socks5systemz | eb7c25eacb194ab5b2cbc396775db46312b2681c50928300f0dc433e4e4df833

General

Target

eb7c25eacb194ab5b2cbc396775db46312b2681c50928300f0dc433e4e4df833.exe
Size

4.5MB
MD5

1d184788f71f4d9176501cd50c353e2f
SHA1

74abf131b968b7a9716652ce36d5cc894f5c208c
SHA256

eb7c25eacb194ab5b2cbc396775db46312b2681c50928300f0dc433e4e4df833
SHA512

9f5cdd5e951af65ce3ef49321c41b15647081a2c75412f38b5d76b4d2792ccb77de6af1099da767408a4515608e1bd067fde2545d5dd15fe1b2d68f09e8f698c
SSDEEP

98304:AYdXsIEgtBRkix1oycRv9gpptVIkLh2/++K0jJ7JCthJSV7v7:Pdc5gHobR9eptKkI/++PDShJS9v7

Score

10^/10

Malware Config

Signatures

Detect Socks5Systemz Payload 1 IoCs

resource	yara_rule
behavioral1/memory/2488-87-0x00000000024A0000-0x0000000002542000-memory.dmp	family_socks5systemz

Socks5Systemz
Socks5Systemz is a botnet written in C++.
botnet socks5systemz

Executes dropped EXE 3 IoCs

pid	Process
228	eb7c25eacb194ab5b2cbc396775db46312b2681c50928300f0dc433e4e4df833.tmp
3472	radiobuster32.exe
2488	radiobuster32.exe

Loads dropped DLL 1 IoCs

pid	Process
228	eb7c25eacb194ab5b2cbc396775db46312b2681c50928300f0dc433e4e4df833.tmp

Unexpected DNS network traffic destination 1 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	91.211.247.248

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3544 wrote to memory of 228	3544	eb7c25eacb194ab5b2cbc396775db46312b2681c50928300f0dc433e4e4df833.exe	89
PID 3544 wrote to memory of 228	3544	eb7c25eacb194ab5b2cbc396775db46312b2681c50928300f0dc433e4e4df833.exe	89
PID 3544 wrote to memory of 228	3544	eb7c25eacb194ab5b2cbc396775db46312b2681c50928300f0dc433e4e4df833.exe	89
PID 228 wrote to memory of 3472	228	eb7c25eacb194ab5b2cbc396775db46312b2681c50928300f0dc433e4e4df833.tmp	93
PID 228 wrote to memory of 3472	228	eb7c25eacb194ab5b2cbc396775db46312b2681c50928300f0dc433e4e4df833.tmp	93
PID 228 wrote to memory of 3472	228	eb7c25eacb194ab5b2cbc396775db46312b2681c50928300f0dc433e4e4df833.tmp	93
PID 228 wrote to memory of 2488	228	eb7c25eacb194ab5b2cbc396775db46312b2681c50928300f0dc433e4e4df833.tmp	94
PID 228 wrote to memory of 2488	228	eb7c25eacb194ab5b2cbc396775db46312b2681c50928300f0dc433e4e4df833.tmp	94
PID 228 wrote to memory of 2488	228	eb7c25eacb194ab5b2cbc396775db46312b2681c50928300f0dc433e4e4df833.tmp	94

C:\Users\Admin\AppData\Local\Temp\eb7c25eacb194ab5b2cbc396775db46312b2681c50928300f0dc433e4e4df833.exe
"C:\Users\Admin\AppData\Local\Temp\eb7c25eacb194ab5b2cbc396775db46312b2681c50928300f0dc433e4e4df833.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3544
- C:\Users\Admin\AppData\Local\Temp\is-Q78FQ.tmp\eb7c25eacb194ab5b2cbc396775db46312b2681c50928300f0dc433e4e4df833.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-Q78FQ.tmp\eb7c25eacb194ab5b2cbc396775db46312b2681c50928300f0dc433e4e4df833.tmp" /SL5="$B0048,4411461,54272,C:\Users\Admin\AppData\Local\Temp\eb7c25eacb194ab5b2cbc396775db46312b2681c50928300f0dc433e4e4df833.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:228
- - C:\Users\Admin\AppData\Local\Radio Buster\radiobuster32.exe
    "C:\Users\Admin\AppData\Local\Radio Buster\radiobuster32.exe" -i
    3⤵
    - Executes dropped EXE
    PID:3472
- - C:\Users\Admin\AppData\Local\Radio Buster\radiobuster32.exe
    "C:\Users\Admin\AppData\Local\Radio Buster\radiobuster32.exe" -s
    3⤵
    - Executes dropped EXE
    PID:2488

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3756,i,7012731823941922179,12386606396608877869,262144 --variations-seed-version --mojo-platform-channel-handle=4396 /prefetch:8
1⤵
PID:1472

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Radio Buster\libeay32.dll

Filesize
1.9MB

MD5
876a839023b8f962a72d295da7495734

SHA1
62a7728679bc18784b1fbf1d013f7cece18cbec9

SHA256
a757d773da406411fb977761f6e56f016d48d224aedaf3d875ed4d4a9ede6158

SHA512
e1b23a2f5ec0100ff874ca075bbd0f90e9065a90fec66861f99df603d7aaa9db8e8ec326710fdc11ad41d01befe4ea3077136127acf613614d0d12ff23bec6c1

Download Submit
C:\Users\Admin\AppData\Local\Radio Buster\radiobuster32.exe

Filesize
2.5MB

MD5
a4877c7c81a42b7ceb140033944fb580

SHA1
227bf6786f9e79dd08639d790f56c21c5dd3c593

SHA256
e30118e12c1d3d42e6a47f7f253ea62ffcd8ac099b9b1b0ff1c1a9e573bd7a29

SHA512
fca6b48487c0e32bd0737a77d16242cdcd0cb785c8cb658b6b16cd8a7933dbc45f16ba2498922e3c911891d312489af01c2d37b75981f052f85726bc79e4310d

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-4AGQD.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-Q78FQ.tmp\eb7c25eacb194ab5b2cbc396775db46312b2681c50928300f0dc433e4e4df833.tmp

Filesize
696KB

MD5
0fbd91399a4476ef767a6d203be9af3f

SHA1
175c645348c6a6b03cdf4e14bbb73dc522864a78

SHA256
213d474063fb52c18c5b0b40bfc1884a3fc8f6b76c71a994c3da56e1be60dbd1

SHA512
457b7c9d50a96572339061e6aa35ee7ad2663b38d423499bc606b92eb427315788ac5ae69b046beed0acdfb05bad9eff91bec0564b3ccd5245522d966aec2f91

Download Submit
memory/228-70-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/228-16-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/2488-90-0x0000000000400000-0x000000000067E000-memory.dmp

Filesize
2.5MB

Download
memory/2488-95-0x0000000000400000-0x000000000067E000-memory.dmp

Filesize
2.5MB

Download
memory/2488-116-0x0000000000400000-0x000000000067E000-memory.dmp

Filesize
2.5MB

Download
memory/2488-113-0x0000000000400000-0x000000000067E000-memory.dmp

Filesize
2.5MB

Download
memory/2488-110-0x0000000000400000-0x000000000067E000-memory.dmp

Filesize
2.5MB

Download
memory/2488-68-0x0000000000400000-0x000000000067E000-memory.dmp

Filesize
2.5MB

Download
memory/2488-107-0x0000000000400000-0x000000000067E000-memory.dmp

Filesize
2.5MB

Download
memory/2488-104-0x0000000000400000-0x000000000067E000-memory.dmp

Filesize
2.5MB

Download
memory/2488-71-0x0000000000400000-0x000000000067E000-memory.dmp

Filesize
2.5MB

Download
memory/2488-74-0x0000000000400000-0x000000000067E000-memory.dmp

Filesize
2.5MB

Download
memory/2488-75-0x0000000000400000-0x000000000067E000-memory.dmp

Filesize
2.5MB

Download
memory/2488-78-0x0000000000400000-0x000000000067E000-memory.dmp

Filesize
2.5MB

Download
memory/2488-81-0x0000000000400000-0x000000000067E000-memory.dmp

Filesize
2.5MB

Download
memory/2488-84-0x0000000000400000-0x000000000067E000-memory.dmp

Filesize
2.5MB

Download
memory/2488-87-0x00000000024A0000-0x0000000002542000-memory.dmp

Filesize
648KB

Download
memory/2488-101-0x0000000000400000-0x000000000067E000-memory.dmp

Filesize
2.5MB

Download
memory/2488-98-0x0000000000400000-0x000000000067E000-memory.dmp

Filesize
2.5MB

Download
memory/3472-60-0x0000000000400000-0x000000000067E000-memory.dmp

Filesize
2.5MB

Download
memory/3472-64-0x0000000000400000-0x000000000067E000-memory.dmp

Filesize
2.5MB

Download
memory/3472-59-0x0000000000400000-0x000000000067E000-memory.dmp

Filesize
2.5MB

Download
memory/3472-61-0x0000000000400000-0x000000000067E000-memory.dmp

Filesize
2.5MB

Download
memory/3544-0-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3544-3-0x0000000000401000-0x000000000040B000-memory.dmp

Filesize
40KB

Download
memory/3544-69-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download

Analysis

Sharing