MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2eedba5f5dbbee52fd6edcb5039ebd96e18a66d79f622fa794b00061a412cbce. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SystemBC


Vendor detections: 14


Intelligence 14 IOCs YARA 8 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2eedba5f5dbbee52fd6edcb5039ebd96e18a66d79f622fa794b00061a412cbce
SHA3-384 hash: 6e067d3485fcdb348506213ed33620b4594dd9c96e29bf50ce06840ce0ff241dde4b56996a1d77fdb1c6f311862d2409
SHA1 hash: db4add19b401d3f235ec0be832ac779282736adc
MD5 hash: 3decb23a2e0c58dd2a0ec542f954d705
humanhash: london-four-pip-winner
File name:3DECB23A2E0C58DD2A0EC542F954D705.dll
Download: download sample
Signature SystemBC
Create hunting rule
File size:16'896 bytes
First seen:2023-12-10 13:45:14 UTC
Last seen:2023-12-10 15:32:46 UTC
File type:DLL dll
MIME type:application/x-dosexec
imphash ea47177789465ada573c717425469cd1 (3 x SystemBC)
ssdeep 192:DLiGhkfGBpFH+ZchZ1WW8B52daFX4/PqfZSCG0GIGdWoBrCKja1cqHH:a/fAeZchZwW42doxRZgWoBrdW1cq
Threatray 13 similar samples on MalwareBazaar
TLSH T16D72F6AA386085B5C21586B43E9F6761907D65724234A029EFE04F1C3F7DAA3E726F13
TrID 30.2% (.EXE) Win64 Executable (generic) (10523/12/4)
18.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
14.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
12.9% (.EXE) Win32 Executable (generic) (4505/5/1)
5.9% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter abuse_ch
Tags:dll SystemBC


Avatar
abuse_ch
SystemBC C2:
82.147.85.189:4001

Intelligence

File Origin
# of uploads :
2
# of downloads :
317
Origin country :
NL NL
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/464258/
Detection(s):
SecuriteInfo.com.BackDoor.Coroxy.19.14796.30049.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a custom TCP request
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
coroxy evasive greyware lolbin shell32 systembc zusy
Link:
https://www.filescan.io/uploads/6575c11ceba108031488b68a/reports/f2ee1c4e-d939-4782-bfe6-dd80a231dca9/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/2eedba5f5dbbee52fd6edcb5039ebd96e18a66d79f622fa794b00061a412cbce
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
SystemBC
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/332a98a6-51ad-4f11-ae94-4fcfdadc9e7e
Result
Threat name:
SystemBC
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1357317
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Yara detected SystemBC
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1357317 Sample: BYbM8g4YN1.dll Startdate: 10/12/2023 Architecture: WINDOWS Score: 100 23 Snort IDS alert for network traffic 2->23 25 Multi AV Scanner detection for domain / URL 2->25 27 Found malware configuration 2->27 29 6 other signatures 2->29 7 loaddll32.exe 1 2->7         started        process3 process4 9 rundll32.exe 7->9         started        12 rundll32.exe 7->12         started        15 cmd.exe 1 7->15         started        17 conhost.exe 7->17         started        dnsIp5 31 System process connects to network (likely due to code injection or exploit) 9->31 21 82.147.85.189, 4001, 49704, 49705 SIBTEL-ASRU Russian Federation 12->21 19 rundll32.exe 15->19         started        signatures6 process7
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/2eedba5f5dbbee52fd6edcb5039ebd96e18a66d79f622fa794b00061a412cbce
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/2eedba5f5dbbee52fd6edcb5039ebd96e18a66d79f622fa794b00061a412cbce/
Threat name:
Win32.Trojan.SystemBC
Create hunting rule
Status:
Malicious
First seen:
2023-12-07 06:24:00 UTC
File Type:
PE (Dll)
AV detection:
24 of 37 (64.86%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=f3w3ux25xpxff7lo3s2qhhv5s3qyuzwxt5rc7j4uwaagdjaszpha._file
Verdict:
malicious
Similar samples:
2eedba5f5dbbee52fd6edcb5039ebd96e18a66d79f622fa794b00061a412cbce
SystemBC
2f120d396f71ff9adb8fe11f0b529e8ddea8355837d955fed83bb0ae2a35de84
SystemBC
4dae3b84eeb5e36c144f9fad2f2b06d9e82381cda6b1f043033cf3644f339558
SystemBC
f0073027076729ce94bd028e8f50f5ccb1f0184c91680e572580db0110c87a82
SystemBC
f5d83117640be29986b7f0c833dd99b5a18283a39d059ba2547a9ce2e7dc10ad
SystemBC
+ 3 additional samples on MalwareBazaar
Result
Malware family:
systembc
Create hunting rule
Score:
  10/10
Tags:
family:systembc
Link:
https://tria.ge/reports/231210-q2ypysfeg3/
Behaviour
Suspicious use of WriteProcessMemory
Blocklisted process makes network request
Malware Config
C2 Extraction:
82.147.85.189:4001
reserve-domain.com:4001
Unpacked files
SH256 hash:
2eedba5f5dbbee52fd6edcb5039ebd96e18a66d79f622fa794b00061a412cbce
MD5 hash:
3decb23a2e0c58dd2a0ec542f954d705
SHA1 hash:
db4add19b401d3f235ec0be832ac779282736adc
Detections:
SystemBC
Create hunting rule
win_systembc_g0
Create hunting rule
EXT_MAL_SystemBC_Mar22_1
Create hunting rule
win_systembc_20220311
Create hunting rule
Link:
https://www.unpac.me/results/1d8dc73c-a8d4-4613-858c-eabbc66abe56/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
SystemBC
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/2eedba5f5dbbee52fd6edcb5039ebd96e18a66d79f622fa794b00061a412cbce

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:command_and_control
Create hunting rule
Author:CD_R0M_
Description:This rule searches for common strings found by malware using C2. Based on a sample used by a Ransomware group
Rule name:EXT_MAL_SystemBC_Mar22_1
Create hunting rule
Author:Thomas Barabosch, Deutsche Telekom Security
Description:Detects unpacked SystemBC module as used by Emotet in March 2022
Reference:https://twitter.com/Cryptolaemus1/status/1502069552246575105
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:meth_peb_parsing
Create hunting rule
Author:Willi Ballenthin
Rule name:Start2_net_bin
Create hunting rule
Author:James_inthe_box
Description:SystemBC
Reference:7bd341488dc6f01a6662ac478d67d3cd8211cbf362994355027b5bdf573cc31e
Rule name:Start2_overlap_bin
Create hunting rule
Author:James_inthe_box
Description:SystemBC
Reference:7bd341488dc6f01a6662ac478d67d3cd8211cbf362994355027b5bdf573cc31e
Rule name:Start2__bin
Create hunting rule
Author:James_inthe_box
Description:SystemBC
Reference:7bd341488dc6f01a6662ac478d67d3cd8211cbf362994355027b5bdf573cc31e
Rule name:win_systembc_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.systembc.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/464258/

Comments