MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0f4bef20f214d4f9b6a5f189201ee69ca330a91accbd8253a15676d86b1aa4c2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SystemBC


Vendor detections: 9


Intelligence 9 IOCs YARA 1 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0f4bef20f214d4f9b6a5f189201ee69ca330a91accbd8253a15676d86b1aa4c2
SHA3-384 hash: 7c524ccf777ede1e97a7e7da59d933cd14f6a6434c1406f3e62560ddfe8eb73ccaee925b04d62fb8bfc481fc90ff9298
SHA1 hash: 464e836bcb524ee35fd3aa2c4f172ca91c487f70
MD5 hash: 11decf56a91f4ea86c6e6143c0aefbea
humanhash: equal-dakota-magnesium-foxtrot
File name:11decf56a91f4ea86c6e6143c0aefbea
Download: download sample
Signature SystemBC
Create hunting rule
File size:1'437'840 bytes
First seen:2022-12-04 05:15:27 UTC
Last seen:2022-12-04 06:27:25 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 5ce034b939c6145516baadcd9b5d3871 (2 x RedLineStealer, 1 x SystemBC, 1 x ArkeiStealer)
ssdeep 24576:/1SRBEnakCK/z039wsIH5FOvQ2M9wiXjU14eU7WcGbCxKXVGuZO2:UjpkCC0twsIZFO4t9/Fe3FWkXVNO2
Threatray 7'203 similar samples on MalwareBazaar
TLSH T19365125CA7F2E536E08702711268B7B196F87D314BDBE24367847A661B783F84A71383
TrID 40.3% (.EXE) Win64 Executable (generic) (10523/12/4)
19.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
17.2% (.EXE) Win32 Executable (generic) (4505/5/1)
7.7% (.EXE) OS/2 Executable (generic) (2029/13)
7.6% (.EXE) Generic Win/DOS Executable (2002/3)
File icon (PE):PE icon
dhash icon 71f8dca4acdcf871 (2 x SystemBC, 2 x RedLineStealer)
Reporter zbetcheckin
Tags:32 exe signed SystemBC

Code Signing Certificate

Organisation:*.sartle.com
Issuer:Go Daddy Secure Certificate Authority - G2
Algorithm:sha256WithRSAEncryption
Valid from:2022-02-21T05:30:29Z
Valid to:2023-03-25T05:30:29Z
Serial number: 4c49eeed4561ba2b
Intelligence: 12 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:SHA256
Thumbprint: 3f76b6e1222bf0e3c08f377a242425f8509fc2907b6255c2588c18c8ebb11944
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
2
# of downloads :
198
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
11decf56a91f4ea86c6e6143c0aefbea
Verdict:
Malicious activity
Analysis date:
2022-12-04 05:18:09 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/14d7192b-f418-41d0-97ce-bbdfb42610f9

