socks5systemz | 96f1e5aec33e97a2526c6aedec8acdb852bc6053e6d5524ee16ddd2a3bcba577

General

Target

february.exe
Size

2.6MB
MD5

ac8fa0113e8e1e5caac9707c3baa6014
SHA1

ee807cee7130af13380a876418cb0492654315a0
SHA256

96f1e5aec33e97a2526c6aedec8acdb852bc6053e6d5524ee16ddd2a3bcba577
SHA512

27602b753a053cbf76381d67f8783a2d023377ff90861ba05e41b07515781ab462dcc4f4a0f97cf5f588f9748e12d105a2704f1b518c919b362c70c1c0f212e6
SSDEEP

49152:C9yRPSzWTkW94DLJLHrF1+DZSAuPgnbVSvq673eOQx39CxZbQyAf+3zK31xM2LQ+:MEKA4hrFifuPQSvqceBx3ADA4zK39E6F

Score

10^/10

socks5systemz botnet discovery

Malware Config

Extracted

Family

socks5systemz

C2

http://bfjwohe.com/search/?q=67e28dd86e58a42e450ca94d7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ee8889b5e4fa9281ae978f671ea771795af8e05c642db22f31dfe339426fa11af66c152adb719a9577e55b8603e983a608ef610c6ed929838

http://bfjwohe.com/search/?q=67e28dd86e58a42e450ca94d7c27d78406abdd88be4b12eab517aa5c96bd86e893854d865a8bbc896c58e713bc90c91b36b5281fc235a925ed3e55d6bd974a95129070b611e96cc92be510b866db52b2e34aec4c2b14a82966836f23d7f210c7ef9c9b3dcf689415

Signatures

Detect Socks5Systemz Payload 5 IoCs

resource	yara_rule
behavioral2/memory/2340-68-0x00000000008B0000-0x0000000000952000-memory.dmp	family_socks5systemz
behavioral2/memory/2340-69-0x00000000008B0000-0x0000000000952000-memory.dmp	family_socks5systemz
behavioral2/memory/2340-79-0x00000000008B0000-0x0000000000952000-memory.dmp	family_socks5systemz
behavioral2/memory/2340-92-0x00000000008B0000-0x0000000000952000-memory.dmp	family_socks5systemz
behavioral2/memory/2340-93-0x00000000008B0000-0x0000000000952000-memory.dmp	family_socks5systemz

Socks5Systemz
Socks5Systemz is a botnet written in C++.
botnet socks5systemz

Executes dropped EXE 3 IoCs

pid	Process
864	february.tmp
2252	dvdmatedeluxe.exe
2340	dvdmatedeluxe.exe

Loads dropped DLL 1 IoCs

pid	Process
864	february.tmp

Unexpected DNS network traffic destination 1 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	152.89.198.214

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
864	february.tmp
864	february.tmp

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
864	february.tmp

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3644 wrote to memory of 864	3644	february.exe	88
PID 3644 wrote to memory of 864	3644	february.exe	88
PID 3644 wrote to memory of 864	3644	february.exe	88
PID 864 wrote to memory of 2252	864	february.tmp	89
PID 864 wrote to memory of 2252	864	february.tmp	89
PID 864 wrote to memory of 2252	864	february.tmp	89
PID 864 wrote to memory of 2340	864	february.tmp	90
PID 864 wrote to memory of 2340	864	february.tmp	90
PID 864 wrote to memory of 2340	864	february.tmp	90

C:\Users\Admin\AppData\Local\Temp\february.exe
"C:\Users\Admin\AppData\Local\Temp\february.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3644
- C:\Users\Admin\AppData\Local\Temp\is-MOEOO.tmp\february.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-MOEOO.tmp\february.tmp" /SL5="$A00FE,2327531,56832,C:\Users\Admin\AppData\Local\Temp\february.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:864
- - C:\Users\Admin\AppData\Local\DVD Mate Deluxe\dvdmatedeluxe.exe
    "C:\Users\Admin\AppData\Local\DVD Mate Deluxe\dvdmatedeluxe.exe" -i
    3⤵
    - Executes dropped EXE
    PID:2252
- - C:\Users\Admin\AppData\Local\DVD Mate Deluxe\dvdmatedeluxe.exe
    "C:\Users\Admin\AppData\Local\DVD Mate Deluxe\dvdmatedeluxe.exe" -s
    3⤵
    - Executes dropped EXE
    PID:2340

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\DVD Mate Deluxe\dvdmatedeluxe.exe

Filesize
3.3MB

MD5
3f1cd6b5cc0a4f6ea79586e90f360ff6

SHA1
d75dcd1e4f9a26d302260c05291432f87783bece

SHA256
70597c9cb60e9607a3e2afdfce93f48e4c1f422fdb02a1b9a7563e2e57f810eb

SHA512
667fbc36b65d5fc8e3bfbd2cc6562ecd3444d3c5aa648951712d01674ecafce2c0359b0d5f10bc80febec4512fbecf529cd5a5603d2324bccc7028761cf1858b

Download Submit
C:\Users\Admin\AppData\Local\DVD Mate Deluxe\dvdmatedeluxe.exe

Filesize
1.7MB

MD5
7a2dcccbdc2e48e3c7f58532284e8b38

SHA1
e09044386047dc3d8c208dc22e83cdfd4d3c87fe

SHA256
cbd57bf212127708797fe2437d8676b1a31a0c860ce16f9659d18a7cf28a43c6

SHA512
a55a3254b1ca1c9a247823eb472c6b60f5edc93ceac5729f33497246cf3a2fe6e6ce3d941a92bde48acd5836cbe8c4d6cebbe60cb476981beb388622682f994f

Download Submit
C:\Users\Admin\AppData\Local\DVD Mate Deluxe\dvdmatedeluxe.exe

Filesize
1.5MB

MD5
532159b5ccaec9c4506322a58f7e6650

SHA1
256614a0d67b013e0558ad072a979a908c547cf8

SHA256
fe67ace7bef9fbb334fb0039a151ff1190899941f85272bc456b598c670f47aa

SHA512
9a3e8650f97b59e943c013d2afb4684b1e3a14245d37b0cb4e2dd583482e8f4059c5f35d37420faaa40cf65870a5954bf731c0f03bd42c91bc00f9a05dd3032a

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-G67F6.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-MOEOO.tmp\february.tmp

Filesize
690KB

MD5
2480eb0f56520aa86dabd22a9779abc2

SHA1
fb082129966ed798b7c811920023e9b2ca70df24

SHA256
74e34891cfab1568f0718dc15a0a6661ec6d3c93368a08538a1016943ad35d89

SHA512
4dda447b7d94a8c21af354e058f8346b0a4070dae72c13f8aa2b6d194c03c57e27a6c9c335ea5a28c69516c152804930839c4579a98c71d55cceb15c7daa1729

Download Submit
memory/864-48-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/864-50-0x00000000006A0000-0x00000000006A1000-memory.dmp

Filesize
4KB

Download
memory/864-7-0x00000000006A0000-0x00000000006A1000-memory.dmp

Filesize
4KB

Download
memory/2252-37-0x0000000000400000-0x0000000000751000-memory.dmp

Filesize
3.3MB

Download
memory/2252-38-0x0000000000400000-0x0000000000751000-memory.dmp

Filesize
3.3MB

Download
memory/2252-39-0x0000000000400000-0x0000000000751000-memory.dmp

Filesize
3.3MB

Download
memory/2252-42-0x0000000000400000-0x0000000000751000-memory.dmp

Filesize
3.3MB

Download
memory/2340-53-0x0000000000400000-0x0000000000751000-memory.dmp

Filesize
3.3MB

Download
memory/2340-68-0x00000000008B0000-0x0000000000952000-memory.dmp

Filesize
648KB

Download
memory/2340-100-0x0000000000400000-0x0000000000751000-memory.dmp

Filesize
3.3MB

Download
memory/2340-44-0x0000000000400000-0x0000000000751000-memory.dmp

Filesize
3.3MB

Download
memory/2340-49-0x0000000000400000-0x0000000000751000-memory.dmp

Filesize
3.3MB

Download
memory/2340-97-0x0000000000400000-0x0000000000751000-memory.dmp

Filesize
3.3MB

Download
memory/2340-93-0x00000000008B0000-0x0000000000952000-memory.dmp

Filesize
648KB

Download
memory/2340-54-0x0000000000400000-0x0000000000751000-memory.dmp

Filesize
3.3MB

Download
memory/2340-55-0x0000000000400000-0x0000000000751000-memory.dmp

Filesize
3.3MB

Download
memory/2340-58-0x0000000000400000-0x0000000000751000-memory.dmp

Filesize
3.3MB

Download
memory/2340-61-0x0000000000400000-0x0000000000751000-memory.dmp

Filesize
3.3MB

Download
memory/2340-64-0x0000000000400000-0x0000000000751000-memory.dmp

Filesize
3.3MB

Download
memory/2340-67-0x0000000000400000-0x0000000000751000-memory.dmp

Filesize
3.3MB

Download
memory/2340-46-0x0000000000400000-0x0000000000751000-memory.dmp

Filesize
3.3MB

Download
memory/2340-69-0x00000000008B0000-0x0000000000952000-memory.dmp

Filesize
648KB

Download
memory/2340-75-0x0000000000400000-0x0000000000751000-memory.dmp

Filesize
3.3MB

Download
memory/2340-78-0x0000000000400000-0x0000000000751000-memory.dmp

Filesize
3.3MB

Download
memory/2340-79-0x00000000008B0000-0x0000000000952000-memory.dmp

Filesize
648KB

Download
memory/2340-82-0x0000000000400000-0x0000000000751000-memory.dmp

Filesize
3.3MB

Download
memory/2340-85-0x0000000000400000-0x0000000000751000-memory.dmp

Filesize
3.3MB

Download
memory/2340-88-0x0000000000400000-0x0000000000751000-memory.dmp

Filesize
3.3MB

Download
memory/2340-91-0x0000000000400000-0x0000000000751000-memory.dmp

Filesize
3.3MB

Download
memory/2340-92-0x00000000008B0000-0x0000000000952000-memory.dmp

Filesize
648KB

Download
memory/3644-0-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3644-2-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3644-47-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download

Analysis

Sharing