socks5systemz | 659240bbe35456b042af8a30ef5c786b65ed084de60d7a9ad0a286f6eba884a0

General

Target

SecuriteInfo.com.Trojan.Win32.Crypt.32471.3146.exe
Size

2.0MB
MD5

e771b3e8f5d1edff5abfff3baf6e712b
SHA1

02c048112d45716ff703207d041ddebcd7d961d1
SHA256

659240bbe35456b042af8a30ef5c786b65ed084de60d7a9ad0a286f6eba884a0
SHA512

7c0a7d288ea558e30d0ca7b61566b37247d29be60e211be157b7a4b33e42461f46b982423d54fa11a13717df5be8f063ca51a627813f79afa1a478b40d8d4bfb
SSDEEP

49152:C9r4Y1ZSgPogEV+goIDOxkaliEiDmBctvRnw2Ihi9rdE67kW5X:Mr4gcfdDOTvBCpmgRT

Score

10^/10

socks5systemz botnet discovery

Malware Config

Extracted

Family

socks5systemz

C2

http://bdefbee.com/search/?q=67e28dd86f5af1211209a81b7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa48e8889b5e4fa9281ae978f071ea771795af8e05c645db22f31dfe339426fa11af66c152adb719a9577e55b8603e983a608ef619c4e9919b3f

Signatures

Detect Socks5Systemz Payload 6 IoCs

resource	yara_rule
behavioral2/memory/3788-69-0x00000000008D0000-0x0000000000973000-memory.dmp	family_socks5systemz
behavioral2/memory/3788-66-0x00000000008D0000-0x0000000000973000-memory.dmp	family_socks5systemz
behavioral2/memory/3788-78-0x00000000008D0000-0x0000000000973000-memory.dmp	family_socks5systemz
behavioral2/memory/3788-97-0x00000000008D0000-0x0000000000973000-memory.dmp	family_socks5systemz
behavioral2/memory/3788-98-0x00000000008D0000-0x0000000000973000-memory.dmp	family_socks5systemz
behavioral2/memory/3788-99-0x00000000008D0000-0x0000000000973000-memory.dmp	family_socks5systemz

Socks5Systemz
Socks5Systemz is a botnet written in C++.
botnet socks5systemz

Executes dropped EXE 3 IoCs

pid	Process
2832	SecuriteInfo.com.Trojan.Win32.Crypt.32471.3146.tmp
3612	cruisemailer.exe
3788	cruisemailer.exe

Loads dropped DLL 1 IoCs

pid	Process
2832	SecuriteInfo.com.Trojan.Win32.Crypt.32471.3146.tmp

Unexpected DNS network traffic destination 1 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	45.155.250.90

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2832	SecuriteInfo.com.Trojan.Win32.Crypt.32471.3146.tmp
2832	SecuriteInfo.com.Trojan.Win32.Crypt.32471.3146.tmp

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2832	SecuriteInfo.com.Trojan.Win32.Crypt.32471.3146.tmp

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4804 wrote to memory of 2832	4804	SecuriteInfo.com.Trojan.Win32.Crypt.32471.3146.exe	88
PID 4804 wrote to memory of 2832	4804	SecuriteInfo.com.Trojan.Win32.Crypt.32471.3146.exe	88
PID 4804 wrote to memory of 2832	4804	SecuriteInfo.com.Trojan.Win32.Crypt.32471.3146.exe	88
PID 2832 wrote to memory of 3612	2832	SecuriteInfo.com.Trojan.Win32.Crypt.32471.3146.tmp	91
PID 2832 wrote to memory of 3612	2832	SecuriteInfo.com.Trojan.Win32.Crypt.32471.3146.tmp	91
PID 2832 wrote to memory of 3612	2832	SecuriteInfo.com.Trojan.Win32.Crypt.32471.3146.tmp	91
PID 2832 wrote to memory of 3788	2832	SecuriteInfo.com.Trojan.Win32.Crypt.32471.3146.tmp	92
PID 2832 wrote to memory of 3788	2832	SecuriteInfo.com.Trojan.Win32.Crypt.32471.3146.tmp	92
PID 2832 wrote to memory of 3788	2832	SecuriteInfo.com.Trojan.Win32.Crypt.32471.3146.tmp	92

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Win32.Crypt.32471.3146.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Win32.Crypt.32471.3146.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4804
- C:\Users\Admin\AppData\Local\Temp\is-DR265.tmp\SecuriteInfo.com.Trojan.Win32.Crypt.32471.3146.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-DR265.tmp\SecuriteInfo.com.Trojan.Win32.Crypt.32471.3146.tmp" /SL5="$70116,1682330,56832,C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Win32.Crypt.32471.3146.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2832
- - C:\Users\Admin\AppData\Local\Cruise Mailer\cruisemailer.exe
    "C:\Users\Admin\AppData\Local\Cruise Mailer\cruisemailer.exe" -i
    3⤵
    - Executes dropped EXE
    PID:3612
- - C:\Users\Admin\AppData\Local\Cruise Mailer\cruisemailer.exe
    "C:\Users\Admin\AppData\Local\Cruise Mailer\cruisemailer.exe" -s
    3⤵
    - Executes dropped EXE
    PID:3788

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Cruise Mailer\cruisemailer.exe

Filesize
1.3MB

MD5
6928edb959dd84babf7a4df114a737cf

SHA1
19ca6bd8a0ceeea9c0c4ed47d40541fab21b22d7

SHA256
7228afd3092ce3be10d381d1e47ad9eabf1fadf250a1904be22c69a202544cbd

SHA512
2e57319eff87f21dfbe2e00241c297831b62ad287b168d75b95d4526e022eac881aedb4452b2e5e07da9e7587753c6e588fae65c75928488bd579d8ed3d362fc