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/342439/
Detection(s):
SecuriteInfo.com.Win32.CrypterX-gen.3177.19742.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Creating a window
DNS request
Creating a file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware overlay packed
Link:
https://www.filescan.io/uploads/638c2d27f6e448d42df73303/reports/8745ba11-9425-4b1b-a74b-ef38da2b9e92/overview
Result
Verdict:
SUSPICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/a8bf6fe7-4323-40ab-8ed3-38b44f657482
Result
Threat name:
RedLine, SystemBC
Create hunting rule
Detection:
malicious
Classification:
troj.evad.spyw
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1127321
Signature
Allocates memory in foreign processes
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Self deletion via cmd or bat file
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses ping.exe to check the status of other devices and networks
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected RedLine Stealer
Yara detected SystemBC
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 760045 Sample: NhqwPW3V4T.exe Startdate: 04/12/2022 Architecture: WINDOWS Score: 100 47 xlsltz1mriaadriihye4txa74jgrmet.vfz7cyrgwzthlu 2->47 49 www.sealicensing.com 2->49 51 2 other IPs or domains 2->51 73 Snort IDS alert for network traffic 2->73 75 Malicious sample detected (through community Yara rule) 2->75 77 Antivirus detection for URL or domain 2->77 79 8 other signatures 2->79 8 NhqwPW3V4T.exe 10 2->8         started        12 Wib cowa nedecok noqu leteri yahovab gohe lacibape.exe 12 2->12         started        signatures3 process4 file5 41 Wib cowa nedecok n...b gohe lacibape.exe, PE32 8->41 dropped 43 Wib cowa nedecok n...exe:Zone.Identifier, ASCII 8->43 dropped 81 Self deletion via cmd or bat file 8->81 83 Uses schtasks.exe or at.exe to add and modify task schedules 8->83 14 Wib cowa nedecok noqu leteri yahovab gohe lacibape.exe 17 8->14         started        19 cmd.exe 1 8->19         started        21 schtasks.exe 1 8->21         started        85 Writes to foreign memory regions 12->85 87 Allocates memory in foreign processes 12->87 89 Injects a PE file into a foreign processes 12->89 23 fontview.exe 2 12->23         started        25 ngentask.exe 12->25         started        signatures6 process7 dnsIp8 59 sealicensing.com 198.23.62.100, 443, 49854, 49855 STEADFASTUS United States 14->59 45 C:\Users\user\AppData\Local\...\advapi32.dll, PE32 14->45 dropped 61 Writes to foreign memory regions 14->61 63 Allocates memory in foreign processes 14->63 65 Injects a PE file into a foreign processes 14->65 27 fontview.exe 15 5 14->27         started        31 ngentask.exe 14->31         started        67 Uses ping.exe to check the status of other devices and networks 19->67 33 PING.EXE 1 19->33         started        35 conhost.exe 19->35         started        37 chcp.com 1 19->37         started        39 conhost.exe 21->39         started        69 Tries to harvest and steal browser information (history, passwords, etc) 23->69 71 Tries to steal Crypto Currency Wallets 23->71 file9 signatures10 process11 dnsIp12 53 109.206.243.58, 49859, 49860, 81 AWMLTNL Germany 27->53 91 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 27->91 93 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 27->93 55 89.22.236.225, 4193, 49857, 49858 INETLTDTR Russian Federation 31->55 57 127.0.0.1 unknown unknown 33->57 signatures13
Gathering data
Threat name:
Win32.Backdoor.Systembc
Create hunting rule
Status:
Malicious
First seen:
2022-12-04 01:57:34 UTC
File Type:
PE (Exe)
Extracted files:
28
AV detection:
15 of 26 (57.69%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=b5f66ihsctkptnvf6gesahxgtsrtbki2zs6yeu5bkz3nq2y2utba._file
Verdict:
unknown
Similar samples:
1dba6c2eac5a66888ace7afc220555ef5e5473144907ac791951121bf69bbc56
SystemBC
1fc21092d07c3282874666c87ee38a4e8208d914fcc464de48ce16d7d99cff90
SystemBC
4a050efd33ee11894f0345c5d051d9584c7402c0da2ffc65e63a087c2c3403c6
SystemBC
4b3b8c9037168a82409fbe027ecf77ba5b1b9262960b07dde8e15acfb1e3a5df
SystemBC
a292516f372faa805520fe555f7b63ef08a9317bb04697b58c356a6bb12908f2
SystemBC
b0a8c058c8b913e2f67b40e4606c5dd913c858854f3dd77f7e82a4066ecc293d
SystemBC
cb5e0fe4cb4e9950b51042471b67b3bf9f8dcba4f201b1053ba69cb1ac9b54b2
SystemBC
d0f04ffd3bcc777fb35f20205e6b8f599a5ac4e9287d321d08190e4cc2dc97c9
SystemBC
+ 7'193 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/221204-fyb2nseb4y/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/b7469cda-dac3-43fe-8de7-d3d5210232d3
Unpacked files
SH256 hash:
ba58c0264475763b81dc1e164927eeb910832eb37492e9ba5afdda1eb6fed216
MD5 hash:
39a92bd2aa10269a697d83a62d229d3b
SHA1 hash:
82b7765c6030bf0e9e933cd9b494ced939085c8f
Link:
https://www.unpac.me/results/cdba5025-cd12-47e6-93ff-870e495d5988/
SH256 hash:
0f4bef20f214d4f9b6a5f189201ee69ca330a91accbd8253a15676d86b1aa4c2
MD5 hash:
11decf56a91f4ea86c6e6143c0aefbea
SHA1 hash:
464e836bcb524ee35fd3aa2c4f172ca91c487f70
Link:
https://www.unpac.me/results/cdba5025-cd12-47e6-93ff-870e495d5988/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/0f4bef20f214d4f9b6a5f189201ee69ca330a91accbd8253a15676d86b1aa4c2

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

SystemBC

Executable exe 0f4bef20f214d4f9b6a5f189201ee69ca330a91accbd8253a15676d86b1aa4c2

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2440637/
  
URLhaus
https://urlhaus.abuse.ch/url/2443525/
Cape
Cape
https://www.capesandbox.com/analysis/342439/

Comments


Avatar
zbet commented on 2022-12-04 05:15:34 UTC

url : hxxp://mrfreeman.xyz/DgxuGixWrsAdtx/wevtutil.exe