MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2f120d396f71ff9adb8fe11f0b529e8ddea8355837d955fed83bb0ae2a35de84. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SystemBC


Vendor detections: 13


Intelligence 13 IOCs YARA 8 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2f120d396f71ff9adb8fe11f0b529e8ddea8355837d955fed83bb0ae2a35de84
SHA3-384 hash: 07961c6ac59252650467f29b2bcae02be677b784fc3e6ef5c4fb9486f50e776d64c665bf852b6b410df5d3f12b05faeb
SHA1 hash: dd4b3bbd8bf357bbdeeb593e94ff0bf9b5ae19f2
MD5 hash: cac81707eba1be452f548e410275a0ac
humanhash: king-timing-hot-red
File name:wizard.cpl
Download: download sample
Signature SystemBC
Create hunting rule
File size:16'896 bytes
First seen:2023-11-16 08:41:42 UTC
Last seen:2023-11-16 10:22:08 UTC
File type:DLL dll
MIME type:application/x-dosexec
imphash ea47177789465ada573c717425469cd1 (3 x SystemBC)
ssdeep 192:RniGhkfGBpFH+Z0hZ1WW8B52daFX4/PqfZSCG0GGGdWoBrSKja1cDHs:Y/fAeZ0hZwW42doxR3gWoBrtW1c
Threatray 7 similar samples on MalwareBazaar
TLSH T12672F7AA386081B5C21586B43E9F6761907D65724234A029EFE04F1C3F7DAA3E726F13
TrID 30.2% (.EXE) Win64 Executable (generic) (10523/12/4)
18.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
14.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
12.9% (.EXE) Win32 Executable (generic) (4505/5/1)
5.9% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter JAMESWT_WT
Tags:agenziaentrate cpl dll SystemBC

Intelligence

File Origin
# of uploads :
2
# of downloads :
391
Origin country :
IT IT
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/458808/
Detection(s):
SecuriteInfo.com.Win32.BackdoorX-gen.18913.19314.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Sending a custom TCP request
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
evasive greyware lolbin masquerade shell32 systembc
Link:
https://www.filescan.io/uploads/6555d5dd18918145a815b2ec/reports/25c65d77-72fd-48da-852b-88e8ee884007/overview
Verdict:
Malicious
Labled as:
Backdoo.0548B77E
Link:
https://www.hybrid-analysis.com/sample/2f120d396f71ff9adb8fe11f0b529e8ddea8355837d955fed83bb0ae2a35de84
Malware family:
SystemBC
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/390afe96-4784-4453-b1fa-7e042eaf0f83
Result
Threat name:
SystemBC
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
88 / 100
Link:
https://www.joesandbox.com/analysis/1343483
Signature
C2 URLs / IPs found in malware configuration
Found malware configuration
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Yara detected SystemBC
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1343483 Sample: wizard.cpl.dll Startdate: 16/11/2023 Architecture: WINDOWS Score: 88 23 Snort IDS alert for network traffic 2->23 25 Found malware configuration 2->25 27 Multi AV Scanner detection for submitted file 2->27 29 3 other signatures 2->29 7 loaddll32.exe 1 2->7         started        process3 process4 9 cmd.exe 1 7->9         started        11 rundll32.exe 7->11         started        13 conhost.exe 7->13         started        process5 15 rundll32.exe 9->15         started        dnsIp6 19 62.173.140.37, 4001, 49729, 49730 SPACENET-ASInternetServiceProviderRU Russian Federation 15->19 21 System process connects to network (likely due to code injection or exploit) 15->21 signatures7
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/2f120d396f71ff9adb8fe11f0b529e8ddea8355837d955fed83bb0ae2a35de84
Detection:
systembc
Create hunting rule
Link:
https://mwdb.cert.pl/sample/2f120d396f71ff9adb8fe11f0b529e8ddea8355837d955fed83bb0ae2a35de84/
Threat name:
Win32.Backdoor.Coroxy
Create hunting rule
Status:
Malicious
First seen:
2023-11-16 08:39:59 UTC
File Type:
PE (Dll)
AV detection:
18 of 23 (78.26%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=f4ja2olpoh7zvw4p4epqwuu6rxpkqnkyg7mvl7wyhoyk4krv32ca._file
Verdict:
malicious
Similar samples:
2f120d396f71ff9adb8fe11f0b529e8ddea8355837d955fed83bb0ae2a35de84
SystemBC
68d545d1cdef7b43c334287add73189c0498316ba361fd241bc6c89cf6667c8c
SystemBC
f0073027076729ce94bd028e8f50f5ccb1f0184c91680e572580db0110c87a82
SystemBC
f5d83117640be29986b7f0c833dd99b5a18283a39d059ba2547a9ce2e7dc10ad
SystemBC
Result
Malware family:
systembc
Create hunting rule
Score:
  10/10
Tags:
family:systembc
Link:
https://tria.ge/reports/231116-kl1aysha73/
Behaviour
Suspicious use of WriteProcessMemory
Blocklisted process makes network request
Malware Config
C2 Extraction:
62.173.140.37:4001
Unpacked files
SH256 hash:
2f120d396f71ff9adb8fe11f0b529e8ddea8355837d955fed83bb0ae2a35de84
MD5 hash:
cac81707eba1be452f548e410275a0ac
SHA1 hash:
dd4b3bbd8bf357bbdeeb593e94ff0bf9b5ae19f2
Detections:
SystemBC
Create hunting rule
win_systembc_auto
Create hunting rule
win_systembc_g0
Create hunting rule
EXT_MAL_SystemBC_Mar22_1
Create hunting rule
win_systembc_20220311
Create hunting rule
Link:
https://www.unpac.me/results/9def2f60-ca7e-4e3a-beeb-440486000568/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
SystemBC
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/2f120d396f71ff9adb8fe11f0b529e8ddea8355837d955fed83bb0ae2a35de84

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:command_and_control
Create hunting rule
Author:CD_R0M_
Description:This rule searches for common strings found by malware using C2. Based on a sample used by a Ransomware group
Rule name:EXT_MAL_SystemBC_Mar22_1
Create hunting rule
Author:Thomas Barabosch, Deutsche Telekom Security
Description:Detects unpacked SystemBC module as used by Emotet in March 2022
Reference:https://twitter.com/Cryptolaemus1/status/1502069552246575105
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:meth_peb_parsing
Create hunting rule
Author:Willi Ballenthin
Rule name:Start2_net_bin
Create hunting rule
Author:James_inthe_box
Description:SystemBC
Reference:7bd341488dc6f01a6662ac478d67d3cd8211cbf362994355027b5bdf573cc31e
Rule name:Start2_overlap_bin
Create hunting rule
Author:James_inthe_box
Description:SystemBC
Reference:7bd341488dc6f01a6662ac478d67d3cd8211cbf362994355027b5bdf573cc31e
Rule name:Start2__bin
Create hunting rule
Author:James_inthe_box
Description:SystemBC
Reference:7bd341488dc6f01a6662ac478d67d3cd8211cbf362994355027b5bdf573cc31e
Rule name:win_systembc_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.systembc.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/458808/

Comments