MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3735585ffb3ec5d0493b3e3e44323ecb9ef11c78f8ccda56e2d86c02a103f736. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SystemBC


Vendor detections: 9


Intelligence 9 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3735585ffb3ec5d0493b3e3e44323ecb9ef11c78f8ccda56e2d86c02a103f736
SHA3-384 hash: 84d16c6d519b21d3b8111aea2550dd10fd28c2b40d61568e27d6e4318b4e69c4a677926be7fe3cc3c6961a63e7b1258d
SHA1 hash: 9f0b6da7824c11e18bfc67fef016dc4c6d034c6e
MD5 hash: 8aaa63d32bc201244a89f771d37c5523
humanhash: stream-washington-princess-earth
File name:8aaa63d32bc201244a89f771d37c5523.exe
Download: download sample
Signature SystemBC
Create hunting rule
File size:8'586'320 bytes
First seen:2022-11-15 11:21:30 UTC
Last seen:2022-11-15 13:54:04 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 8765459ecb275a89f3fa3dba64bddf7c (1 x SystemBC, 1 x ArkeiStealer)
ssdeep 98304:0nf7Zg7kBIjYXCz76QOph+F7ccTDhUCuEw3YtVD8flWyK40uLlcKLh+5D:U0jrf6QOph+LsyTyKruJV0D
Threatray 15'424 similar samples on MalwareBazaar
TLSH T16786C0B57349F0CFC18AF974A80BDE43D17803B2A318A415E8AD7C7C9E93D813697A95
TrID 32.2% (.EXE) Win64 Executable (generic) (10523/12/4)
20.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
15.4% (.EXE) Win16 NE executable (generic) (5038/12/1)
13.7% (.EXE) Win32 Executable (generic) (4505/5/1)
6.2% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon 00c6d0a0d8c2cc00 (1 x SystemBC)
Reporter abuse_ch
Tags:exe SystemBC

Intelligence

File Origin
# of uploads :
2
# of downloads :
163
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
vidar
Create hunting rule
ID:
1
File name:
8322e07c26f7c6e100e5b2be34080db4.exe
Verdict:
Malicious activity
Analysis date:
2022-11-14 19:13:27 UTC
Tags:
trojan stealer vidar loader
Link:
https://app.any.run/tasks/d84b2a45-e526-47f7-bae2-805d7d1b35b8

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/334191/
Detection(s):
SecuriteInfo.com.Win32.TrojanX-gen.18584.2755.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for analyzing tools
Searching for the window
Creating a file
Sending a custom TCP request
Creating a window
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
overlay packed
Link:
https://www.filescan.io/uploads/6373766107c3f5e84a013faa/reports/7d93290f-e4a9-465d-8aa6-372bf988122e/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/02d3683f-9139-41ec-b926-c9392f4fa2b7
Result
Threat name:
SystemBC
Create hunting rule
Detection:
malicious
Classification:
evad.troj.spyw
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1114362
Signature
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
Creates files in the system32 config directory
Found hidden mapped module (file has been removed from disk)
Hides threads from debuggers
Hooks files or directories query functions (used to hide files and directories)
Hooks processes query functions (used to hide processes)
Hooks registry keys query functions (used to hide registry keys)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies power options to not sleep / hibernate
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
PE file contains section with special chars
Queries disk data (e.g. SMART data)
Query firmware table information (likely to detect VMs)
Self deletion via cmd or bat file
Tries to detect debuggers (CloseHandle check)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Uses cmd line tools excessively to alter registry or file data
Uses ping.exe to check the status of other devices and networks
Uses powercfg.exe to modify the power settings
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected SystemBC
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 747055 Sample: lVMxof38tX.exe Startdate: 15/11/2022 Architecture: WINDOWS Score: 100 60 bing.aksaradata.web.id 2->60 78 Multi AV Scanner detection for domain / URL 2->78 80 Malicious sample detected (through community Yara rule) 2->80 82 Antivirus detection for URL or domain 2->82 84 11 other signatures 2->84 8 lVMxof38tX.exe 5 2->8         started        12 nkva.exe 3 2->12         started        14 hiwolos febocisi moq kadi.exe 12 2->14         started        16 7 other processes 2->16 signatures3 process4 file5 50 C:\Users\...\hiwolos febocisi moq kadi.exe, PE32 8->50 dropped 52 hiwolos febocisi m...exe:Zone.Identifier, ASCII 8->52 dropped 86 Query firmware table information (likely to detect VMs) 8->86 88 Self deletion via cmd or bat file 8->88 90 Uses schtasks.exe or at.exe to add and modify task schedules 8->90 92 Tries to detect sandboxes / dynamic malware analysis system (registry check) 8->92 18 hiwolos febocisi moq kadi.exe 12 8->18         started        21 cmd.exe 1 8->21         started        23 schtasks.exe 1 8->23         started        54 C:\Windows\Temp\xlngptzm.tmp, PE32+ 12->54 dropped 56 C:\Windows\System32\...\nvdrivesllapi.exe, PE32+ 12->56 dropped 94 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 12->94 96 Creates files in the system32 config directory 12->96 98 Writes to foreign memory regions 12->98 106 3 other signatures 12->106 100 Allocates memory in foreign processes 14->100 108 3 other signatures 14->108 25 InstallUtil.exe 2 14->25         started        102 Uses cmd line tools excessively to alter registry or file data 16->102 104 Uses powercfg.exe to modify the power settings 16->104 110 2 other signatures 16->110 28 conhost.exe 16->28         started        30 conhost.exe 16->30         started        32 sc.exe 16->32         started        34 27 other processes 16->34 signatures6 process7 file8 68 Query firmware table information (likely to detect VMs) 18->68 70 Writes to foreign memory regions 18->70 72 Allocates memory in foreign processes 18->72 76 4 other signatures 18->76 36 InstallUtil.exe 2 18->36         started        74 Uses ping.exe to check the status of other devices and networks 21->74 40 PING.EXE 1 21->40         started        42 conhost.exe 21->42         started        44 chcp.com 1 21->44         started        46 conhost.exe 23->46         started        58 C:\Users\user\AppData\Local\Temp\bwrl.exe, PE32+ 25->58 dropped signatures9 process10 dnsIp11 62 31.42.177.59, 49845, 49846, 80 YANINA-ASUA Ukraine 36->62 64 89.22.225.242, 4193, 49843, 49844 INETLTDTR Russian Federation 36->64 48 C:\Users\user\AppData\Local\Temp\nkva.exe, PE32+ 36->48 dropped 66 127.0.0.1 unknown unknown 40->66 file12
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3735585ffb3ec5d0493b3e3e44323ecb9ef11c78f8ccda56e2d86c02a103f736/
Threat name:
Win32.Packed.Generic
Create hunting rule
Status:
Suspicious
First seen:
2022-11-13 09:36:35 UTC
File Type:
PE (Exe)
Extracted files:
7
AV detection:
19 of 25 (76.00%)
Threat level:
  1/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=g42vqx73h3c5asj3hy7eimr6zoppchdy7dgnuvxc3bwafiid643a._file
Verdict:
malicious
Similar samples:
067d79883c880e8d3a0c77d0f211abe52991e00aff3489cd04c5b5180125fb65
SystemBC
245df5e6eb13e960dc2cd57d5ee69c8cee7bd93edc1733cfec479711dac7c777
SystemBC
474a473bf46fdbfb5a9344937674c1455d764e74c2cd8892da7d59f68ffadd5c
SystemBC
87be6f628553d89007fd8f7d0758d42906f2ee7d84ca18e961cb463921061a42
SystemBC
a484a486e4ccce5d89bed7fd21d3aef4802a85b3147a0445ccca16b3df95267a
SystemBC
b65b0ae08a0b84525ce65ea6ffa9f3cd3a0523b506135dacb1711b034bfb6f44
SystemBC
d36d4465c570673839d1139e66b284072a9d9f88ea7e2733c1751bd77e9afb2c
SystemBC
e21d4e0b2f711e72b6251d1a0a5f1a703baffb7c7ddd1d1b087bc9068f17aaa8
SystemBC
eddbfe52ba633950c388e0303d5a04453f9ba9e3a3cdc60f9a1355707cd209e6
SystemBC
+ 15'414 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  9/10
Tags:
bootkit evasion persistence trojan
Link:
https://tria.ge/reports/221115-ngkw9ahd4t/
Behaviour
Creates scheduled task(s)
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of NtSetInformationThreadHideFromDebugger
Checks whether UAC is enabled
Writes to the Master Boot Record (MBR)
Checks BIOS information in registry
Checks computer location settings
Deletes itself
Loads dropped DLL
Executes dropped EXE
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/08777659-34f6-42d4-b716-1b0d9ce635a0
Unpacked files
SH256 hash:
57076fb9ef3723b7b4bafc050272aafcfaf4a24b43d8e5cc19b94a7c69fe53af
MD5 hash:
b66225b882f8cbe1c334dd7b20771a5e
SHA1 hash:
f8768769e56186acf03be56e09fb72e9afacd654
Link:
https://www.unpac.me/results/a0ec97e6-21a3-4ed8-a3f4-93594f963c48/
SH256 hash:
3735585ffb3ec5d0493b3e3e44323ecb9ef11c78f8ccda56e2d86c02a103f736
MD5 hash:
8aaa63d32bc201244a89f771d37c5523
SHA1 hash:
9f0b6da7824c11e18bfc67fef016dc4c6d034c6e
Link:
https://www.unpac.me/results/a0ec97e6-21a3-4ed8-a3f4-93594f963c48/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/3735585ffb3ec5d0493b3e3e44323ecb9ef11c78f8ccda56e2d86c02a103f736

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:HeavensGate
Create hunting rule
Author:kevoreilly
Description:Heaven's Gate: Switch from 32-bit to 64-mode

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

SystemBC

Executable exe 3735585ffb3ec5d0493b3e3e44323ecb9ef11c78f8ccda56e2d86c02a103f736

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2412741/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/334191/

Comments