MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0a0459d9427b37f9dd4f9c35d0e4ffacec8a524591b58f5047b9543c65ecc203. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SystemBC


Vendor detections: 14


Intelligence 14 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0a0459d9427b37f9dd4f9c35d0e4ffacec8a524591b58f5047b9543c65ecc203
SHA3-384 hash: d56d86fe54bf99d3147596aaebd046a54333e0e0995c44f91ebe8252e61e567b1e27770dd13cb732817d4cb84873d214
SHA1 hash: 88aa798e432a96967759571b3363827b261573a0
MD5 hash: 20878a60ab358f3ce3f3f15245ff85ee
humanhash: lima-helium-mike-thirteen
File name:20878a60ab358f3ce3f3f15245ff85ee
Download: download sample
Signature SystemBC
Create hunting rule
File size:4'427'776 bytes
First seen:2024-06-13 05:34:55 UTC
Last seen:2024-06-13 06:21:56 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'452 x Formbook, 12'201 x SnakeKeylogger)
ssdeep 24576:HHPePgIIJkIfv5gDowz2WWjEpJcvh+seQvc6Dybf0s1aHngP+KfN4ZKhEg7ZVz6q:
Threatray 1'856 similar samples on MalwareBazaar
TLSH T13F2619F4A1EB85D1F90BDDC469A8BE96023230B3CDC50C25632D7A084FFA9593A49D5F
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter zbetcheckin
Tags:32 exe SystemBC

Intelligence

File Origin
# of uploads :
2
# of downloads :
370
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
0a0459d9427b37f9dd4f9c35d0e4ffacec8a524591b58f5047b9543c65ecc203.exe
Verdict:
Malicious activity
Analysis date:
2024-06-13 05:37:11 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/3d37cbc8-8466-4086-99a3-6959f2d0b149

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.PUA.EmbeddedEXE-1.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
90.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=666a8538da262547655ec0d6win7simulatehigh_evasion
Tags:
Generic Msil
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %AppData% directory
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a process with a hidden window
Creating a file
Creating a window
Creating a process from a recently created file
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Enabling autorun by creating a file
Verdict:
Malicious
Labled as:
Trojan.GenericS
Link:
https://www.hybrid-analysis.com/sample/0a0459d9427b37f9dd4f9c35d0e4ffacec8a524591b58f5047b9543c65ecc203
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
SystemBC
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/8e62bb1f-75d3-4ce3-86a9-10917294aa72
Result
Threat name:
PureLog Stealer, SystemBC
Create hunting rule
Detection:
malicious
Classification:
spre.troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1456360
Signature
.NET source code contains potential unpacker
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found malware configuration
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Send many emails (e-Mail Spam)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Tries to resolve many domain names, but no domain seems valid
Yara detected AntiVM3
Yara detected Costura Assembly Loader
Yara detected PureLog Stealer
Yara detected SystemBC
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1456360 Sample: TL6bE5Uq4y.exe Startdate: 13/06/2024 Architecture: WINDOWS Score: 100 41 ya.com 2->41 43 pec.it 2->43 45 426 other IPs or domains 2->45 53 Multi AV Scanner detection for domain / URL 2->53 55 Found malware configuration 2->55 57 Multi AV Scanner detection for dropped file 2->57 59 12 other signatures 2->59 7 TL6bE5Uq4y.exe 1 5 2->7         started        11 Erddbfj.exe 3 2->11         started        13 atebcv.exe 3 2->13         started        15 2 other processes 2->15 signatures3 process4 file5 35 C:\Users\user\AppData\Roamingrddbfj.exe, PE32 7->35 dropped 37 C:\Users\user\...rddbfj.exe:Zone.Identifier, ASCII 7->37 dropped 39 C:\Users\user\AppData\...\TL6bE5Uq4y.exe.log, ASCII 7->39 dropped 61 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 7->61 63 Tries to detect virtualization through RDTSC time measurements 7->63 17 TL6bE5Uq4y.exe 4 7->17         started        65 Multi AV Scanner detection for dropped file 11->65 67 Machine Learning detection for dropped file 11->67 20 Erddbfj.exe 11->20         started        22 atebcv.exe 13->22         started        25 Erddbfj.exe 15->25         started        signatures6 process7 dnsIp8 27 C:\ProgramData\lcsxp\atebcv.exe, PE32 17->27 dropped 29 C:\ProgramData\...\atebcv.exe:Zone.Identifier, ASCII 17->29 dropped 31 C:\ProgramData\vjejxvf\ohjwtp.exe, PE32 20->31 dropped 33 C:\ProgramData\...\ohjwtp.exe:Zone.Identifier, ASCII 20->33 dropped 47 claywyaeropumps.com 185.43.220.45, 4000, 49679, 49680 WIBO-ASLT Lithuania 22->47 49 69.7.80.87, 49193, 587 WCENTRALNUS United States 22->49 51 110 other IPs or domains 22->51 file9
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/0a0459d9427b37f9dd4f9c35d0e4ffacec8a524591b58f5047b9543c65ecc203
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0a0459d9427b37f9dd4f9c35d0e4ffacec8a524591b58f5047b9543c65ecc203/
Threat name:
ByteCode-MSIL.Trojan.Injuke
Create hunting rule
Status:
Malicious
First seen:
2024-06-09 18:31:26 UTC
File Type:
PE (.Net Exe)
Extracted files:
3
AV detection:
29 of 38 (76.32%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=bicftwkcpm37txkptq25bzh7vtwiuusfsg2y6uchxfkdyzpmyibq._file
Verdict:
malicious
Similar samples:
2a497d868db198a4c655016c3d9c1dacdd810e2aef8d8f15bf2051e15945e09d
SystemBC
31379f69c7607eb6dbbd2971652840fe8264f1a1dc00f08a564908efead38689
SystemBC
46d173aae9169713594b60432c48e12d02cbaf815a3a86531275a6712a82fab6
SystemBC
aeeafd1474a87877c7de2e5e1c0b8a249d84db170c44411531d77fc5c9c7d258
SystemBC
c1b13b5d0cfc0ecb0d05f8d95ccb316804135fc89d2ee7f9b87fa3f1dc86f155
SystemBC
cf9aee9be42a9a9b88268906e8751200b84e727e39953ab0e1da4ec590db695e
SystemBC
+ 1'846 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
persistence
Link:
https://tria.ge/reports/240613-f91jeazcpr/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Drops file in Windows directory
Suspicious use of SetThreadContext
Adds Run key to start application
Executes dropped EXE
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/c0c45b6d-f246-417c-8f89-8749a2e59aad
Unpacked files
SH256 hash:
b63a0e5f93b26ad0eeb9efba66691f3b7e7f51e93a2f0098bde43833f7a24cc2
MD5 hash:
e7d405eec8052898f4d2b0440a6b72c9
SHA1 hash:
58cf7bfcec81faf744682f9479b905feed8e6e68
Detections:
SystemBC
Create hunting rule
win_systembc_auto
Create hunting rule
win_systembc_g1
Create hunting rule
Link:
https://www.unpac.me/results/10c8319c-5529-403b-b31a-dc7f15c2974a/
Parent samples :
789b70fa9df563a3023a89835ce3b9ef1329a477dbff67b3390b72db2b5b9557
aeeafd1474a87877c7de2e5e1c0b8a249d84db170c44411531d77fc5c9c7d258
cf9aee9be42a9a9b88268906e8751200b84e727e39953ab0e1da4ec590db695e
0a0459d9427b37f9dd4f9c35d0e4ffacec8a524591b58f5047b9543c65ecc203
c5018a3915e8a9de41e083f7936c2d232b9a73ba41c8c07fb7b2d90d5f5d8e8e
b63a0e5f93b26ad0eeb9efba66691f3b7e7f51e93a2f0098bde43833f7a24cc2
dc183f57a0679eb92ef393479dea0df619ddce3ff94051c84f8f1dba7de31d22
1354429a271a349329dbbfda561fe0eb43ae4005f5d3c4abdec9aef08cf23baf
145dbb397089105d6d06a861d62b48be9fd2527fb7d023b114cf05b723cd3858
SH256 hash:
19efdf03cb94895935225795f68bb9abfded1869687367013b8b4eee3cc99372
MD5 hash:
4e29f75c0c51b9dec76955f0382d9541
SHA1 hash:
4899aa8e3f57339cbaec8faab777897a76fe1c3a
Link:
https://www.unpac.me/results/10c8319c-5529-403b-b31a-dc7f15c2974a/
SH256 hash:
78f73e1734daa918b253517c75971fbb8df773a3d77d02a752e9a0ad1711a677
MD5 hash:
f9d2985aa1c41cca281321fffb5ed424
SHA1 hash:
3a7a58d2dcae2762882357ae34d372744b1dbb9d
Link:
https://www.unpac.me/results/10c8319c-5529-403b-b31a-dc7f15c2974a/
SH256 hash:
0e3f1cfd530809e124a6c7bc93c647503f404e2181e41efa64c8563b94de12c8
MD5 hash:
1fd598c4c2a08868658b1b805485fc6c
SHA1 hash:
204af627a34422b1b704c235987cffe549f96487
Link:
https://www.unpac.me/results/10c8319c-5529-403b-b31a-dc7f15c2974a/
SH256 hash:
67a8629dfcfdd2484e42bbcfbeba029fbf8f2eaab32f05a6c4c7254aeb67ee81
MD5 hash:
1ed56ac5a492e072020ab050b597f635
SHA1 hash:
043b06c0ecb036d3fbe2c6393742a9280c1e3e73
Link:
https://www.unpac.me/results/10c8319c-5529-403b-b31a-dc7f15c2974a/
SH256 hash:
0a0459d9427b37f9dd4f9c35d0e4ffacec8a524591b58f5047b9543c65ecc203
MD5 hash:
20878a60ab358f3ce3f3f15245ff85ee
SHA1 hash:
88aa798e432a96967759571b3363827b261573a0
Link:
https://www.unpac.me/results/10c8319c-5529-403b-b31a-dc7f15c2974a/
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

SystemBC

Executable exe 0a0459d9427b37f9dd4f9c35d0e4ffacec8a524591b58f5047b9543c65ecc203

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2886029/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (GUARD_CF)high

Comments


Avatar
zbet commented on 2024-06-13 05:34:56 UTC

url : hxxp://77.91.77.81/lend/realtekaft.exe