socks5systemz | f8cb920f9d119192a5cfa2c207dc91a8b8878072682722901e1d6739ce8aa8e0

General

Target

f8cb920f9d119192a5cfa2c207dc91a8b8878072682722901e1d6739ce8aa8e0.exe
Size

3.6MB
MD5

3e7eb4bc28a82c80ec0ee6dee1bcacba
SHA1

a0f35dac1db294e2e98489b724123ca3b230eb75
SHA256

f8cb920f9d119192a5cfa2c207dc91a8b8878072682722901e1d6739ce8aa8e0
SHA512

187584a9d7aed755438d84cdf3c6421ad227db13a6ec530fb35568188b38307fffbdb7d9af14aab373906cec17794f6eb9e549c102157a23b6c389b30c4d430d
SSDEEP

98304:Ny2hw2wywnhOiA6Uaz5YA8jli3jdE/ZdcZGlJ8Kc/IVK:Uawfh5USjjdE/TcUlJ9UL

Score

10^/10

socks5systemz botnet discovery

Malware Config

Signatures

Detect Socks5Systemz Payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2820-80-0x00000000023E0000-0x0000000002482000-memory.dmp	family_socks5systemz

Socks5Systemz
Socks5Systemz is a botnet written in C++.
botnet socks5systemz
Socks5systemz family
socks5systemz

Executes dropped EXE 2 IoCs

Processes:

f8cb920f9d119192a5cfa2c207dc91a8b8878072682722901e1d6739ce8aa8e0.tmpxlgear3.exe

pid	Process
2096	f8cb920f9d119192a5cfa2c207dc91a8b8878072682722901e1d6739ce8aa8e0.tmp
2820	xlgear3.exe

Loads dropped DLL 6 IoCs

Processes:

f8cb920f9d119192a5cfa2c207dc91a8b8878072682722901e1d6739ce8aa8e0.exef8cb920f9d119192a5cfa2c207dc91a8b8878072682722901e1d6739ce8aa8e0.tmpxlgear3.exe

pid	Process
2124	f8cb920f9d119192a5cfa2c207dc91a8b8878072682722901e1d6739ce8aa8e0.exe
2096	f8cb920f9d119192a5cfa2c207dc91a8b8878072682722901e1d6739ce8aa8e0.tmp
2096	f8cb920f9d119192a5cfa2c207dc91a8b8878072682722901e1d6739ce8aa8e0.tmp
2096	f8cb920f9d119192a5cfa2c207dc91a8b8878072682722901e1d6739ce8aa8e0.tmp
2096	f8cb920f9d119192a5cfa2c207dc91a8b8878072682722901e1d6739ce8aa8e0.tmp
2820	xlgear3.exe

Unexpected DNS network traffic destination 1 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

Processes:

description	ioc
Destination IP	152.89.198.214

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

f8cb920f9d119192a5cfa2c207dc91a8b8878072682722901e1d6739ce8aa8e0.tmpnet.exenet1.exexlgear3.exef8cb920f9d119192a5cfa2c207dc91a8b8878072682722901e1d6739ce8aa8e0.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f8cb920f9d119192a5cfa2c207dc91a8b8878072682722901e1d6739ce8aa8e0.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xlgear3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f8cb920f9d119192a5cfa2c207dc91a8b8878072682722901e1d6739ce8aa8e0.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

f8cb920f9d119192a5cfa2c207dc91a8b8878072682722901e1d6739ce8aa8e0.tmp

pid	Process
2096	f8cb920f9d119192a5cfa2c207dc91a8b8878072682722901e1d6739ce8aa8e0.tmp
2096	f8cb920f9d119192a5cfa2c207dc91a8b8878072682722901e1d6739ce8aa8e0.tmp

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

f8cb920f9d119192a5cfa2c207dc91a8b8878072682722901e1d6739ce8aa8e0.tmp

pid	Process
2096	f8cb920f9d119192a5cfa2c207dc91a8b8878072682722901e1d6739ce8aa8e0.tmp

