socks5systemz | b5eaf10fcee125295402478e086f6e3c441024daec47dde0170ba528525f1eb2 | Triage

Submit
Reports

Overview

overview

Static

static

3

6706ad721d...on.exe

windows7-x64

6706ad721d...on.exe

windows10-1703-x64

6706ad721d...on.exe

windows10-2004-x64

6706ad721d...on.exe

windows11-21h2-x64

Sharing

General

Target

6706ad721d914_JuidePorison.exe
Size

8.6MB
Sample

241011-zqhzsstbpe
MD5

54e6bcf9be550a5b8e5cd7b83318942d
SHA1

0c9084c04d5dd833867a60376c0809e8276fd869
SHA256

b5eaf10fcee125295402478e086f6e3c441024daec47dde0170ba528525f1eb2
SHA512

afed87e898d00a146c42f4c81b86fe5c243c205fabb3296d757915bc427bfa8fe91d7cad48a4d36f427168b90011d8ce05e8b3003ccf47f0a3e3ab5151eefd1f
SSDEEP

196608:CkQm7e7eIqv9n2vYLIRQ6SSQCpX67SfUDTsmpfCcXe+8BvSk:CkQm7e7eIqvF2vRCApXVwTsmpfCcL8g

Score

10^/10

socks5systemz stealc vidar b3f4e62dbdd6721134cbcb95ba248e90 default default7_doz botnet credential_access discovery execution spyware stealer

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

6706ad721d914_JuidePorison.exe

Resource

win7-20240903-en

stealc vidar b3f4e62dbdd6721134cbcb95ba248e90 default credential_access discovery execution spyware stealer

windows7-x64

27 signatures

150 seconds

Behavioral task

behavioral2

Sample

6706ad721d914_JuidePorison.exe

Resource

win10-20240404-en

socks5systemz stealc vidar b3f4e62dbdd6721134cbcb95ba248e90 default default7_doz botnet credential_access discovery execution spyware stealer

windows10-1703-x64

31 signatures

150 seconds

Behavioral task

behavioral3

Sample

6706ad721d914_JuidePorison.exe

Resource

win10v2004-20241007-en

stealc default7_doz discovery spyware stealer

windows10-2004-x64

10 signatures

150 seconds

Behavioral task

behavioral4

Sample

6706ad721d914_JuidePorison.exe

Resource

win11-20241007-en

stealc default7_doz discovery execution spyware stealer

windows11-21h2-x64

18 signatures

150 seconds

Malware Config

Extracted

Family

stealc

Botnet

default

C2

http://194.246.83.76

Attributes

url_path
/a238cad009777d38.php

Extracted

Family

vidar

Version

11.1

Botnet

b3f4e62dbdd6721134cbcb95ba248e90

C2

https://steamcommunity.com/profiles/76561199786602107

https://t.me/lpnjoke

Attributes

user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0

Extracted

Family

stealc

Botnet

default7_doz

C2

http://62.204.41.176

Attributes

url_path
/edd20096ecef326d.php

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://my.cloudme.com/v1/ws2/:usefullbox/:real/real.txt

Targets

- Target
  
  6706ad721d914_JuidePorison.exe
- Size
  
  8.6MB
- MD5
  
  54e6bcf9be550a5b8e5cd7b83318942d
- SHA1
  
  0c9084c04d5dd833867a60376c0809e8276fd869
- SHA256
  
  b5eaf10fcee125295402478e086f6e3c441024daec47dde0170ba528525f1eb2
- SHA512
  
  afed87e898d00a146c42f4c81b86fe5c243c205fabb3296d757915bc427bfa8fe91d7cad48a4d36f427168b90011d8ce05e8b3003ccf47f0a3e3ab5151eefd1f
- SSDEEP
  
  196608:CkQm7e7eIqv9n2vYLIRQ6SSQCpX67SfUDTsmpfCcXe+8BvSk:CkQm7e7eIqvF2vRCApXVwTsmpfCcL8g
Score

10^/10

stealc vidar b3f4e62dbdd6721134cbcb95ba248e90 default credential_access discovery execution spyware stealer socks5systemz default7_doz botnet
- Detect Socks5Systemz Payload
- Detect Vidar Stealer
  stealer
- Socks5Systemz
  Socks5Systemz is a botnet written in C++.
  botnet socks5systemz
- Stealc
  Stealc is an infostealer written in C++.
  stealer stealc
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Vidar
  Vidar is an infostealer based on Arkei stealer.
  stealer vidar
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Powershell Invoke Web Request.
  execution
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
- Downloads MZ/PE file
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Unexpected DNS network traffic destination
  Network traffic to other servers than the configured DNS servers was detected on the DNS port.
- Unsecured Credentials: Credentials In Files
  Steal credentials from unsecured files.
  credential_access stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- AutoIT Executable
  AutoIT scripts compiled to PE executables.
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2 behavioral3 behavioral4

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

Subvert Trust Controls

Install Root Certificate

Credential Access

Credentials from Password Stores

Credentials from Web Browsers

Unsecured Credentials

Credentials In Files

Discovery

Browser Information Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

stealcvidarb3f4e62dbdd6721134cbcb95ba248e90defaultcredential_accessdiscoveryexecutionspywarestealer

behavioral2

socks5systemzstealcvidarb3f4e62dbdd6721134cbcb95ba248e90defaultdefault7_dozbotnetcredential_accessdiscoveryexecutionspywarestealer

behavioral3

stealcdefault7_dozdiscoveryspywarestealer

behavioral4

stealcdefault7_dozdiscoveryexecutionspywarestealer

© 2018-2025

Terms | Privacy