MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3827089557640841eb045db12c46140166d9cd2824e82ef66af1fbd52f2c7855. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SystemBC


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3827089557640841eb045db12c46140166d9cd2824e82ef66af1fbd52f2c7855
SHA3-384 hash: 1ba8b0807c2fc404c83c75647e60456096cc87140802e8062e25560faf8f39be08ad1f938b6b6af55bf9697d9e1ed5a3
SHA1 hash: 52674452be84199f4f425e5d547afa2b843a9040
MD5 hash: 3578471cb7ce9d86cc7f92623d4cab94
humanhash: wisconsin-london-foxtrot-nine
File name:3578471cb7ce9d86cc7f92623d4cab94.exe
Download: download sample
Signature SystemBC
Create hunting rule
File size:844'736 bytes
First seen:2022-10-12 15:18:49 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 646167cce332c1c252cdcb1839e0cf48 (8'473 x RedLineStealer, 4'851 x Amadey, 290 x Smoke Loader)
ssdeep 24576:2y4anp7t10hY2f7uYTDxGkZuRKHguDamR:FDpj0hY2zuLfRKAKao
TLSH T1EA0501D1DAD808DAFD7D633450BB0A9719B23CB74BB0056E618EF12548B3293467BE1E
TrID 38.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
20.5% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
13.0% (.EXE) Win64 Executable (generic) (10523/12/4)
8.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
6.2% (.EXE) Win16 NE executable (generic) (5038/12/1)
File icon (PE):PE icon
dhash icon f0f8f0f8f0f8f0f0 (2 x SystemBC)
Reporter abuse_ch
Tags:exe SystemBC

Intelligence

File Origin
# of uploads :
1
# of downloads :
240
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/319447/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.62703672.7419.29869.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Creating a file in the %temp% subdirectories
Launching a process
Creating a process with a hidden window
Running batch commands
Launching cmd.exe command interpreter
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Moving a file to the %temp% subdirectory
Creating a process from a recently created file
Сreating synchronization primitives
DNS request
Possible injection to a system process
Enabling autorun by creating a file
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/42717/overview
Behaviour
MalwareBazaar
SystemUptime
MeasuringTime
EvasionQueryPerformanceCounter
EvasionGetTickCount
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
advpack.dll anti-vm overlay packed rundll32.exe setupapi.dll shell32.dll systembc
Link:
https://www.filescan.io/uploads/6346dae7b5d1588e3cceede6/reports/9aa8f73a-8abc-4210-88a4-3e65c855def8/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/b61b59d7-adcb-4a97-8523-19cbd30182d9
Result
Threat name:
SystemBC
Create hunting rule
Detection:
malicious
Classification:
troj.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1088932
Signature
Creates processes via WMI
DLL reload attack detected
Drops PE files with a suspicious file extension
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Obfuscated command line found
Renames NTDLL to bypass HIPS
Sigma detected: Drops script at startup location
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected SystemBC
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 721534 Sample: J2UE5ESG5z.exe Startdate: 12/10/2022 Architecture: WINDOWS Score: 100 66 Malicious sample detected (through community Yara rule) 2->66 68 Yara detected SystemBC 2->68 70 Sigma detected: Drops script at startup location 2->70 72 Machine Learning detection for sample 2->72 10 J2UE5ESG5z.exe 1 5 2->10         started        12 wscript.exe 2->12         started        15 qvLDMLqSMQ.exe.com 2->15         started        17 3 other processes 2->17 process3 signatures4 19 cmd.exe 1 10->19         started        22 ftp.exe 1 10->22         started        94 Creates processes via WMI 12->94 process5 signatures6 74 Obfuscated command line found 19->74 76 Uses ping.exe to sleep 19->76 78 Drops PE files with a suspicious file extension 19->78 80 Uses ping.exe to check the status of other devices and networks 19->80 24 cmd.exe 2 19->24         started        28 conhost.exe 19->28         started        30 PING.EXE 1 19->30         started        32 conhost.exe 22->32         started        process7 file8 58 C:\Users\user\AppData\...\Darkness.exe.pif, PE32 24->58 dropped 90 Obfuscated command line found 24->90 92 Uses ping.exe to sleep 24->92 34 Darkness.exe.pif 5 24->34         started        39 tasklist.exe 1 24->39         started        41 tasklist.exe 1 24->41         started        43 4 other processes 24->43 signatures9 process10 dnsIp11 62 89.22.225.242, 4193, 49698 INETLTDTR Russian Federation 34->62 64 WQhwvmwnjqbKDG.WQhwvmwnjqbKDG 34->64 54 C:\Users\user\AppData\...\qvLDMLqSMQ.exe.com, PE32 34->54 dropped 56 C:\Users\user\AppData\Local\...\gCgmkZTFn.dll, PE32 34->56 dropped 82 DLL reload attack detected 34->82 84 Drops PE files with a suspicious file extension 34->84 86 Uses schtasks.exe or at.exe to add and modify task schedules 34->86 88 Renames NTDLL to bypass HIPS 34->88 45 cmd.exe 2 34->45         started        48 schtasks.exe 1 34->48         started        file12 signatures13 process14 file15 60 C:\Users\user\AppData\...\qvLDMLqSMQ.url, MS 45->60 dropped 50 conhost.exe 45->50         started        52 conhost.exe 48->52         started        process16
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3827089557640841eb045db12c46140166d9cd2824e82ef66af1fbd52f2c7855/
Threat name:
Win32.Backdoor.Systembc
Create hunting rule
Status:
Suspicious
First seen:
2022-10-11 22:21:41 UTC
File Type:
PE (Exe)
Extracted files:
54
AV detection:
14 of 42 (33.33%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=hatqrfkxmqeed2yelwysyrquaftnttjietuc55tk6h55klzmpbkq._file
Verdict:
malicious
Result
Malware family:
n/a
Score:
  10/10
Tags:
persistence
Link:
https://tria.ge/reports/221012-sp6k5shah8/
Behaviour
Creates scheduled task(s)
Enumerates processes with tasklist
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Adds Run key to start application
Drops startup file
Loads dropped DLL
Executes dropped EXE
Suspicious use of NtCreateUserProcessOtherParentProcess
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/025f64ce-58e8-4e24-a999-c0fdf81a73bb
Unpacked files
SH256 hash:
1a2e8329a2f3255c06825aed711ae65ad476aef811b21737cbef1ccc451872aa
MD5 hash:
1dd1a9c59ff05cced864226e1d5e00bb
SHA1 hash:
528f9f4642c498c78d45f74b5e7712fca9eb1959
Link:
https://www.unpac.me/results/4280478f-b4a6-4b84-9f01-345bca6155d4/
SH256 hash:
3827089557640841eb045db12c46140166d9cd2824e82ef66af1fbd52f2c7855
MD5 hash:
3578471cb7ce9d86cc7f92623d4cab94
SHA1 hash:
52674452be84199f4f425e5d547afa2b843a9040
Link:
https://www.unpac.me/results/4280478f-b4a6-4b84-9f01-345bca6155d4/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/3827089557640841eb045db12c46140166d9cd2824e82ef66af1fbd52f2c7855

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

SystemBC

Executable exe 3827089557640841eb045db12c46140166d9cd2824e82ef66af1fbd52f2c7855

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2355193/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/319447/

Comments