Download Submit
C:\Users\Admin\AppData\Local\Cruise Mailer\cruisemailer.exe

Filesize
398KB

MD5
f0dd7562ffe04198d2c8bc18da903a53

SHA1
be2241868d71077aab8821aede02f65e65dcc28f

SHA256
ceeb1d13d4f40aa4d56fae579f1c5bbeab3a4c29754dd18fffe78e4a860b2b91

SHA512
24b0cefea0f54de2c83b29696f45bef219f33fe0b2dc319cd0e17bc45effb0c2c94bbb9dcf0a11d2c6ce6f78b7632838c83661d9300d8d1967379158e5361e11

Download Submit
C:\Users\Admin\AppData\Local\Cruise Mailer\cruisemailer.exe

Filesize
15KB

MD5
fa8926617444f7f8a2860cde1aa4b3c2

SHA1
eff833350c284996b954488c5d1f2952ddc5b0b7

SHA256
b18ecc842c8cf1608824451c4f9c88f7c6a5991de797347eb83cf42f87c57c2c

SHA512
bcc7a545f842a79411e4ce7b53814ffb543d107f3673649b75425e335f26e627a0457117682473c430e8d0b3046fe70b9d4b5b13189ad64de23819f564f0ded8

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-DR265.tmp\SecuriteInfo.com.Trojan.Win32.Crypt.32471.3146.tmp

Filesize
690KB

MD5
87041e1189809c2e27890dcacfb5f12b

SHA1
0692e4718bfbadd453ed7d7e2b1337993ad97ba5

SHA256
447741a1ef3c1892a69ca7375da921ba39cabcb225cf82e26d5af69d54864086

SHA512
705abf93f24423ef3b12f4a677509ffe14ab4deea6974e56cd59ceaf9bdb8483f2ee393d0a33f8828240227b2c847d45d5153cf3663b14de4bf1826b743f8013

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-KRJ80.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
memory/2832-48-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/2832-50-0x0000000002350000-0x0000000002351000-memory.dmp

Filesize
4KB

Download
memory/2832-7-0x0000000002350000-0x0000000002351000-memory.dmp

Filesize
4KB

Download
memory/3612-37-0x0000000000400000-0x00000000005D1000-memory.dmp

Filesize
1.8MB

Download
memory/3612-38-0x0000000000400000-0x00000000005D1000-memory.dmp

Filesize
1.8MB

Download
memory/3612-41-0x0000000000400000-0x00000000005D1000-memory.dmp

Filesize
1.8MB

Download
memory/3612-42-0x0000000000400000-0x00000000005D1000-memory.dmp

Filesize
1.8MB

Download
memory/3788-53-0x0000000000400000-0x00000000005D1000-memory.dmp

Filesize
1.8MB

Download
memory/3788-66-0x00000000008D0000-0x0000000000973000-memory.dmp

Filesize
652KB

Download
memory/3788-99-0x00000000008D0000-0x0000000000973000-memory.dmp

Filesize
652KB

Download
memory/3788-45-0x0000000000400000-0x00000000005D1000-memory.dmp

Filesize
1.8MB

Download
memory/3788-49-0x0000000000400000-0x00000000005D1000-memory.dmp

Filesize
1.8MB

Download
memory/3788-98-0x00000000008D0000-0x0000000000973000-memory.dmp

Filesize
652KB

Download
memory/3788-97-0x00000000008D0000-0x0000000000973000-memory.dmp

Filesize
652KB

Download
memory/3788-54-0x0000000000400000-0x00000000005D1000-memory.dmp

Filesize
1.8MB

Download
memory/3788-57-0x0000000000400000-0x00000000005D1000-memory.dmp

Filesize
1.8MB

Download
memory/3788-60-0x0000000000400000-0x00000000005D1000-memory.dmp

Filesize
1.8MB

Download
memory/3788-63-0x0000000000400000-0x00000000005D1000-memory.dmp

Filesize
1.8MB

Download
memory/3788-67-0x0000000000400000-0x00000000005D1000-memory.dmp

Filesize
1.8MB

Download
memory/3788-69-0x00000000008D0000-0x0000000000973000-memory.dmp

Filesize
652KB

Download
memory/3788-46-0x0000000000400000-0x00000000005D1000-memory.dmp

Filesize
1.8MB

Download
memory/3788-74-0x0000000000400000-0x00000000005D1000-memory.dmp

Filesize
1.8MB

Download
memory/3788-77-0x0000000000400000-0x00000000005D1000-memory.dmp

Filesize
1.8MB

Download
memory/3788-78-0x00000000008D0000-0x0000000000973000-memory.dmp

Filesize
652KB

Download
memory/3788-81-0x0000000000400000-0x00000000005D1000-memory.dmp

Filesize
1.8MB

Download
memory/3788-84-0x0000000000400000-0x00000000005D1000-memory.dmp

Filesize
1.8MB

Download
memory/3788-87-0x0000000000400000-0x00000000005D1000-memory.dmp

Filesize
1.8MB

Download
memory/3788-90-0x0000000000400000-0x00000000005D1000-memory.dmp

Filesize
1.8MB

Download
memory/3788-93-0x0000000000400000-0x00000000005D1000-memory.dmp

Filesize
1.8MB

Download
memory/3788-96-0x0000000000400000-0x00000000005D1000-memory.dmp

Filesize
1.8MB

Download
memory/4804-0-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4804-2-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4804-47-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download

Analysis

Sharing