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

f8cb920f9d119192a5cfa2c207dc91a8b8878072682722901e1d6739ce8aa8e0.exef8cb920f9d119192a5cfa2c207dc91a8b8878072682722901e1d6739ce8aa8e0.tmpnet.exe

description	pid	Process	procid_target
PID 2124 wrote to memory of 2096	2124	f8cb920f9d119192a5cfa2c207dc91a8b8878072682722901e1d6739ce8aa8e0.exe	30
PID 2124 wrote to memory of 2096	2124	f8cb920f9d119192a5cfa2c207dc91a8b8878072682722901e1d6739ce8aa8e0.exe	30
PID 2124 wrote to memory of 2096	2124	f8cb920f9d119192a5cfa2c207dc91a8b8878072682722901e1d6739ce8aa8e0.exe	30
PID 2124 wrote to memory of 2096	2124	f8cb920f9d119192a5cfa2c207dc91a8b8878072682722901e1d6739ce8aa8e0.exe	30
PID 2124 wrote to memory of 2096	2124	f8cb920f9d119192a5cfa2c207dc91a8b8878072682722901e1d6739ce8aa8e0.exe	30
PID 2124 wrote to memory of 2096	2124	f8cb920f9d119192a5cfa2c207dc91a8b8878072682722901e1d6739ce8aa8e0.exe	30
PID 2124 wrote to memory of 2096	2124	f8cb920f9d119192a5cfa2c207dc91a8b8878072682722901e1d6739ce8aa8e0.exe	30
PID 2096 wrote to memory of 2748	2096	f8cb920f9d119192a5cfa2c207dc91a8b8878072682722901e1d6739ce8aa8e0.tmp	31
PID 2096 wrote to memory of 2748	2096	f8cb920f9d119192a5cfa2c207dc91a8b8878072682722901e1d6739ce8aa8e0.tmp	31
PID 2096 wrote to memory of 2748	2096	f8cb920f9d119192a5cfa2c207dc91a8b8878072682722901e1d6739ce8aa8e0.tmp	31
PID 2096 wrote to memory of 2748	2096	f8cb920f9d119192a5cfa2c207dc91a8b8878072682722901e1d6739ce8aa8e0.tmp	31
PID 2096 wrote to memory of 2820	2096	f8cb920f9d119192a5cfa2c207dc91a8b8878072682722901e1d6739ce8aa8e0.tmp	33
PID 2096 wrote to memory of 2820	2096	f8cb920f9d119192a5cfa2c207dc91a8b8878072682722901e1d6739ce8aa8e0.tmp	33
PID 2096 wrote to memory of 2820	2096	f8cb920f9d119192a5cfa2c207dc91a8b8878072682722901e1d6739ce8aa8e0.tmp	33
PID 2096 wrote to memory of 2820	2096	f8cb920f9d119192a5cfa2c207dc91a8b8878072682722901e1d6739ce8aa8e0.tmp	33
PID 2748 wrote to memory of 2948	2748	net.exe	34
PID 2748 wrote to memory of 2948	2748	net.exe	34
PID 2748 wrote to memory of 2948	2748	net.exe	34
PID 2748 wrote to memory of 2948	2748	net.exe	34

C:\Users\Admin\AppData\Local\Temp\f8cb920f9d119192a5cfa2c207dc91a8b8878072682722901e1d6739ce8aa8e0.exe
"C:\Users\Admin\AppData\Local\Temp\f8cb920f9d119192a5cfa2c207dc91a8b8878072682722901e1d6739ce8aa8e0.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2124
- C:\Users\Admin\AppData\Local\Temp\is-ESB1J.tmp\f8cb920f9d119192a5cfa2c207dc91a8b8878072682722901e1d6739ce8aa8e0.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-ESB1J.tmp\f8cb920f9d119192a5cfa2c207dc91a8b8878072682722901e1d6739ce8aa8e0.tmp" /SL5="$C0150,3494790,54272,C:\Users\Admin\AppData\Local\Temp\f8cb920f9d119192a5cfa2c207dc91a8b8878072682722901e1d6739ce8aa8e0.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2096
- - C:\Windows\SysWOW64\net.exe
    "C:\Windows\system32\net.exe" pause xl_gear_11292
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2748
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 pause xl_gear_11292
      4⤵
      System Location Discovery: System Language Discovery
      PID:2948
- - C:\Users\Admin\AppData\Local\XLGear 3.0.3.267\xlgear3.exe
    "C:\Users\Admin\AppData\Local\XLGear 3.0.3.267\xlgear3.exe" -i
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:2820

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\XLGear 3.0.3.267\xlgear3.exe

