MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2ba6201e973a0e7c94442619ea006e2e538a117d4c99a986e40ef7c38c296836. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SystemBC


Vendor detections: 15


Intelligence 15 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2ba6201e973a0e7c94442619ea006e2e538a117d4c99a986e40ef7c38c296836
SHA3-384 hash: 0fd007e355bd92da8a4fdd5407bce2a93a642d68e1d15e5af3abc15099cf071a9fae62bc0a5f3fe93e9da9265b363b14
SHA1 hash: 1adfccb7ffac098bc85bbc2317a12cf448631590
MD5 hash: b4b0494e2a1154bc4e4c3936bccaf278
humanhash: juliet-finch-freddie-charlie
File name:2ba6201e973a0e7c94442619ea006e2e538a117d4c99a986e40ef7c38c296836
Download: download sample
Signature SystemBC
Create hunting rule
File size:274'432 bytes
First seen:2022-11-03 06:01:53 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash bf0c7df0c054c291d79bd1c72984352c (12 x SystemBC)
ssdeep 3072:Aad5up8lhAfuC55rfcvMCsJnbl3T0KX+fSM/h3BsxkgaBChURb:HhhWum3T0RSniga
Threatray 224 similar samples on MalwareBazaar
TLSH T1CC44BF36B590D560F0910E38BA2ADFA015BFBCF39938555AF7907B0E3A31792A61134F
TrID 48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
16.4% (.EXE) Win64 Executable (generic) (10523/12/4)
10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter JAMESWT_WT
Tags:exe SystemBC

Intelligence

File Origin
# of uploads :
1
# of downloads :
206
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
systembc
Create hunting rule
ID:
1
File name:
2ba6201e973a0e7c94442619ea006e2e538a117d4c99a986e40ef7c38c296836
Verdict:
Malicious activity
Analysis date:
2022-11-03 06:05:51 UTC
Tags:
systembc
Link:
https://app.any.run/tasks/7f9af0b3-e14a-4c83-a55a-b244477165b8

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/327619/
Detection(s):
Win.Packed.Tofsee-9951336-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a window
Sending a custom TCP request
Creating a file
Creating a process from a recently created file
Enabling autorun by creating a file
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/47794/overview
Behaviour
MalwareBazaar
CallSleep
CheckCmdLine
WindowsNumberSmall
CheckMutex
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
evasive greyware hacktool overlay shell32.dll
Link:
https://www.filescan.io/uploads/6363595f73a0205b3f77881a/reports/77ac6b1b-af92-4dc4-b226-c45569e0b46e/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
SystemBC
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/28ae5858-d500-4c56-9135-0e881804c3c7
Result
Threat name:
SystemBC
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1104059
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found evasive API chain (may stop execution after checking mutex)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May use the Tor software to hide its network traffic
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to detect virtualization through RDTSC time measurements
Yara detected SystemBC
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/2ba6201e973a0e7c94442619ea006e2e538a117d4c99a986e40ef7c38c296836/
Threat name:
Win32.Backdoor.Coroxy
Create hunting rule
Status:
Malicious
First seen:
2022-10-27 11:41:17 UTC
File Type:
PE (Exe)
AV detection:
25 of 26 (96.15%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=fotcahuxhihhzfceeym6uadofzjyuel5jsm2tbxeb334hdbjna3a._file
Verdict:
malicious
Similar samples:
318e0bd67ccbf40f50b848831fb2885b161e68acdfaaa0c619c79b3912af2ecd
SystemBC
3f97d3a159c05ed13798178c697514769201a1484922b09fdd7d8e00517aa861
SystemBC
7880b2cd5384bf7c1c094d871947504df1eef7f29befa93fec72bbafc4fa8fa8
SystemBC
7b8b1ed75224573e0ede38e9c7fc5b9bf5b46dba275b5e3d23f94acd4b1a7a11
SystemBC
94a24841df9e30fab797665446d3ebbf9af6c8157a99d4c3f7afbe64d58777c6
SystemBC
dbeae60f2dbf75d9340775ee02002e0400bc646f9d35dc41bdef73be4da82ac5
SystemBC
e7174b9891b41bf0459fd6fe3f6ab5c63aa5ab4883b02d32325dd19f6d1ed71f
SystemBC
e86c00bb96428b8c113169da2c996f457ed22467c5ad998e87bb48b65e98ab36
SystemBC
f0562d49226fc4776a7991b14f43b2c7a572ae276adef3d3dc3678b8b0894401
SystemBC
f8079d9eb143214a50b52500677a1f20cba2817178e2a8a40d4fb184f5d3ab3f
SystemBC
+ 214 additional samples on MalwareBazaar
Result
Malware family:
systembc
Create hunting rule
Score:
  10/10
Tags:
family:systembc trojan
Link:
https://tria.ge/reports/221103-grfxqafad3/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Drops file in Windows directory
Executes dropped EXE
SystemBC
Malware Config
C2 Extraction:
146.70.101.95:4001
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/0c0cc147-85e7-4322-aff9-f234f870ace9
Unpacked files
SH256 hash:
2ba6201e973a0e7c94442619ea006e2e538a117d4c99a986e40ef7c38c296836
MD5 hash:
b4b0494e2a1154bc4e4c3936bccaf278
SHA1 hash:
1adfccb7ffac098bc85bbc2317a12cf448631590
Detections:
SystemBC
Create hunting rule
win_systembc_g0
Create hunting rule
Link:
https://www.unpac.me/results/ce48aff9-712e-4756-85f7-5951dae2e48d/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.45
Link:
https://yomi.yoroi.company/submissions/2ba6201e973a0e7c94442619ea006e2e538a117d4c99a986e40ef7c38c296836

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:command_and_control
Create hunting rule
Author:CD_R0M_
Description:This rule searches for common strings found by malware using C2. Based on a sample used by a Ransomware group
Rule name:MALWARE_Win_EXEPWSH_DLAgent
Create hunting rule
Author:ditekSHen
Description:Detects SystemBC
Rule name:meth_peb_parsing
Create hunting rule
Author:Willi Ballenthin
Rule name:MiniTor
Create hunting rule
Author:@bartblaze
Description:Identifies MiniTor implementation as seen in SystemBC and Parallax RAT.
Reference:https://news.sophos.com/en-us/2020/12/16/systembc/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/327619/

Comments