MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 36a101b5a13436dd67e2b33c2abbae7cdd86a7ed951185a1914c12685339ad74. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SystemBC


Vendor detections: 9


Intelligence 9 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 36a101b5a13436dd67e2b33c2abbae7cdd86a7ed951185a1914c12685339ad74
SHA3-384 hash: 7ec1d38af3b0f819c8f5c363966fc321dd08d856347771314f79613f97e2a32a3f3f14fa9daa8fb09657c25f0a37cd06
SHA1 hash: 3502862e8ef4edd8ff5a427849d8c9f38e45160d
MD5 hash: c96012bf82cc15058dd53887b068bbd8
humanhash: high-floor-pluto-berlin
File name:c96012bf82cc15058dd53887b068bbd8.exe
Download: download sample
Signature SystemBC
Create hunting rule
File size:273'920 bytes
First seen:2020-12-14 08:13:50 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash bb3def65fa06d508af5290223321feb0 (1 x SystemBC)
ssdeep 3072:w3d7X7Z5yrvc1CYy6FK5bbXH2QPuofXzh78j7PTiCN0t+iO:aLPyICYy6mH2QP5t78Liw0t+1
TLSH 4244BF2135A0CCF2C4A605344465DBA06AFAB83517759AF7376C6B7E2F343C12AFE246
Reporter abuse_ch
Tags:exe SystemBC


Avatar
abuse_ch
SystemBC payload URL:
http://lmdhtdserv985.xyz/atxzx111.exe

SystemBC C2:
gentexman37.xyz:4044 (5.199.174.179)

Intelligence

File Origin
# of uploads :
1
# of downloads :
226
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
c96012bf82cc15058dd53887b068bbd8.exe
Verdict:
Malicious activity
Analysis date:
2020-12-14 08:18:27 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/b603941e-f050-4973-9bb6-eb66a63de9d0

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/107940/
Detection(s):
Win.Dropper.Glupteba-9789578-0
Create hunting rule

Win.Malware.Glupteba-9790171-0
Create hunting rule

Win.Dropper.Glupteba-9792183-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file
Creating a process from a recently created file
Creating a process with a hidden window
Sending a UDP request
Enabling autorun by creating a file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.evad
Score:
92 / 100
Link:
https://www.joesandbox.com/analysis/561889
Signature
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
May use the Tor software to hide its network traffic
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to detect virtualization through RDTSC time measurements
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/36a101b5a13436dd67e2b33c2abbae7cdd86a7ed951185a1914c12685339ad74/
Threat name:
Win32.Trojan.Glupteba
Create hunting rule
Status:
Malicious
First seen:
2020-12-10 03:25:31 UTC
AV detection:
24 of 28 (85.71%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=g2qqdnnbgq3n2z7cwm6cvo5optoynj7nsuiylimrjqjgquzzvv2a._file
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://tria.ge/reports/201214-72qzpyctx2/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Drops file in Windows directory
Looks up external IP address via web service
Executes dropped EXE
Unpacked files
SH256 hash:
60fef0b74db9562cfb9a906716975a8534d97b493911a939a40b69b1969ca0d3
MD5 hash:
e07af3db58067875967cf8817ab08378
SHA1 hash:
2a72e308dbf6a68f9d19013ee0f55d7183a9d3ff
Detections:
win_systembc_g0
Create hunting rule
win_systembc_auto
Create hunting rule
Link:
https://www.unpac.me/results/7f7cd04e-967e-4453-bffd-9dbfb4ce5e04/
Parent samples :
d0c19e8c1317c52d421450e5605061b620d2b301d8e1a9811db6615c4d56b89f
08fd0983b9d0d9cd5947e885da8031fdf54d02a89a5d274e1c18bc8967bdde00
d896fea673941330bf9b4aca5ad7bd1b5e12d3768bfaea9521c843ac1324c629
36a101b5a13436dd67e2b33c2abbae7cdd86a7ed951185a1914c12685339ad74
fb45af7bb8ffdcddaaec2a9e88968fbcb82eaedbdf1c16a7e9ac861906a07e23
SH256 hash:
36a101b5a13436dd67e2b33c2abbae7cdd86a7ed951185a1914c12685339ad74
MD5 hash:
c96012bf82cc15058dd53887b068bbd8
SHA1 hash:
3502862e8ef4edd8ff5a427849d8c9f38e45160d
Link:
https://www.unpac.me/results/7f7cd04e-967e-4453-bffd-9dbfb4ce5e04/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/36a101b5a13436dd67e2b33c2abbae7cdd86a7ed951185a1914c12685339ad74

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:win_systembc_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
URLhaus
https://urlhaus.abuse.ch/url/917421/
Cape
Cape
https://www.capesandbox.com/analysis/107940/

Comments