Filesize
3.2MB

MD5
ba0a9e9114bf466e6652b640f3e005d0

SHA1
0458d51f5fca6836be5e0c6dfdfaa31204dd6137

SHA256
2e2307b90e62c4da246ae3b5de9de8c52b52aa0c4de46677c12a4db2b7e789c7

SHA512
934af85cdb0f3d69d19267dd1378ddc1609f714b38855499b92ac782f7d865f816b62720d64f05f2b93dc3e6d74c5a2d71b2a3281511214ca083aae2a7815712

Download Submit
\Users\Admin\AppData\Local\Temp\is-ESB1J.tmp\f8cb920f9d119192a5cfa2c207dc91a8b8878072682722901e1d6739ce8aa8e0.tmp

Filesize
687KB

MD5
48afe95587667696e4d8242a5db77277

SHA1
272468b1b7a2bc8ccb8325e4fc21962281401f43

SHA256
6156372ac8623e153d6085d0793c478ab6ddf65168abbdca8c6ee182495cca18

SHA512
527839fca325c31f847761d6911f4cf1930053b342a6e66a59144b6d15ab1f530c1d3c13973c3cb1697cb7f222efc2ab0a447d776f6387860ea27eb1b0afd802

Download Submit
\Users\Admin\AppData\Local\Temp\is-J9KQN.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
\Users\Admin\AppData\Local\Temp\is-J9KQN.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\XLGear 3.0.3.267\sqlite3.dll

Filesize
630KB

MD5
e477a96c8f2b18d6b5c27bde49c990bf

SHA1
e980c9bf41330d1e5bd04556db4646a0210f7409

SHA256
16574f51785b0e2fc29c2c61477eb47bb39f714829999511dc8952b43ab17660

SHA512
335a86268e7c0e568b1c30981ec644e6cd332e66f96d2551b58a82515316693c1859d87b4f4b7310cf1ac386cee671580fdd999c3bcb23acf2c2282c01c8798c

Download Submit
memory/2096-54-0x00000000057A0000-0x0000000005ACE000-memory.dmp

Filesize
3.2MB

Download
memory/2096-8-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/2096-46-0x00000000057A0000-0x0000000005ACE000-memory.dmp

Filesize
3.2MB

Download
memory/2096-53-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/2124-0-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2124-2-0x0000000000401000-0x000000000040B000-memory.dmp

Filesize
40KB

Download
memory/2124-55-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2820-59-0x0000000000400000-0x000000000072E000-memory.dmp

Filesize
3.2MB

Download
memory/2820-80-0x00000000023E0000-0x0000000002482000-memory.dmp

Filesize
648KB

Download
memory/2820-47-0x0000000000400000-0x000000000072E000-memory.dmp

Filesize
3.2MB

Download
memory/2820-58-0x0000000060900000-0x0000000060992000-memory.dmp

Filesize
584KB

Download
memory/2820-62-0x0000000000400000-0x000000000072E000-memory.dmp

Filesize
3.2MB

Download
memory/2820-66-0x0000000000400000-0x000000000072E000-memory.dmp

Filesize
3.2MB

Download
memory/2820-70-0x0000000000400000-0x000000000072E000-memory.dmp

Filesize
3.2MB

Download
memory/2820-74-0x0000000000400000-0x000000000072E000-memory.dmp

Filesize
3.2MB

Download
memory/2820-78-0x0000000000400000-0x000000000072E000-memory.dmp

Filesize
3.2MB

Download
memory/2820-49-0x0000000000400000-0x000000000072E000-memory.dmp

Filesize
3.2MB

Download
memory/2820-86-0x0000000000400000-0x000000000072E000-memory.dmp

Filesize
3.2MB

Download
memory/2820-90-0x0000000000400000-0x000000000072E000-memory.dmp

Filesize
3.2MB

Download
memory/2820-94-0x0000000000400000-0x000000000072E000-memory.dmp

Filesize
3.2MB

Download
memory/2820-98-0x0000000000400000-0x000000000072E000-memory.dmp

Filesize
3.2MB

Download
memory/2820-102-0x0000000000400000-0x000000000072E000-memory.dmp

Filesize
3.2MB

Download
memory/2820-106-0x0000000000400000-0x000000000072E000-memory.dmp

Filesize
3.2MB

Download
memory/2820-110-0x0000000000400000-0x000000000072E000-memory.dmp

Filesize
3.2MB

Download
memory/2820-114-0x0000000000400000-0x000000000072E000-memory.dmp

Filesize
3.2MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads