MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 19b7183a3eed215c98ce35ac4168917345ef97c104b0c5a7ea43919f094a3bc3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SystemBC


Vendor detections: 14


Intelligence 14 IOCs 1 YARA 12 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 19b7183a3eed215c98ce35ac4168917345ef97c104b0c5a7ea43919f094a3bc3
SHA3-384 hash: 9e225980dffaf9ed286c611f693368746290970d718a6c40f47dcaaa6595fd684bc34ef65f70d1e4bbd43055972a2b11
SHA1 hash: ef0692e35a6d55aff3814ebe4e40fc231a24873e
MD5 hash: 457c9934ea081a6594d8f630ef5a9460
humanhash: carpet-alpha-colorado-burger
File name:19b7183a3eed215c98ce35ac4168917345ef97c104b0c.exe
Download: download sample
Signature SystemBC
Create hunting rule
File size:1'614'920 bytes
First seen:2022-10-23 07:41:58 UTC
Last seen:2022-10-23 09:05:52 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 190a1b1daf046902810c60fa939c46e7 (1 x SystemBC)
ssdeep 49152:eu6Ke6SaJJpwOoqKnM4aRKlIYqCYpP2cq0:reb4J+Oo7nhaRKOYqTOD0
Threatray 233 similar samples on MalwareBazaar
TLSH T1D4751204BFA1A87EC88B5AB528CCF33A757CEC1567421583179837A34F767E04A7A187
TrID 48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
16.4% (.EXE) Win64 Executable (generic) (10523/12/4)
10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 6484a242491c4e16 (1 x SystemBC)
Reporter abuse_ch
Tags:exe signed SystemBC

Code Signing Certificate

Organisation:*.oneroute.microsoft.com
Issuer:Microsoft Azure TLS Issuing CA 06
Algorithm:sha256WithRSAEncryption
Valid from:2022-09-15T21:32:21Z
Valid to:2023-09-10T21:32:21Z
Serial number: 330051b67a1d4ac04509ce93bf00000051b67a
Intelligence: 2 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:SHA256
Thumbprint: a811b2f5323fa3e4fddf3d2d7270f1eec6bef6737e99839f0af2cef8d08845e6
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform


Avatar
abuse_ch
SystemBC C2:
89.22.225.242:4193

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
89.22.225.242:4193 https://threatfox.abuse.ch/ioc/851923/

Intelligence

File Origin
# of uploads :
2
# of downloads :
292
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
19b7183a3eed215c98ce35ac4168917345ef97c104b0c.exe
Verdict:
Malicious activity
Analysis date:
2022-10-23 07:42:59 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/7801b3a8-aace-4e44-b448-9b3492168718

