socks5systemz | c1665247f95fdcfb0db93a040416adb12885eef3f527b4d83142e0ea3e5b41a6

General

Target

c1665247f95fdcfb0db93a040416adb12885eef3f527b4d83142e0ea3e5b41a6.exe
Size

4.2MB
MD5

f9315da19f4066846e78838cf1768cb7
SHA1

bd8424086cb6d83d0bee950ca0e2a74c198e8870
SHA256

c1665247f95fdcfb0db93a040416adb12885eef3f527b4d83142e0ea3e5b41a6
SHA512

43f3af9de33070fa03a0c119ad19a972956952905073c9372dc88e6be32f6e042b1cc13518ac8fdc03bf43f2f0d6da5c28fa6c179037fa2a07344660758cb078
SSDEEP

98304:+u2GOfCtgrcoDA+MHFZy049HHA0f0M6d7l1Zh3T73vHrnOqjd1Zt:BcfCJCKa04p4M6n1Zh3TXnOaXt

Score

10^/10

socks5systemz botnet discovery

Malware Config

Extracted

Family

socks5systemz

C2

http://bvilbzo.com/search/?q=67e28dd86c0ca77c400cfe4c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa44e8889b5e4fa9281ae978f271ea771795af8e05c645db22f31dfe339426fa11a366c350adb719a9577e55b8603e983a608ffa13c1ed97923d

Signatures

Detect Socks5Systemz Payload 1 IoCs

resource	yara_rule
behavioral2/memory/4400-83-0x00000000007D0000-0x0000000000872000-memory.dmp	family_socks5systemz

Socks5Systemz
Socks5Systemz is a botnet written in C++.
botnet socks5systemz

Executes dropped EXE 3 IoCs

pid	Process
4640	c1665247f95fdcfb0db93a040416adb12885eef3f527b4d83142e0ea3e5b41a6.tmp
820	auditorium32.exe
4400	auditorium32.exe

Loads dropped DLL 1 IoCs

pid	Process
4640	c1665247f95fdcfb0db93a040416adb12885eef3f527b4d83142e0ea3e5b41a6.tmp

Unexpected DNS network traffic destination 1 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	152.89.198.214

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 404 wrote to memory of 4640	404	c1665247f95fdcfb0db93a040416adb12885eef3f527b4d83142e0ea3e5b41a6.exe	75
PID 404 wrote to memory of 4640	404	c1665247f95fdcfb0db93a040416adb12885eef3f527b4d83142e0ea3e5b41a6.exe	75
PID 404 wrote to memory of 4640	404	c1665247f95fdcfb0db93a040416adb12885eef3f527b4d83142e0ea3e5b41a6.exe	75
PID 4640 wrote to memory of 820	4640	c1665247f95fdcfb0db93a040416adb12885eef3f527b4d83142e0ea3e5b41a6.tmp	76
PID 4640 wrote to memory of 820	4640	c1665247f95fdcfb0db93a040416adb12885eef3f527b4d83142e0ea3e5b41a6.tmp	76
PID 4640 wrote to memory of 820	4640	c1665247f95fdcfb0db93a040416adb12885eef3f527b4d83142e0ea3e5b41a6.tmp	76
PID 4640 wrote to memory of 4400	4640	c1665247f95fdcfb0db93a040416adb12885eef3f527b4d83142e0ea3e5b41a6.tmp	77
PID 4640 wrote to memory of 4400	4640	c1665247f95fdcfb0db93a040416adb12885eef3f527b4d83142e0ea3e5b41a6.tmp	77
PID 4640 wrote to memory of 4400	4640	c1665247f95fdcfb0db93a040416adb12885eef3f527b4d83142e0ea3e5b41a6.tmp	77

C:\Users\Admin\AppData\Local\Temp\c1665247f95fdcfb0db93a040416adb12885eef3f527b4d83142e0ea3e5b41a6.exe
"C:\Users\Admin\AppData\Local\Temp\c1665247f95fdcfb0db93a040416adb12885eef3f527b4d83142e0ea3e5b41a6.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:404
- C:\Users\Admin\AppData\Local\Temp\is-61G83.tmp\c1665247f95fdcfb0db93a040416adb12885eef3f527b4d83142e0ea3e5b41a6.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-61G83.tmp\c1665247f95fdcfb0db93a040416adb12885eef3f527b4d83142e0ea3e5b41a6.tmp" /SL5="$C01D2,4153722,54272,C:\Users\Admin\AppData\Local\Temp\c1665247f95fdcfb0db93a040416adb12885eef3f527b4d83142e0ea3e5b41a6.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:4640
- - C:\Users\Admin\AppData\Local\Auditorium\auditorium32.exe
    "C:\Users\Admin\AppData\Local\Auditorium\auditorium32.exe" -i
    3⤵
    - Executes dropped EXE
    PID:820
- - C:\Users\Admin\AppData\Local\Auditorium\auditorium32.exe
    "C:\Users\Admin\AppData\Local\Auditorium\auditorium32.exe" -s
    3⤵
    - Executes dropped EXE
    PID:4400

