socks5systemz | 7fcf9da4f0365c791ee2e24a2cdf92f2a42c130ea851380096c267a98e77d791

General

Target

5a0091e55a8dde139614c4fe106a6ce1.exe
Size

4.2MB
MD5

5a0091e55a8dde139614c4fe106a6ce1
SHA1

cf965423ca85bb3862c62bd0712d2ead032208fd
SHA256

7fcf9da4f0365c791ee2e24a2cdf92f2a42c130ea851380096c267a98e77d791
SHA512

e78dece9d1a75ee5f2767b2739e1ed24c85fa775615393b51e14c39012fa86b7472b185ded1a740604f5d970ed3fb01cfb3cd4a8a3c36f5f2b1af282976003a0
SSDEEP

98304:sy3FP4P0AHs4AKN4tAT7xdfFG1acTWRYch5fye0xcxLdsV8vSt:syKP0t4AKNwAT1DGnWi8wpxArv6

Score

10^/10

socks5systemz botnet discovery

Malware Config

Extracted

Family

socks5systemz

C2

http://bvuqwya.com/search/?q=67e28dd86d0ca420440ef91f7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa49e8889b5e4fa9281ae978f671ea771795af8e05c645db22f31dfe339426fa11af66c152adb719a9577e55b8603e983a608ffa15c1eb979f3b

Signatures

Detect Socks5Systemz Payload 1 IoCs

resource	yara_rule
behavioral2/memory/2488-86-0x0000000002820000-0x00000000028C2000-memory.dmp	family_socks5systemz

Socks5Systemz
Socks5Systemz is a botnet written in C++.
botnet socks5systemz

Executes dropped EXE 3 IoCs

pid	Process
4556	5a0091e55a8dde139614c4fe106a6ce1.tmp
1664	mixerfreeedition.exe
2488	mixerfreeedition.exe

Loads dropped DLL 1 IoCs

pid	Process
4556	5a0091e55a8dde139614c4fe106a6ce1.tmp

Unexpected DNS network traffic destination 1 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	91.211.247.248

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4536 wrote to memory of 4556	4536	5a0091e55a8dde139614c4fe106a6ce1.exe	81
PID 4536 wrote to memory of 4556	4536	5a0091e55a8dde139614c4fe106a6ce1.exe	81
PID 4536 wrote to memory of 4556	4536	5a0091e55a8dde139614c4fe106a6ce1.exe	81
PID 4556 wrote to memory of 1664	4556	5a0091e55a8dde139614c4fe106a6ce1.tmp	85
PID 4556 wrote to memory of 1664	4556	5a0091e55a8dde139614c4fe106a6ce1.tmp	85
PID 4556 wrote to memory of 1664	4556	5a0091e55a8dde139614c4fe106a6ce1.tmp	85
PID 4556 wrote to memory of 2488	4556	5a0091e55a8dde139614c4fe106a6ce1.tmp	86
PID 4556 wrote to memory of 2488	4556	5a0091e55a8dde139614c4fe106a6ce1.tmp	86
PID 4556 wrote to memory of 2488	4556	5a0091e55a8dde139614c4fe106a6ce1.tmp	86

C:\Users\Admin\AppData\Local\Temp\5a0091e55a8dde139614c4fe106a6ce1.exe
"C:\Users\Admin\AppData\Local\Temp\5a0091e55a8dde139614c4fe106a6ce1.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4536
- C:\Users\Admin\AppData\Local\Temp\is-NR3A1.tmp\5a0091e55a8dde139614c4fe106a6ce1.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-NR3A1.tmp\5a0091e55a8dde139614c4fe106a6ce1.tmp" /SL5="$701E8,4101844,54272,C:\Users\Admin\AppData\Local\Temp\5a0091e55a8dde139614c4fe106a6ce1.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:4556
- - C:\Users\Admin\AppData\Local\Mixer Free Edition\mixerfreeedition.exe
    "C:\Users\Admin\AppData\Local\Mixer Free Edition\mixerfreeedition.exe" -i
    3⤵
    - Executes dropped EXE
    PID:1664
- - C:\Users\Admin\AppData\Local\Mixer Free Edition\mixerfreeedition.exe
    "C:\Users\Admin\AppData\Local\Mixer Free Edition\mixerfreeedition.exe" -s
    3⤵
    - Executes dropped EXE
    PID:2488

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mixer Free Edition\libeay32.dll

Filesize
1.9MB

MD5
5fbd844a6ce26deb5337e8e6dd7c7b70

SHA1
5302e49b2027a07c7bb8f95d45510efc0d954cf8

SHA256
f0d640c4e07c81c29f0ec2b603ec3017bdd4db0d0e26c3fa364a6bbf45826058

SHA512
c383b5ec9fb9efd53cdf00c2b0940fe60a35a857f8be40ae0763647c3523712553910aca8504768cc86895b2168525fa6043d567e66e0ed5696e2c8e5e7b992d

Download Submit
C:\Users\Admin\AppData\Local\Mixer Free Edition\mixerfreeedition.exe

Filesize
1.7MB

MD5
a8114231cdb1fa3459a12f7f95b73993

SHA1
c6f060c139b46da8e51e1143433abc4c2f4c453f

SHA256
71551da3bacea0190f4be447bd00cc91d59cb7f62ea02f67e3541924588411fe

SHA512
88a7ed2a5c770f178bfde5836698f3b5055415c6b2bf7daf17f892a2c669bc3cde56d0f10fe8417c5093dc6fd5197792d280f39d4d7deceabf52ae863734bc5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-3M3L1.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-NR3A1.tmp\5a0091e55a8dde139614c4fe106a6ce1.tmp

Filesize
696KB

MD5
c6061f804038f66af0cbf28c43abf849

SHA1
0473fc63f6514857bba850ce50206fbe8c992b64

SHA256
6261d17d1ab1744496c0f2988954989398d6829f2417df5420ffdf6d64f8678e

SHA512
edf27bfeec82752b6d52a8eb68853dde5d5effd9c3a8c1c93e181167d8bc5ae2c6d7b19ac74955c91aa4e90913fb7dcc8439d33a5e0c8aac5fe71c914596e0ae

Download Submit
memory/1664-62-0x0000000000400000-0x00000000005C3000-memory.dmp

Filesize
1.8MB

Download
memory/1664-64-0x0000000000400000-0x00000000005C3000-memory.dmp

Filesize
1.8MB

Download
memory/1664-59-0x0000000000400000-0x00000000005C3000-memory.dmp

Filesize
1.8MB

Download
memory/1664-60-0x0000000000400000-0x00000000005C3000-memory.dmp

Filesize
1.8MB

Download
memory/2488-71-0x0000000000400000-0x00000000005C3000-memory.dmp

Filesize
1.8MB

Download
memory/2488-103-0x0000000000400000-0x00000000005C3000-memory.dmp

Filesize
1.8MB

Download
memory/2488-68-0x0000000000400000-0x00000000005C3000-memory.dmp

Filesize
1.8MB

Download
memory/2488-115-0x0000000000400000-0x00000000005C3000-memory.dmp

Filesize
1.8MB

Download
memory/2488-112-0x0000000000400000-0x00000000005C3000-memory.dmp

Filesize
1.8MB

Download
memory/2488-109-0x0000000000400000-0x00000000005C3000-memory.dmp

Filesize
1.8MB

Download
memory/2488-106-0x0000000000400000-0x00000000005C3000-memory.dmp

Filesize
1.8MB

Download
memory/2488-74-0x0000000000400000-0x00000000005C3000-memory.dmp

Filesize
1.8MB

Download
memory/2488-77-0x0000000000400000-0x00000000005C3000-memory.dmp

Filesize
1.8MB

Download
memory/2488-80-0x0000000000400000-0x00000000005C3000-memory.dmp

Filesize
1.8MB

Download
memory/2488-83-0x0000000000400000-0x00000000005C3000-memory.dmp

Filesize
1.8MB

Download
memory/2488-86-0x0000000002820000-0x00000000028C2000-memory.dmp

Filesize
648KB

Download
memory/2488-89-0x0000000000400000-0x00000000005C3000-memory.dmp

Filesize
1.8MB

Download
memory/2488-94-0x0000000000400000-0x00000000005C3000-memory.dmp

Filesize
1.8MB

Download
memory/2488-97-0x0000000000400000-0x00000000005C3000-memory.dmp

Filesize
1.8MB

Download
memory/2488-100-0x0000000000400000-0x00000000005C3000-memory.dmp

Filesize
1.8MB

Download
memory/4536-0-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4536-69-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4536-3-0x0000000000401000-0x000000000040B000-memory.dmp

Filesize
40KB

Download
memory/4556-13-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/4556-70-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download

Analysis

Sharing