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/322892/
Detection(s):
SecuriteInfo.com.Trojan.Siggen18.62418.19710.15337.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Сreating synchronization primitives
Creating a file
Enabling autorun by creating a file
Result
Malware family:
n/a
Score:
  9/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/44637/overview
Behaviour
MalwareBazaar
MeasuringTime
SystemUptime
CPUID_Instruction
CheckCmdLine
EvasionGetTickCount
GetTempPath
EvasionQueryPerformanceCounter
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
greyware overlay packed
Link:
https://www.filescan.io/uploads/6354f04c339362a6061b4f20/reports/1f0cd2b3-40f1-4103-a3da-44a6baea5857/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/ddc89fcf-9e33-4be6-956c-2ec494f94a09
Result
Threat name:
SystemBC
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
80 / 100
Link:
https://www.joesandbox.com/analysis/1095799
Signature
C2 URLs / IPs found in malware configuration
Found evasive API chain (may stop execution after checking mutex)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected SystemBC
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/19b7183a3eed215c98ce35ac4168917345ef97c104b0c5a7ea43919f094a3bc3/
Threat name:
Win32.Backdoor.Systembc
Create hunting rule
Status:
Malicious
First seen:
2022-10-21 11:47:03 UTC
File Type:
PE (Exe)
Extracted files:
7
AV detection:
14 of 26 (53.85%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=dg3rqor65uqvzggogwwec2eronc67f6basymlj7kioiz6ckkhpbq._file
Verdict:
malicious
Similar samples:
19b7183a3eed215c98ce35ac4168917345ef97c104b0c5a7ea43919f094a3bc3
SystemBC
43036d7ee14ac6bb29c0067fa0d6b497ed09cbd6862a8e8d0d8e54b18f6bbe8c
SystemBC
595e1545c53d27fb1315e70b241e66f44b28a49be59a717ca4936d167e121470
SystemBC
8e83317b3259203394616c5ea47f4907c9680af69e34c0242af1052230c1e295
SystemBC
8f620e963130716ac09ba5a7c75d7e7ea42ac1a4b66fc0a106e6feb40941fe23
SystemBC
ab971c45e2e31f860ac74d476aee2aeb850a5f4130ca12c6c8110e8c4621aca9
SystemBC
+ 223 additional samples on MalwareBazaar
Result
Malware family:
systembc
Create hunting rule
Score:
  10/10
Tags:
family:systembc trojan
Link:
https://tria.ge/reports/221023-jjpk1ahbd2/
Behaviour
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Drops file in Windows directory
Drops file in System32 directory
SystemBC
Malware Config
C2 Extraction:
89.22.225.242:4193
195.2.93.22:4193
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/fde7952d-fe03-48d0-93e5-cdd4c5a1aea2
Unpacked files
SH256 hash:
665bcb7f7601b49961474f6f30495a18cdf3758e3b171874eb48190397b713a9
MD5 hash:
ad72822c0c72a676edae67f14716da34
SHA1 hash:
ee4464fea8e4a5459c7ae964c8f6fc51203e76ce
Detections:
SystemBC
Create hunting rule
Link:
https://www.unpac.me/results/e59d8238-9e0d-441a-a715-9ce65fd31d95/
Parent samples :
19b7183a3eed215c98ce35ac4168917345ef97c104b0c5a7ea43919f094a3bc3
b3c506f89220c76008795fdb56d670380ab58d952065c891f75a8db54b84ef8e
665bcb7f7601b49961474f6f30495a18cdf3758e3b171874eb48190397b713a9
bff34ec881bbe9726f025fcf4585150e98178bd2ecdbc7fc29939dbf554ab708
SH256 hash:
02e5631e5ecf457a5849b7cfe399f8afa61e03c5042caa731f3a52a85b2ec020
MD5 hash:
5f4cf0f6b06ab4a818a25e440f0b103e
SHA1 hash:
71c42353cabb286d8ae8422bd6897cd2a58efa81
Link:
https://www.unpac.me/results/e59d8238-9e0d-441a-a715-9ce65fd31d95/
SH256 hash:
19b7183a3eed215c98ce35ac4168917345ef97c104b0c5a7ea43919f094a3bc3
MD5 hash:
457c9934ea081a6594d8f630ef5a9460
SHA1 hash:
ef0692e35a6d55aff3814ebe4e40fc231a24873e
Link:
https://www.unpac.me/results/e59d8238-9e0d-441a-a715-9ce65fd31d95/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/19b7183a3eed215c98ce35ac4168917345ef97c104b0c5a7ea43919f094a3bc3

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:command_and_control
Create hunting rule
Author:CD_R0M_
Description:This rule searches for common strings found by malware using C2. Based on a sample used by a Ransomware group
Rule name:EXT_MAL_SystemBC_Mar22_1
Create hunting rule
Author:Thomas Barabosch, Deutsche Telekom Security
Description:Detects unpacked SystemBC module as used by Emotet in March 2022
Reference:https://twitter.com/Cryptolaemus1/status/1502069552246575105
Rule name:malware_shellcode_hash
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect shellcode api hash value
Rule name:MALWARE_Win_EXEPWSH_DLAgent
Create hunting rule
Author:ditekSHen
Description:Detects SystemBC
Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:meth_peb_parsing
Create hunting rule
Author:Willi Ballenthin
Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB
Rule name:Start2_net_bin
Create hunting rule
Author:James_inthe_box
Description:SystemBC
Reference:7bd341488dc6f01a6662ac478d67d3cd8211cbf362994355027b5bdf573cc31e
Rule name:Start2_overlap_bin
Create hunting rule
Author:James_inthe_box
Description:SystemBC
Reference:7bd341488dc6f01a6662ac478d67d3cd8211cbf362994355027b5bdf573cc31e
Rule name:Start2__bin
Create hunting rule
Author:James_inthe_box
Description:SystemBC
Reference:7bd341488dc6f01a6662ac478d67d3cd8211cbf362994355027b5bdf573cc31e
Rule name:SystemBC_Config
Create hunting rule
Author:@bartblaze
Description:Identifies SystemBC RAT, decrypted config.
Rule name:SystemBC_Socks
Create hunting rule
Author:@bartblaze
Description:Identifies SystemBC RAT, Socks proxy version.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

SystemBC

Executable exe 19b7183a3eed215c98ce35ac4168917345ef97c104b0c5a7ea43919f094a3bc3

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/322892/
  
URLhaus
https://urlhaus.abuse.ch/url/2381943/
  
Delivery method
Distributed via web download

Comments