MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 05135a36e3f36578a55ec1a8d0e3628a4f8912bf3c65f865cf793b58db27f357. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SystemBC


Vendor detections: 14


Intelligence 14 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 05135a36e3f36578a55ec1a8d0e3628a4f8912bf3c65f865cf793b58db27f357
SHA3-384 hash: 21b4163f7baca5e242d5f1fbcfd4a9967ea235c136dfb8bd64b28b47f298a69112e7a11b650c8d1f5e536d12e13f9905
SHA1 hash: ee0b1d0fe9fb24ccff75c934d5988fb0d2ff1a92
MD5 hash: ec7154a50488ecfd5936b6fd10e0a8e3
humanhash: lemon-floor-pip-mississippi
File name:ec7154a50488ecfd5936b6fd10e0a8e3
Download: download sample
Signature SystemBC
Create hunting rule
File size:7'168 bytes
First seen:2024-05-02 13:48:01 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash a7f2be9d198a373f121c5bf0d47787e0 (1 x SystemBC)
ssdeep 96:1y1jUdvqRWXKB1Jww9uKT2MjQcHnjKVOIw+6dT8CKB8tBkLOq:gtKSREKB1aFKjKVV8ToUBk
Threatray 5 similar samples on MalwareBazaar
TLSH T116E1851B7A928075E7034ABA3D4F1390AAFFA5735274901D9BB24ED0F631DABCB0D109
TrID 27.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
20.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
18.6% (.EXE) Win32 Executable (generic) (4504/4/1)
8.5% (.ICL) Windows Icons Library (generic) (2059/9)
8.3% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter zbetcheckin
Tags:32 exe SystemBC

Intelligence

File Origin
# of uploads :
1
# of downloads :
371
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
systembc
Create hunting rule
ID:
1
File name:
05135a36e3f36578a55ec1a8d0e3628a4f8912bf3c65f865cf793b58db27f357.exe
Verdict:
Malicious activity
Analysis date:
2024-05-02 13:50:26 UTC
Tags:
botnet systembc proxy
Link:
https://app.any.run/tasks/3a1453f0-a351-4397-86fb-fc6baa4ad0f5

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.BackDoor.Coroxy.23.30935.14510.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a TCP request to an infection source
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Connection attempt to an infection source
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
coroxy
Link:
https://www.filescan.io/uploads/66339997de9c2e310308bb29/reports/b8993257-6fcb-47e0-9479-ddb60777c4ea/overview
Verdict:
Malicious
Labled as:
Fragtor.Generic
Link:
https://www.hybrid-analysis.com/sample/05135a36e3f36578a55ec1a8d0e3628a4f8912bf3c65f865cf793b58db27f357
Malware family:
SystemBC
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/a8d422e6-bd64-4281-b482-1062ad616d3c
Result
Threat name:
n/a
Detection:
malicious
Classification:
n/a
Score:
60 / 100
Link:
https://www.joesandbox.com/analysis/1435363
Signature
Creates autostart registry keys with suspicious values (likely registry only malware)
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Suspicious powershell command line found
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1435363 Sample: KhbShPK91I.exe Startdate: 02/05/2024 Architecture: WINDOWS Score: 60 37 Multi AV Scanner detection for submitted file 2->37 39 Suspicious powershell command line found 2->39 41 Machine Learning detection for sample 2->41 6 KhbShPK91I.exe 1 2->6         started        10 chrome.exe 9 2->10         started        12 powershell.exe 11 2->12         started        14 powershell.exe 12 2->14         started        process3 dnsIp4 29 193.233.132.56, 4341, 49705, 49722 FREE-NET-ASFREEnetEU Russian Federation 6->29 43 Creates autostart registry keys with suspicious values (likely registry only malware) 6->43 31 192.168.2.5, 4341, 443, 49703 unknown unknown 10->31 33 192.168.2.7 unknown unknown 10->33 35 239.255.255.250 unknown Reserved 10->35 16 chrome.exe 10->16         started        19 conhost.exe 12->19         started        21 KhbShPK91I.exe 12->21         started        23 conhost.exe 14->23         started        25 KhbShPK91I.exe 14->25         started        signatures5 process6 dnsIp7 27 www.google.com 142.251.40.196, 443, 49709, 49710 GOOGLEUS United States 16->27
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/05135a36e3f36578a55ec1a8d0e3628a4f8912bf3c65f865cf793b58db27f357
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/05135a36e3f36578a55ec1a8d0e3628a4f8912bf3c65f865cf793b58db27f357/
Threat name:
Win32.Trojan.Multiverze
Create hunting rule
Status:
Malicious
First seen:
2024-05-02 02:16:11 UTC
File Type:
PE (Exe)
AV detection:
19 of 23 (82.61%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=aujvunxd6nsxrjk6ygunby3crjhysev7hrs7qzoppe5vrwzh6nlq._file
Verdict:
malicious
Similar samples:
05135a36e3f36578a55ec1a8d0e3628a4f8912bf3c65f865cf793b58db27f357
SystemBC
08cb1432c512df0370577dc50549ad06f729858143017fe00f79fcb218872d01
SystemBC
5fe211041b58d0588133f7d7dde18867cfc77dd1d87c5af1222edc91ac882665
SystemBC
97137acedba1ac921b69cc15d65e9c67edc13757f28874129744926c17c0230c
SystemBC
Result
Malware family:
systembc
Create hunting rule
Score:
  10/10
Tags:
family:systembc persistence
Link:
https://tria.ge/reports/240502-q35jwscc45/
Behaviour
Adds Run key to start application
Malware Config
C2 Extraction:
193.233.132.56:4341
193.233.132.139:4341
Unpacked files
SH256 hash:
05135a36e3f36578a55ec1a8d0e3628a4f8912bf3c65f865cf793b58db27f357
MD5 hash:
ec7154a50488ecfd5936b6fd10e0a8e3
SHA1 hash:
ee0b1d0fe9fb24ccff75c934d5988fb0d2ff1a92
Link:
https://www.unpac.me/results/e63423b2-e086-419f-9e3d-373b8124bf31/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Trojan
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/05135a36e3f36578a55ec1a8d0e3628a4f8912bf3c65f865cf793b58db27f357

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

SystemBC

Executable exe 05135a36e3f36578a55ec1a8d0e3628a4f8912bf3c65f865cf793b58db27f357

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2835537/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_NXMissing Non-Executable Memory Protectioncritical
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh
Reviews
IDCapabilitiesEvidence
WIN32_PROCESS_APICan Create Process and Threadskernel32.dll::CloseHandle
kernel32.dll::CreateThread
WIN_BASE_APIUses Win Base APIkernel32.dll::GetVolumeInformationA
WIN_REG_APICan Manipulate Windows Registryadvapi32.dll::RegCreateKeyExA
advapi32.dll::RegSetValueExA
WIN_SOCK_APIUses Network to send and receive dataws2_32.dll::freeaddrinfo
ws2_32.dll::getaddrinfo
ws2_32.dll::WSAIoctl

Comments


Avatar
zbet commented on 2024-05-02 13:48:02 UTC

url : hxxp://193.233.132.56/cost/sok.exe