31d5faa716405479
MD5 hash: b87e53716d1d15ee4d62bbf2a8a9f506
humanhash: berlin-grey-september-dakota
File name: b87e53716d1d15ee4d62bbf2a8a9f506
Download: download sample
Signature: Socks5Systemz
File size: 19'292'024 bytes
First seen: 2023-11-14 14:56:44 UTC
Last seen: 2023-11-14 16:32:47 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep: 196608:ONqJQjRk/+knA9vau6V3b6OzOqJh15pMWBFnHXHsuQCU5SlMZ5SYr0D8udrjiXD8:v5xHwSlOEYk8CiX0nN
Threatray: 4 similar samples on MalwareBazaar
TLSH: T119176B61D2F1AA5DE4DB85328E2063F8A2B39427B713E396DC04E936742C6D7CEC4563
TrID: 45.5% (.EXE) Win64 Executable (generic) (10523/12/4)
      19.4% (.EXE) Win32 Executable (generic) (4505/5/1)
      8.9% (.ICL) Windows Icons Library (generic) (2059/9)
      8.7% (.EXE) OS/2 Executable (generic) (2029/13)
      8.6% (.EXE) Generic Win/DOS Executable (2002/3)
Reporter: zbetcheckin
Tags: 32 exe signed Socks5Systemz

Code Signing Certificate

Organisation: install rox inc
Issuer: install rox inc
Algorithm: sha256WithRSAEncryption
Valid from: 2023-11-14T00:51:20Z
Valid to: 2024-11-14T00:51:20Z
Serial number: 23e73beb42611f940ec6cf5b3232e338
Thumbprint Algorithm: SHA256
Thumbprint: d0d4539b5df82e8be34ef4f0e528e0ec43b04c00f77de5be8fa576e5073f28f6
Source: This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence


File Origin
# of uploads: 2
# of downloads: 338
Origin country: FR
Vendor Threat Intelligence
Result
Verdict: Malware
Maliciousness:
Behaviour
Creating synchronization primitives
Creating a process with a hidden window
Launching a process
Creating a file
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Creating a process from a recently created file
Creating a file in the %temp% subdirectories
Creating a window
Using the Windows Management Instrumentation requests
Searching for the window
Creating a file in the Program Files subdirectories
Moving a file to the Program Files subdirectory
Creating a file in the %AppData% subdirectories
Launching the process to interact with network services
Creating a service
Running batch commands
Blocking the User Account Control
Forced shutdown of a system process
Query of malicious DNS domain
Sending a TCP request to an infection source
Unauthorized injection to a recently created process
Enabling autorun for a service
Adding exclusions to Windows Defender
Adding an exclusion to Microsoft Defender
Unauthorized injection to a system process
Sending an HTTP GET request to an infection source
Enabling autorun by creating a file
Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: anti-vm evasive fingerprint lolbin msbuild msdeploy overlay packed remote replace stealer
Result
Verdict: MALICIOUS
Result
Threat name: Socks5Systemz, Xmrig
Detection: malicious
Classification: rans.troj.adwa.spyw.expl.evad.mine
Score: 100 / 100
Signature
.NET source code contains potential unpacker
.NET source code contains process injector
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Antivirus detection for URL or domain
Contains functionality to infect the boot sector
Creates HTML files with .exe extension (expired dropper behavior)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Disables UAC (registry)
Drops script or batch files to the startup folder
Found hidden mapped module (file has been removed from disk)
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies power options to not sleep / hibernate
Modifies the context of a thread in another process (thread injection)
Modifies the hosts file
Multi AV Scanner detection for dropped file
Protects its processes via BreakOnTermination flag
Query firmware table information (likely to detect VMs)
Sample is not signed and drops a device driver
Sigma detected: Drops script at startup location
Sigma detected: Stop multiple services
System process connects to network (likely due to code injection or exploit)
Uses powercfg.exe to modify the power settings
Writes many files with high entropy
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected Generic Downloader
Yara detected Socks5Systemz
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph: [graph image not reproduced in text; Behavior Graph ID: 1342406, sample Vl2iPhZcp2.exe, start date 14/11/2023, architecture WINDOWS, score 100]
Threat name: ByteCode-MSIL.Trojan.AgentTesla
Status: Malicious
First seen: 2023-11-14 14:57:07 UTC
File Type: PE (.Net Exe)
Extracted files: 1
AV detection: 16 of 24 (66.67%)
Threat level: 5/5
Result
Malware family:
Score: 10/10
Tags: family:glupteba family:xmrig discovery dropper evasion loader miner persistence spyware stealer trojan upx
Behaviour
Creates scheduled task(s)
Modifies data under HKEY_USERS
Modifies system certificate store
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
System policy modification
Uses Task Scheduler COM API
Enumerates physical storage devices
Checks for VirtualBox DLLs, possible anti-VM trick
Drops file in Program Files directory
Drops file in Windows directory
Launches sc.exe
Drops file in System32 directory
Suspicious use of SetThreadContext
Adds Run key to start application
Checks installed software on the system
Checks whether UAC is enabled
Enumerates connected drives
Legitimate hosting services abused for malware hosting/C2
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
UPX packed file
Unexpected DNS network traffic destination
Windows security modification
Checks computer location settings
Drops startup file
Downloads MZ/PE file
Drops file in Drivers directory
Modifies Windows Firewall
Possible attempt to disable PatchGuard
Stops running service(s)
Modifies boot configuration data using bcdedit
XMRig Miner payload
Glupteba
Glupteba payload
Suspicious use of NtCreateUserProcessOtherParentProcess
UAC bypass
Windows security bypass
xmrig
Unpacked files
SHA256 hash: d2bc0ffcc8dfd3a427fb53886fb73496015781576538b570036ede16e4d917c7
MD5 hash: f202e579cb2887d050666b1d0f4838d4
SHA1 hash: fedae7f500630f303e0e2feeab0890f1e238da01
SHA256 hash: fed92b12cc0fbc75bb1d1c661e1675f6e20d27d6d03d25174536d71125cb7a0e
MD5 hash: b87e53716d1d15ee4d62bbf2a8a9f506
SHA1 hash: b34199355417eb56c97c7ace31d5faa716405479
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: NET
Author: malware-lu
Rule name: PE_Digital_Certificate
Author: albertzsigovits
Rule name: pe_imphash
Rule name: PE_Potentially_Signed_Digital_Certificate
Author: albertzsigovits
Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download
  Socks5Systemz | Executable exe | fed92b12cc0fbc75bb1d1c661e1675f6e20d27d6d03d25174536d71125cb7a0e (this sample)
Delivery method: Distributed via web download

Comments



zbet commented on 2023-11-14 14:56:45 UTC

url : hxxp://91.92.243.139/files/11.exe