MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 048ff2c2d619d58ace213fe63487b76681ce386c0f234a04f1db5b36e96bf323. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SystemBC

Vendor detections: 12

Intelligence 12 IOCs 2 YARA 3 File information Comments

SHA256 hash:	048ff2c2d619d58ace213fe63487b76681ce386c0f234a04f1db5b36e96bf323
SHA3-384 hash:	5f04d8080f68d2e46199e874e5a901033219b4fdd01be86e290e25c3665e498aaf21c192f9bb01ae2dd3b09e949828e5
SHA1 hash:	3dcd55f83f2daa5a98864cd8a309fdeac86d0076
MD5 hash:	522e941914f03a2a4192e63867a63cc1
humanhash:	comet-glucose-lima-beryllium
File name:	522e941914f03a2a4192e63867a63cc1.exe
Download:	download sample
Signature	SystemBC Create hunting rule
File size:	175'616 bytes
First seen:	2022-08-04 03:35:38 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	3163d33b82cd41e2297204b52c1b86ec (1 x RedLineStealer, 1 x SystemBC)
ssdeep	3072:weLaX4BVLrmvpfSMk/rghk77ricmJHK4vZb7wD3u69XAyh0c7:LLaX4BVqVS5/rghjcmk4vSDebyy
Threatray	116 similar samples on MalwareBazaar
TLSH	T14104CF2277A1D832E4E75E30847087B25A3ABC626B74458B7B74F32E1E302D06A79757
TrID	48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 16.4% (.EXE) Win64 Executable (generic) (10523/12/4) 10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.8% (.EXE) Win16 NE executable (generic) (5038/12/1) 7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	38b078cccacccc43 (123 x Smoke Loader, 83 x Stop, 63 x RedLineStealer)
Reporter	abuse_ch
Tags:	exe SystemBC

abuse_ch

SystemBC C2:
http://5.253.19.61/

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
http://5.253.19.61/	https://threatfox.abuse.ch/ioc/841344/
193.106.191.168:4244	https://threatfox.abuse.ch/ioc/841345/

Intelligence

File Origin

# of uploads :

# of downloads :

336

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

522e941914f03a2a4192e63867a63cc1.exe

Verdict:

Malicious activity

Analysis date:

2022-08-04 03:36:50 UTC

Tags:

loader

Link:

https://app.any.run/tasks/d218fff5-76fe-4fd2-929b-eff022a6b33a

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/296351/

Detection(s):

Win.Malware.Pwsx-9958630-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Сreating synchronization primitives

Launching the default Windows debugger (dwwin.exe)

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

greyware packed

Link:

https://www.filescan.io/uploads/62eb3f1e6336465f2a0d36df/reports/e772ace7-5f12-4436-94c8-d85948545c8a/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Raccoon Stealer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/5a8fc086-a9ad-4cab-bbcd-4966038984d7

Result

Threat name:

Raccoon Stealer v2

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1046044

Signature

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Yara detected Raccoon Stealer v2

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/048ff2c2d619d58ace213fe63487b76681ce386c0f234a04f1db5b36e96bf323/

Threat name:

Win32.Trojan.MintZard

Status:

Malicious

First seen:

2022-07-28 07:33:46 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

34 of 41 (82.93%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=ash7fqwwdhkyvtrbh7tdjb5xm2a44odmb4ruubhr3nntn2ll6mrq._file

Verdict:

malicious

SystemBC

287dc092e02a5c76b02c4142357f6a4a5c9a420430b616a1d14dfe0266875ecd

SystemBC

4ef70b979f1256128e03458bca91eb840c141ca488d40249a79a7f5b41bb9115

SystemBC

a880ebe9be4e9888ac2faa331c390b5d477fc828bf2e677e003d3adf74f4e9ec

SystemBC

b91e7fd40c84298ad53bae03f61d45d9e8ea323c6fecded7a4b98f53ebf36110

SystemBC

c84144dfbfc61aeea4cbaf014690a98fe1a55d863a5d4aa7786efc30613b7fe7

SystemBC

dfb7179c51b9565674e2561a4e703d90bc0e226173b7300f8a75cc825a67ac80

SystemBC

e733cbcaee33c4e99d99f2a3b82e2530e10dac7106edfaea681a98abb04f92b6

SystemBC

e7924441cf355557372d5d058eeb30341f9bb4be80f54449ea66b288d183b928

SystemBC

+ 106 additional samples on MalwareBazaar

Result

Malware family:

raccoon

Score:

10/10

Tags:

family:raccoon botnet:0df3708d0f188d4791747b54c0e40631 stealer

Link:

https://tria.ge/reports/220804-d5w93sbebl/

Behaviour

Program crash

Raccoon

Raccoon Stealer payload

Malware Config

C2 Extraction:

http://5.253.19.61
http://5.253.19.133

Unpacked files

SH256 hash:

1300608302a9c99efab3a6f10b12b35c02661b21f08830839cf385efdc555d9c

MD5 hash:

80a58686be449db55f460f44ac31cd63

SHA1 hash:

ff416f5d0296908d3884c007adb902a17e1145bd

Link:

https://www.unpac.me/results/404f026e-8108-4afb-b244-91e8bf66400f/

SH256 hash:

048ff2c2d619d58ace213fe63487b76681ce386c0f234a04f1db5b36e96bf323

MD5 hash:

522e941914f03a2a4192e63867a63cc1

SHA1 hash:

3dcd55f83f2daa5a98864cd8a309fdeac86d0076

Link:

https://www.unpac.me/results/404f026e-8108-4afb-b244-91e8bf66400f/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/048ff2c2d619d58ace213fe63487b76681ce386c0f234a04f1db5b36e96bf323

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore Create hunting rule
Author:	ditekSHen
Description:	Detects executables containing SQL queries to confidential data stores. Observed in infostealers

Rule name:	pdb_YARAify Create hunting rule
Author:	@wowabiy314
Description:	PDB

Rule name:	RaccoonV2 Create hunting rule
Author:	@_FirehaK <yara@firehak.com>
Description:	This rule detects Raccoon Stealer version 2.0 (called Recordbreaker before attribution). It has been spotted spreading through fake software cracks and keygens as far back as April 2022.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/296351/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample