socks5systemz | cab641cc941789b948c84f354c83a67b9684ecaee4ffad7981316931ffb903c1

General

Target

cab641cc941789b948c84f354c83a67b9684ecaee4ffad7981316931ffb903c1.exe
Size

4.2MB
MD5

a6c09deec506d071cec0878397a20d48
SHA1

6ac287f90b4372615f1c0c7287acdc8eec796c0c
SHA256

cab641cc941789b948c84f354c83a67b9684ecaee4ffad7981316931ffb903c1
SHA512

7db70ec5775c77e43713cc83eae19bc0b678f4ab724afa536d0032e6433f77942271c0e325fd098366707815f83eb0d6f3dcde9f0f8d5c5c262a47237cecee77
SSDEEP

98304:iEEUwKP/axciBQq5gBd7mMVnMNlNtZkGOLKnsoaLPM0je3HEv0C:/0KP/altgBoMhu3iLKsor3kv0C

Score

10^/10

socks5systemz botnet discovery

Malware Config

Extracted

Family

socks5systemz

C2

aabowdj.ru

http://aabowdj.ru/search/?q=67e28dd83a09f729130ead4a7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978a271ea771795af8e05c645db22f31dfe339426fa11af66c152adb719a9577e55b8603e983a608afd13c8e99d9933

Signatures

Detect Socks5Systemz Payload 1 IoCs

resource	yara_rule
behavioral2/memory/4472-90-0x00000000023C0000-0x0000000002462000-memory.dmp	family_socks5systemz

Socks5Systemz
Socks5Systemz is a botnet written in C++.
botnet socks5systemz
Socks5systemz family
socks5systemz

Executes dropped EXE 3 IoCs

pid	Process
2928	cab641cc941789b948c84f354c83a67b9684ecaee4ffad7981316931ffb903c1.tmp
5688	keratodjprof.exe
4472	keratodjprof.exe

Loads dropped DLL 1 IoCs

pid	Process
2928	cab641cc941789b948c84f354c83a67b9684ecaee4ffad7981316931ffb903c1.tmp

Unexpected DNS network traffic destination 3 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	flow	ioc	pid	Process
Destination IP	39	152.89.198.214	4472	keratodjprof.exe
Destination IP	41	152.89.198.214	4472	keratodjprof.exe
Destination IP	42	91.211.247.248	4472	keratodjprof.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cab641cc941789b948c84f354c83a67b9684ecaee4ffad7981316931ffb903c1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cab641cc941789b948c84f354c83a67b9684ecaee4ffad7981316931ffb903c1.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	keratodjprof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	keratodjprof.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4964 wrote to memory of 2928	4964	cab641cc941789b948c84f354c83a67b9684ecaee4ffad7981316931ffb903c1.exe	86
PID 4964 wrote to memory of 2928	4964	cab641cc941789b948c84f354c83a67b9684ecaee4ffad7981316931ffb903c1.exe	86
PID 4964 wrote to memory of 2928	4964	cab641cc941789b948c84f354c83a67b9684ecaee4ffad7981316931ffb903c1.exe	86
PID 2928 wrote to memory of 5688	2928	cab641cc941789b948c84f354c83a67b9684ecaee4ffad7981316931ffb903c1.tmp	90
PID 2928 wrote to memory of 5688	2928	cab641cc941789b948c84f354c83a67b9684ecaee4ffad7981316931ffb903c1.tmp	90
PID 2928 wrote to memory of 5688	2928	cab641cc941789b948c84f354c83a67b9684ecaee4ffad7981316931ffb903c1.tmp	90
PID 2928 wrote to memory of 4472	2928	cab641cc941789b948c84f354c83a67b9684ecaee4ffad7981316931ffb903c1.tmp	91
PID 2928 wrote to memory of 4472	2928	cab641cc941789b948c84f354c83a67b9684ecaee4ffad7981316931ffb903c1.tmp	91
PID 2928 wrote to memory of 4472	2928	cab641cc941789b948c84f354c83a67b9684ecaee4ffad7981316931ffb903c1.tmp	91

C:\Users\Admin\AppData\Local\Temp\cab641cc941789b948c84f354c83a67b9684ecaee4ffad7981316931ffb903c1.exe
"C:\Users\Admin\AppData\Local\Temp\cab641cc941789b948c84f354c83a67b9684ecaee4ffad7981316931ffb903c1.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4964
- C:\Users\Admin\AppData\Local\Temp\is-73S24.tmp\cab641cc941789b948c84f354c83a67b9684ecaee4ffad7981316931ffb903c1.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-73S24.tmp\cab641cc941789b948c84f354c83a67b9684ecaee4ffad7981316931ffb903c1.tmp" /SL5="$401FC,4160040,54272,C:\Users\Admin\AppData\Local\Temp\cab641cc941789b948c84f354c83a67b9684ecaee4ffad7981316931ffb903c1.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2928
- - C:\Users\Admin\AppData\Local\Kerato DJ Prof\keratodjprof.exe
    "C:\Users\Admin\AppData\Local\Kerato DJ Prof\keratodjprof.exe" -i
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:5688
- - C:\Users\Admin\AppData\Local\Kerato DJ Prof\keratodjprof.exe
    "C:\Users\Admin\AppData\Local\Kerato DJ Prof\keratodjprof.exe" -s
    3⤵
    - Executes dropped EXE
    - Unexpected DNS network traffic destination
    - System Location Discovery: System Language Discovery
    PID:4472

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Kerato DJ Prof\keratodjprof.exe

Filesize
1.8MB

MD5
d87478eeb44b63e227ed0a759f73ed4c

SHA1
58f70107aec799691b181428636f50d19b9d4a89

SHA256
576137c7ed86d2708c4aedd57aedd7c8c3a60936ed0b01daf07fdb5bbd81a1ab

SHA512
833fa3378e6825b3ee67de5ca03801f073bb418555f308607eabd3ea66d7984df0c45d08bafd028d666d8c85ca2e5c5671eef236ec4563561c7633abc36c9cae

Download Submit
C:\Users\Admin\AppData\Local\Kerato DJ Prof\libeay32.dll

Filesize
1.9MB

MD5
876a839023b8f962a72d295da7495734

SHA1
62a7728679bc18784b1fbf1d013f7cece18cbec9

SHA256
a757d773da406411fb977761f6e56f016d48d224aedaf3d875ed4d4a9ede6158

SHA512
e1b23a2f5ec0100ff874ca075bbd0f90e9065a90fec66861f99df603d7aaa9db8e8ec326710fdc11ad41d01befe4ea3077136127acf613614d0d12ff23bec6c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-2SO94.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-73S24.tmp\cab641cc941789b948c84f354c83a67b9684ecaee4ffad7981316931ffb903c1.tmp

Filesize
696KB

MD5
fec9d8acbaa0eace3c2dd59416e5acda

SHA1
fb8de46a2b17c1da5e5fd4ccdbd3b36bd322d400

SHA256
01b4c22916a7b7711ddee720eb7804d26a92a3652d7afc5af57788cbedc5aa04

SHA512
f3a0a5ea3bb01cf67fc749642d66a9c2d9a41efed14b1ea82137a3185419d7738357eecc72dea68bb92d33223501e96d2d35090cc538768967eeeb07ea8bf39f

Download Submit
memory/2928-70-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/2928-10-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/4472-102-0x0000000000400000-0x00000000005C6000-memory.dmp

Filesize
1.8MB

Download
memory/4472-90-0x00000000023C0000-0x0000000002462000-memory.dmp

Filesize
648KB

Download
memory/4472-133-0x0000000000400000-0x00000000005C6000-memory.dmp

Filesize
1.8MB

Download
memory/4472-130-0x0000000000400000-0x00000000005C6000-memory.dmp

Filesize
1.8MB

Download
memory/4472-127-0x0000000000400000-0x00000000005C6000-memory.dmp

Filesize
1.8MB

Download
memory/4472-69-0x0000000000400000-0x00000000005C6000-memory.dmp

Filesize
1.8MB

Download
memory/4472-124-0x0000000000400000-0x00000000005C6000-memory.dmp

Filesize
1.8MB

Download
memory/4472-121-0x0000000000400000-0x00000000005C6000-memory.dmp

Filesize
1.8MB

Download
memory/4472-73-0x0000000000400000-0x00000000005C6000-memory.dmp

Filesize
1.8MB

Download
memory/4472-74-0x0000000000400000-0x00000000005C6000-memory.dmp

Filesize
1.8MB

Download
memory/4472-77-0x0000000000400000-0x00000000005C6000-memory.dmp

Filesize
1.8MB

Download
memory/4472-80-0x0000000000400000-0x00000000005C6000-memory.dmp

Filesize
1.8MB

Download
memory/4472-83-0x0000000000400000-0x00000000005C6000-memory.dmp

Filesize
1.8MB

Download
memory/4472-86-0x0000000000400000-0x00000000005C6000-memory.dmp

Filesize
1.8MB

Download
memory/4472-89-0x0000000000400000-0x00000000005C6000-memory.dmp

Filesize
1.8MB

Download
memory/4472-117-0x0000000000400000-0x00000000005C6000-memory.dmp

Filesize
1.8MB

Download
memory/4472-96-0x0000000000400000-0x00000000005C6000-memory.dmp

Filesize
1.8MB

Download
memory/4472-99-0x0000000000400000-0x00000000005C6000-memory.dmp

Filesize
1.8MB

Download
memory/4472-114-0x0000000000400000-0x00000000005C6000-memory.dmp

Filesize
1.8MB

Download
memory/4472-105-0x0000000000400000-0x00000000005C6000-memory.dmp

Filesize
1.8MB

Download
memory/4472-108-0x0000000000400000-0x00000000005C6000-memory.dmp

Filesize
1.8MB

Download
memory/4472-111-0x0000000000400000-0x00000000005C6000-memory.dmp

Filesize
1.8MB

Download
memory/4964-0-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4964-71-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4964-2-0x0000000000401000-0x000000000040B000-memory.dmp

Filesize
40KB

Download
memory/5688-60-0x0000000000400000-0x00000000005C6000-memory.dmp

Filesize
1.8MB

Download
memory/5688-65-0x0000000000400000-0x00000000005C6000-memory.dmp

Filesize
1.8MB

Download
memory/5688-59-0x0000000000400000-0x00000000005C6000-memory.dmp

Filesize
1.8MB

Download
memory/5688-63-0x0000000000400000-0x00000000005C6000-memory.dmp

Filesize
1.8MB

Download

Analysis

Sharing