MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 040aa152e739826874a268f4ffb8be80dd256e7817cdb2c25329d25a5264671e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SystemBC


Vendor detections: 12


Intelligence 12 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 040aa152e739826874a268f4ffb8be80dd256e7817cdb2c25329d25a5264671e
SHA3-384 hash: b6e320556b2bf04b3afac26b3accb1dfe36a099dbe7b4f8b9df67851098bd9d236205b1b969c54f0081ba1f0936b919e
SHA1 hash: af506733441826dbd789c972a2d627038c0c80af
MD5 hash: cd48383befb4dce49fb855d64f500ca1
humanhash: sixteen-diet-fillet-rugby
File name:cd48383befb4dce49fb855d64f500ca1.exe
Download: download sample
Signature SystemBC
Create hunting rule
File size:1'288'416 bytes
First seen:2022-11-16 18:09:20 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 310638d36ec921f029e67a7144e7c280 (2 x ArkeiStealer, 2 x Smoke Loader, 2 x LgoogLoader)
ssdeep 24576:jolGO8/6YpXCGf+SK/ftRnMh9+bTLWdaVom4v7FF:j0GL6YpZmSat5LWdNhF
TLSH T1605501FEE3D3196ED29653B35514E27288A5F5ECE0BD888BEE4C37A31E31A8C0855345
TrID 48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
16.4% (.EXE) Win64 Executable (generic) (10523/12/4)
10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon dcf2f0dcdcf2f2dc (1 x ArkeiStealer, 1 x SystemBC, 1 x AsyncRAT)
Reporter abuse_ch
Tags:exe signed SystemBC

Code Signing Certificate

Organisation:bustling В©inc.
Issuer:bustling В©inc.
Algorithm:sha256WithRSAEncryption
Valid from:2022-11-16T09:18:51Z
Valid to:2023-11-16T09:38:51Z
Serial number: 6d06c7704c448f8a4b5ae8dde9265ded
Thumbprint Algorithm:SHA256
Thumbprint: 6d502310b8de6dfc75b3fa09f7cf44e3383fb62ade37d4716eaeca403e1e3189
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
1
# of downloads :
209
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
cd48383befb4dce49fb855d64f500ca1.exe
Verdict:
Malicious activity
Analysis date:
2022-11-16 18:10:36 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/f0bc0c0a-7c26-457e-b23b-f5a274ca7997

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/335008/
Detection(s):
SecuriteInfo.com.W32.Kryptik.HRAO.tr.15392.2902.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Searching for the window
DNS request
Sending a custom TCP request
Creating a file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
75%
Tags:
greyware overlay packed
Link:
https://www.filescan.io/uploads/63752784f75d59fef0b9984d/reports/010548a0-8328-4e95-8d15-cbc008e58f92/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Mustang Panda
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/bfbf214a-eb5e-4a2b-ac52-9c036269a469
Result
Threat name:
SystemBC, Vidar
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1115138
Signature
Allocates memory in foreign processes
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Detected unpacking (creates a PE file in dynamic memory)
Drops PE files with benign system names
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Self deletion via cmd or bat file
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses ping.exe to check the status of other devices and networks
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected SystemBC
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 747838 Sample: gzEQevBvkb.exe Startdate: 16/11/2022 Architecture: WINDOWS Score: 100 70 www.imarket-eg.com 2->70 72 w8khzw03nc.xzxueyg2t 2->72 74 3 other IPs or domains 2->74 92 Malicious sample detected (through community Yara rule) 2->92 94 Multi AV Scanner detection for dropped file 2->94 96 Multi AV Scanner detection for submitted file 2->96 98 7 other signatures 2->98 10 gzEQevBvkb.exe 10 2->10         started        14 fofew gequa botovib moca loja faromemo sow nexonide hete.exe 16 2->14         started        signatures3 process4 file5 56 fofew gequa botovi...w nexonide hete.exe, PE32 10->56 dropped 58 fofew gequa botovi...exe:Zone.Identifier, ASCII 10->58 dropped 100 Self deletion via cmd or bat file 10->100 102 Uses schtasks.exe or at.exe to add and modify task schedules 10->102 16 fofew gequa botovib moca loja faromemo sow nexonide hete.exe 18 10->16         started        21 cmd.exe 1 10->21         started        23 schtasks.exe 1 10->23         started        104 Writes to foreign memory regions 14->104 106 Allocates memory in foreign processes 14->106 108 Injects a PE file into a foreign processes 14->108 25 ngentask.exe 14->25         started        signatures6 process7 dnsIp8 68 imarket-eg.com 160.153.50.70, 443, 49935, 49936 AS-26496-GO-DADDY-COM-LLCUS United States 16->68 48 C:\Users\user\AppData\Local\...\svchost.exe, PE32 16->48 dropped 50 C:\Users\user\AppData\Local\...\advapi32.dll, PE32 16->50 dropped 52 C:\Users\user\AppData\...\library[1].bin, PE32 16->52 dropped 54 C:\Users\user\AppData\...\resource[1].bin, PE32 16->54 dropped 84 Writes to foreign memory regions 16->84 86 Allocates memory in foreign processes 16->86 88 Injects a PE file into a foreign processes 16->88 27 svchost.exe 30 16->27         started        32 ngentask.exe 16->32         started        90 Uses ping.exe to check the status of other devices and networks 21->90 34 PING.EXE 1 21->34         started        36 conhost.exe 21->36         started        38 chcp.com 1 21->38         started        40 conhost.exe 23->40         started        file9 signatures10 process11 dnsIp12 76 116.202.3.228, 49943, 80 HETZNER-ASDE Germany 27->76 78 t.me 149.154.167.99, 443, 49942 TELEGRAMRU United Kingdom 27->78 60 C:\ProgramData\softokn3.dll, PE32 27->60 dropped 62 C:\ProgramData\nss3.dll, PE32 27->62 dropped 64 C:\ProgramData\mozglue.dll, PE32 27->64 dropped 66 3 other files (1 malicious) 27->66 dropped 110 Antivirus detection for dropped file 27->110 112 System process connects to network (likely due to code injection or exploit) 27->112 114 Detected unpacking (creates a PE file in dynamic memory) 27->114 116 4 other signatures 27->116 42 cmd.exe 1 27->42         started        80 89.22.225.242, 4193, 49940, 49941 INETLTDTR Russian Federation 32->80 82 127.0.0.1 unknown unknown 34->82 file13 signatures14 process15 process16 44 conhost.exe 42->44         started        46 timeout.exe 1 42->46         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/040aa152e739826874a268f4ffb8be80dd256e7817cdb2c25329d25a5264671e/
Threat name:
Win32.Backdoor.Systembc
Create hunting rule
Status:
Malicious
First seen:
2022-11-16 13:17:17 UTC
File Type:
PE (Exe)
Extracted files:
27
AV detection:
23 of 40 (57.50%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=aqfkcuxhhgbgq5fcnd2p7of6qdosk3tyc7g3fqstfhjfuutem4pa._file
Verdict:
malicious
Result
Malware family:
systembc
Create hunting rule
Score:
  10/10
Tags:
family:systembc trojan
Link:
https://tria.ge/reports/221116-wr35kscc65/
Behaviour
Creates scheduled task(s)
Modifies system certificate store
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Deletes itself
Loads dropped DLL
Downloads MZ/PE file
Executes dropped EXE
Suspicious use of NtCreateUserProcessOtherParentProcess
SystemBC
Malware Config
C2 Extraction:
89.22.225.242:4193
195.2.93.22:4193
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/7216b559-a325-4a30-b51c-4965d8b557f4
Unpacked files
SH256 hash:
7826b01ed774dd9f24f016df9871bb4ed96a1ce92d4e0595f6a0f494533e609e
MD5 hash:
c2eb0d2e58b95582ab0a20156520d6a7
SHA1 hash:
b56597c87f894f050f5370a41e144cc7859ca3a6
Link:
https://www.unpac.me/results/9c585b8b-1b3a-4631-a7e2-efd427008b5f/
SH256 hash:
040aa152e739826874a268f4ffb8be80dd256e7817cdb2c25329d25a5264671e
MD5 hash:
cd48383befb4dce49fb855d64f500ca1
SHA1 hash:
af506733441826dbd789c972a2d627038c0c80af
Link:
https://www.unpac.me/results/9c585b8b-1b3a-4631-a7e2-efd427008b5f/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/040aa152e739826874a268f4ffb8be80dd256e7817cdb2c25329d25a5264671e

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

SystemBC

Executable exe 040aa152e739826874a268f4ffb8be80dd256e7817cdb2c25329d25a5264671e

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/335008/
  
URLhaus
https://urlhaus.abuse.ch/url/2414298/
  
Delivery method
Distributed via web download

Comments