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Auditorium\auditorium32.exe

Filesize
2.1MB

MD5
949a5b0ab9f3297b03bdb7a2225e1925

SHA1
43f84593c41ea8632975fa44b693f1f6faf9a590

SHA256
faef547d3fe97dc31b5fc76743d6fd844f1163a71f65db918d0e5c2999b49220

SHA512
471cc2a48f2df523b9e261ca03559a3ff075a65e87a10f24faa87416bedf0e2bbf9a9532a2554655daac8e615c978666b303c39f9f28cf4ca8d82261ababcc1e

Download Submit
C:\Users\Admin\AppData\Local\Auditorium\libeay32.dll

Filesize
2.3MB

MD5
5afad5dd0bae7f01c2be79f9f168c9e8

SHA1
553fe32e9cc002b3357c11de74478b85b04657bc

SHA256
4c5c6debe9453f0343f163aa72b7049f3167bc08d3b2d549fcabc4ee6bfbafcd

SHA512
3f78196965db2fa5f6a13fecd9d93abbbaafaa52a6b43e8bd957d3b1e52bc3930db2d72e79cd34315f56b9758ed37a5d6b122533351d90296abfe8ca7f62fb3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-61G83.tmp\c1665247f95fdcfb0db93a040416adb12885eef3f527b4d83142e0ea3e5b41a6.tmp

Filesize
695KB

MD5
a287ecffad7cec4fca751c14eb6a1e03

SHA1
b23ea238468f657f049e70067cfc75a22858c395

SHA256
9f31cf21012d515b2f351c0e69bf0b94954a9807a847c98388c3302320362948

SHA512
0669d5d06444a5a0c589f5fe85550efafbf96ff38ab1bbdd1b3a76408e79307c5af2cd266d403c41762d7b354efdf2bd6d29e02bb40c74e843716ca8ffe9a087

Download Submit
\Users\Admin\AppData\Local\Temp\is-KBSBM.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
memory/404-2-0x0000000000401000-0x000000000040B000-memory.dmp

Filesize
40KB

Download
memory/404-0-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/404-68-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/820-59-0x0000000000400000-0x0000000000621000-memory.dmp

Filesize
2.1MB

Download
memory/820-60-0x0000000000400000-0x0000000000621000-memory.dmp

Filesize
2.1MB

Download
memory/820-63-0x0000000000400000-0x0000000000621000-memory.dmp

Filesize
2.1MB

Download
memory/4400-79-0x0000000000400000-0x0000000000621000-memory.dmp

Filesize
2.1MB

Download
memory/4400-111-0x0000000000400000-0x0000000000621000-memory.dmp

Filesize
2.1MB

Download
memory/4400-131-0x0000000000400000-0x0000000000621000-memory.dmp

Filesize
2.1MB

Download
memory/4400-70-0x0000000000400000-0x0000000000621000-memory.dmp

Filesize
2.1MB

Download
memory/4400-73-0x0000000000400000-0x0000000000621000-memory.dmp

Filesize
2.1MB

Download
memory/4400-76-0x0000000000400000-0x0000000000621000-memory.dmp

Filesize
2.1MB

Download
memory/4400-126-0x0000000000400000-0x0000000000621000-memory.dmp

Filesize
2.1MB

Download
memory/4400-82-0x0000000000400000-0x0000000000621000-memory.dmp

Filesize
2.1MB

Download
memory/4400-83-0x00000000007D0000-0x0000000000872000-memory.dmp

Filesize
648KB

Download
memory/4400-87-0x0000000000400000-0x0000000000621000-memory.dmp

Filesize
2.1MB

Download
memory/4400-92-0x0000000000400000-0x0000000000621000-memory.dmp

Filesize
2.1MB

Download
memory/4400-95-0x0000000000400000-0x0000000000621000-memory.dmp

Filesize
2.1MB

Download
memory/4400-98-0x0000000000400000-0x0000000000621000-memory.dmp

Filesize
2.1MB

Download
memory/4400-101-0x0000000000400000-0x0000000000621000-memory.dmp

Filesize
2.1MB

Download
memory/4400-104-0x0000000000400000-0x0000000000621000-memory.dmp

Filesize
2.1MB

Download
memory/4400-107-0x0000000000400000-0x0000000000621000-memory.dmp

Filesize
2.1MB

Download
memory/4400-67-0x0000000000400000-0x0000000000621000-memory.dmp

Filesize
2.1MB

Download
memory/4400-114-0x0000000000400000-0x0000000000621000-memory.dmp

Filesize
2.1MB

Download
memory/4400-117-0x0000000000400000-0x0000000000621000-memory.dmp

Filesize
2.1MB

Download
memory/4400-120-0x0000000000400000-0x0000000000621000-memory.dmp

Filesize
2.1MB

Download
memory/4400-123-0x0000000000400000-0x0000000000621000-memory.dmp

Filesize
2.1MB

Download
memory/4640-10-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/4640-69-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download

Analysis

Sharing