socks5systemz | bb3095d5b8b59d58ff10d4202d77713c9e76e78a048fc378b4c1aed9e3e1ab27

General

Target

bb3095d5b8b59d58ff10d4202d77713c9e76e78a048fc378b4c1aed9e3e1ab27.exe
Size

4.4MB
MD5

5b16619b3b35341918d658ce2aa8c2b5
SHA1

17b5642fdd851cade939d743748179f5f80cbc83
SHA256

bb3095d5b8b59d58ff10d4202d77713c9e76e78a048fc378b4c1aed9e3e1ab27
SHA512

a5775f3ca64f594db2dd98d0881f3f7dd72049edd320d499b471b30d817f65159af86bea1923d86821b80b76cd47f0d245c225b556583f7481634b88c705d8ad
SSDEEP

98304:m4wBmwG8fGIGKIU6bMjY9jlUXOvyfTVZ9rko:fKImIU6eYLUrVko

Score

10^/10

socks5systemz botnet discovery

Malware Config

Extracted

Family

socks5systemz

C2

bubsudj.com

http://bubsudj.com/search/?q=67e28dd8655bf57a4609f84c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa48e8889b5e4fa9281ae978ff71ea771795af8e05c645db22f31dfe339426fa11a366c350adb719a9577e55b8603e983a608ff718c2ea959b32

Signatures

Detect Socks5Systemz Payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4652-81-0x00000000008C0000-0x0000000000962000-memory.dmp	family_socks5systemz

Socks5Systemz
Socks5Systemz is a botnet written in C++.
botnet socks5systemz
Executes dropped EXE 3 IoCs

Processes:

bb3095d5b8b59d58ff10d4202d77713c9e76e78a048fc378b4c1aed9e3e1ab27.tmpfanplayercloudfree.exefanplayercloudfree.exe

pid process

1096 bb3095d5b8b59d58ff10d4202d77713c9e76e78a048fc378b4c1aed9e3e1ab27.tmp
1704 fanplayercloudfree.exe
4652 fanplayercloudfree.exe
Loads dropped DLL 1 IoCs

Processes:

bb3095d5b8b59d58ff10d4202d77713c9e76e78a048fc378b4c1aed9e3e1ab27.tmp

pid process

1096 bb3095d5b8b59d58ff10d4202d77713c9e76e78a048fc378b4c1aed9e3e1ab27.tmp
Unexpected DNS network traffic destination 1 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.

Processes:

description ioc

Destination IP 152.89.198.214
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

bb3095d5b8b59d58ff10d4202d77713c9e76e78a048fc378b4c1aed9e3e1ab27.tmp

pid process

1096 bb3095d5b8b59d58ff10d4202d77713c9e76e78a048fc378b4c1aed9e3e1ab27.tmp

pid	process
1096	bb3095d5b8b59d58ff10d4202d77713c9e76e78a048fc378b4c1aed9e3e1ab27.tmp
1704	fanplayercloudfree.exe
4652	fanplayercloudfree.exe

pid	process
1096	bb3095d5b8b59d58ff10d4202d77713c9e76e78a048fc378b4c1aed9e3e1ab27.tmp

description	ioc
Destination IP	152.89.198.214

pid	process
1096	bb3095d5b8b59d58ff10d4202d77713c9e76e78a048fc378b4c1aed9e3e1ab27.tmp

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

bb3095d5b8b59d58ff10d4202d77713c9e76e78a048fc378b4c1aed9e3e1ab27.exebb3095d5b8b59d58ff10d4202d77713c9e76e78a048fc378b4c1aed9e3e1ab27.tmp

description	pid	process	target process
PID 4920 wrote to memory of 1096	4920	bb3095d5b8b59d58ff10d4202d77713c9e76e78a048fc378b4c1aed9e3e1ab27.exe	bb3095d5b8b59d58ff10d4202d77713c9e76e78a048fc378b4c1aed9e3e1ab27.tmp
PID 4920 wrote to memory of 1096	4920	bb3095d5b8b59d58ff10d4202d77713c9e76e78a048fc378b4c1aed9e3e1ab27.exe	bb3095d5b8b59d58ff10d4202d77713c9e76e78a048fc378b4c1aed9e3e1ab27.tmp
PID 4920 wrote to memory of 1096	4920	bb3095d5b8b59d58ff10d4202d77713c9e76e78a048fc378b4c1aed9e3e1ab27.exe	bb3095d5b8b59d58ff10d4202d77713c9e76e78a048fc378b4c1aed9e3e1ab27.tmp
PID 1096 wrote to memory of 1704	1096	bb3095d5b8b59d58ff10d4202d77713c9e76e78a048fc378b4c1aed9e3e1ab27.tmp	fanplayercloudfree.exe
PID 1096 wrote to memory of 1704	1096	bb3095d5b8b59d58ff10d4202d77713c9e76e78a048fc378b4c1aed9e3e1ab27.tmp	fanplayercloudfree.exe
PID 1096 wrote to memory of 1704	1096	bb3095d5b8b59d58ff10d4202d77713c9e76e78a048fc378b4c1aed9e3e1ab27.tmp	fanplayercloudfree.exe
PID 1096 wrote to memory of 4652	1096	bb3095d5b8b59d58ff10d4202d77713c9e76e78a048fc378b4c1aed9e3e1ab27.tmp	fanplayercloudfree.exe
PID 1096 wrote to memory of 4652	1096	bb3095d5b8b59d58ff10d4202d77713c9e76e78a048fc378b4c1aed9e3e1ab27.tmp	fanplayercloudfree.exe
PID 1096 wrote to memory of 4652	1096	bb3095d5b8b59d58ff10d4202d77713c9e76e78a048fc378b4c1aed9e3e1ab27.tmp	fanplayercloudfree.exe

C:\Users\Admin\AppData\Local\Temp\bb3095d5b8b59d58ff10d4202d77713c9e76e78a048fc378b4c1aed9e3e1ab27.exe
"C:\Users\Admin\AppData\Local\Temp\bb3095d5b8b59d58ff10d4202d77713c9e76e78a048fc378b4c1aed9e3e1ab27.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4920

C:\Users\Admin\AppData\Local\Temp\is-N7DLD.tmp\bb3095d5b8b59d58ff10d4202d77713c9e76e78a048fc378b4c1aed9e3e1ab27.tmp
"C:\Users\Admin\AppData\Local\Temp\is-N7DLD.tmp\bb3095d5b8b59d58ff10d4202d77713c9e76e78a048fc378b4c1aed9e3e1ab27.tmp" /SL5="$A0084,4381089,54272,C:\Users\Admin\AppData\Local\Temp\bb3095d5b8b59d58ff10d4202d77713c9e76e78a048fc378b4c1aed9e3e1ab27.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1096

C:\Users\Admin\AppData\Local\FanPlayer Cloud Free\fanplayercloudfree.exe
"C:\Users\Admin\AppData\Local\FanPlayer Cloud Free\fanplayercloudfree.exe" -i
3⤵
- Executes dropped EXE
PID:1704

C:\Users\Admin\AppData\Local\FanPlayer Cloud Free\fanplayercloudfree.exe
"C:\Users\Admin\AppData\Local\FanPlayer Cloud Free\fanplayercloudfree.exe" -s
3⤵
- Executes dropped EXE
PID:4652

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\FanPlayer Cloud Free\fanplayercloudfree.exe

Filesize
2.3MB

MD5
cb6634b29a8e16c9f459a5b469c280b0

SHA1
0ba0d5dadbf249dff8b3da81281f1bd2b59af5dc

SHA256
7468ef7c78dcbd5d23534f6f4db6f5717c6ae8319bcab6675c9173316e72b859

SHA512
176758e486c43c119cec057a058687bbeee4ec2778f94f6015d8641ee35b5781474132d973c0a370a3fa1327c01a6c9b70971a35f3ac6cc2b0b92c995a4ee134

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-N7DLD.tmp\bb3095d5b8b59d58ff10d4202d77713c9e76e78a048fc378b4c1aed9e3e1ab27.tmp

Filesize
680KB

MD5
2154bbdc6c2dbb50a3cb91c53dfe890c

SHA1
7dc893259f9ff4792ae127ae06bd231638464001

SHA256
e5259ed1134d255d778da9b2748841a47e6dc6949f6e3e6dc53f0ed114ea20d4

SHA512
4bbb22ef4d80c5b0df178da5d1794ed7f7909cc2abdc511314d3c1d9e8a412fbddf7407536d1d98affc16d089cbcb15b3e8f8c264f99607c554e1627beaea45f

Download Submit
\Users\Admin\AppData\Local\Temp\is-QOREA.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
memory/1096-67-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/1096-16-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/1704-63-0x0000000000400000-0x0000000000646000-memory.dmp

Filesize
2.3MB

Download
memory/1704-59-0x0000000000400000-0x0000000000646000-memory.dmp

Filesize
2.3MB

Download
memory/1704-61-0x0000000000400000-0x0000000000646000-memory.dmp

Filesize
2.3MB

Download
memory/4652-77-0x0000000000400000-0x0000000000646000-memory.dmp

Filesize
2.3MB

Download
memory/4652-109-0x0000000000400000-0x0000000000646000-memory.dmp

Filesize
2.3MB

Download
memory/4652-129-0x0000000000400000-0x0000000000646000-memory.dmp

Filesize
2.3MB

Download
memory/4652-68-0x0000000000400000-0x0000000000646000-memory.dmp

Filesize
2.3MB

Download
memory/4652-71-0x0000000000400000-0x0000000000646000-memory.dmp

Filesize
2.3MB

Download
memory/4652-74-0x0000000000400000-0x0000000000646000-memory.dmp

Filesize
2.3MB

Download
memory/4652-124-0x0000000000400000-0x0000000000646000-memory.dmp

Filesize
2.3MB

Download
memory/4652-80-0x0000000000400000-0x0000000000646000-memory.dmp

Filesize
2.3MB

Download
memory/4652-81-0x00000000008C0000-0x0000000000962000-memory.dmp

Filesize
648KB

Download
memory/4652-85-0x0000000000400000-0x0000000000646000-memory.dmp

Filesize
2.3MB

Download
memory/4652-90-0x0000000000400000-0x0000000000646000-memory.dmp

Filesize
2.3MB

Download
memory/4652-93-0x0000000000400000-0x0000000000646000-memory.dmp

Filesize
2.3MB

Download
memory/4652-96-0x0000000000400000-0x0000000000646000-memory.dmp

Filesize
2.3MB

Download
memory/4652-99-0x0000000000400000-0x0000000000646000-memory.dmp

Filesize
2.3MB

Download
memory/4652-102-0x0000000000400000-0x0000000000646000-memory.dmp

Filesize
2.3MB

Download
memory/4652-105-0x0000000000400000-0x0000000000646000-memory.dmp

Filesize
2.3MB

Download
memory/4652-121-0x0000000000400000-0x0000000000646000-memory.dmp

Filesize
2.3MB

Download
memory/4652-112-0x0000000000400000-0x0000000000646000-memory.dmp

Filesize
2.3MB

Download
memory/4652-115-0x0000000000400000-0x0000000000646000-memory.dmp

Filesize
2.3MB

Download
memory/4652-118-0x0000000000400000-0x0000000000646000-memory.dmp

Filesize
2.3MB

Download
memory/4920-66-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4920-0-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4920-3-0x0000000000401000-0x000000000040B000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing