MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3c8aec76ac1f6c07f332c3f9a80c4c3c93c5f809b58dfed8abdb6a644e13c57c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SystemBC


Vendor detections: 14


Intelligence 14 IOCs YARA 4 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3c8aec76ac1f6c07f332c3f9a80c4c3c93c5f809b58dfed8abdb6a644e13c57c
SHA3-384 hash: fd9b1b62ffa723baf64f24aace9302d4022a8f49dbc8635d85daf02df7348997031fa886ba27542b76a19557ca1ea903
SHA1 hash: e7f2fb2ebdcd1f416422ecfc9a2e3bdf4dc2e845
MD5 hash: e28bb0c12be9480d98e49fce8cced7b6
humanhash: white-dakota-river-nevada
File name:e28bb0c12be9480d98e49fce8cced7b6
Download: download sample
Signature SystemBC
Create hunting rule
File size:287'744 bytes
First seen:2023-06-19 09:50:46 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 493c0587242c6f974644a1959b9764db (2 x GCleaner, 1 x SystemBC, 1 x Smoke Loader)
ssdeep 3072:d5lYIMAbKnUtNBizA3DAbxk57Ei3LSmPI0DnMOC4YMA5ydszTgXl:2IMVUtrrl7BDnMf4HA0
Threatray 4 similar samples on MalwareBazaar
TLSH T120545B9392E17C65ED264B729E1FC6F87A1EF5504F497BA712089A1F04B31B2E133B12
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 8888488000808000 (1 x SystemBC)
Reporter zbetcheckin
Tags:32 exe SystemBC

Intelligence

File Origin
# of uploads :
1
# of downloads :
298
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
e28bb0c12be9480d98e49fce8cced7b6
Verdict:
No threats detected
Analysis date:
2023-06-19 09:53:02 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/253ec487-30ad-4338-8e3f-e0b2ba1e98ac

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
SystemBC
Create hunting rule
Link:
https://www.capesandbox.com/analysis/400363/
Detection(s):
Win.Packer.pkr_ce1a-9980177-0
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a window
Sending a custom TCP request
Result
Malware family:
n/a
Score:
  9/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/91529/overview
Behaviour
MalwareBazaar
MeasuringTime
SystemUptime
CPUID_Instruction
EvasionQueryPerformanceCounter
CheckCmdLine
EvasionGetTickCount
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
coroxy greyware packed
Link:
https://www.filescan.io/uploads/6490250710461c2d676a64e8/reports/6e3377fe-4e38-432a-bb81-d4083d1ddd2e/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/3c8aec76ac1f6c07f332c3f9a80c4c3c93c5f809b58dfed8abdb6a644e13c57c
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
SystemBC
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/b7015a29-77fe-43ce-98be-cf44f948a5b6
Result
Threat name:
SmokeLoader, SystemBC
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1257258
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to inject code into remote processes
Creates autostart registry keys with suspicious values (likely registry only malware)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found evasive API chain (may stop execution after checking mutex)
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Suspicious powershell command line found
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected SmokeLoader
Yara detected SystemBC
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 890274 Sample: 81w4TySydA.exe Startdate: 19/06/2023 Architecture: WINDOWS Score: 100 38 Multi AV Scanner detection for domain / URL 2->38 40 Found malware configuration 2->40 42 Malicious sample detected (through community Yara rule) 2->42 44 7 other signatures 2->44 6 81w4TySydA.exe 1 2 2->6         started        11 fsdarv.exe 2->11         started        13 powershell.exe 11 2->13         started        15 powershell.exe 12 2->15         started        process3 dnsIp4 30 admlogs25.xyz 159.253.18.136, 49699, 80 PAGM-ASEE Estonia 6->30 32 admex1955x.xyz 5.45.127.115, 4044, 49692 PAGM-ASEE Estonia 6->32 28 C:\Users\user\AppData\Local\Temp\fsdarv.exe, PE32 6->28 dropped 46 Detected unpacking (changes PE section rights) 6->46 48 Detected unpacking (overwrites its own PE header) 6->48 50 Found evasive API chain (may stop execution after checking mutex) 6->50 60 3 other signatures 6->60 52 Multi AV Scanner detection for dropped file 11->52 54 Machine Learning detection for dropped file 11->54 56 Contains functionality to inject code into remote processes 11->56 58 Injects a PE file into a foreign processes 11->58 17 fsdarv.exe 11->17         started        20 conhost.exe 13->20         started        22 81w4TySydA.exe 13->22         started        24 conhost.exe 15->24         started        26 81w4TySydA.exe 15->26         started        file5 signatures6 process7 signatures8 34 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 17->34 36 Checks if the current machine is a virtual machine (disk enumeration) 17->36
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3c8aec76ac1f6c07f332c3f9a80c4c3c93c5f809b58dfed8abdb6a644e13c57c/
Threat name:
Win32.Ransomware.StopCrypt
Create hunting rule
Status:
Malicious
First seen:
2023-06-19 05:00:53 UTC
File Type:
PE (Exe)
Extracted files:
42
AV detection:
21 of 24 (87.50%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=hsfoy5vmd5wap4zsyp42qdcmhsj4l6ajwwg75wfl3nvgitqtyv6a._file
Verdict:
malicious
Similar samples:
458b2b25b7fd1a4d57cb66bd85635ee078b9b69789b769886a5bca433491bd87
SystemBC
4b25ea36c2b25f78c82b2752760b9b667678d3ce95dc292929b570b50e8bcc57
SystemBC
835089cc52af94cdcdf26ab335f8a4fe4719071746539acf472579fa2fc8e4f9
SystemBC
a9a3e6176cc8b8638f2bdadebeea743e50b758468c019530bb4d72cd70a66009
SystemBC
Result
Malware family:
systembc
Create hunting rule
Score:
  10/10
Tags:
family:systembc persistence trojan
Link:
https://tria.ge/reports/230619-lvg2eaec3z/
Behaviour
Adds Run key to start application
SystemBC
Malware Config
C2 Extraction:
admex1955x.xyz:4044
servx2785x.xyz:4044
Unpacked files
SH256 hash:
257e0d0d85f2b715f6f50d34ed6c063112476fa8ad78952c53a31d87244ee85e
MD5 hash:
9da31991a12a1150d10e1d6934ff9732
SHA1 hash:
8c0f5ee774da1de2cbdb13b31645f4d1589819cd
Link:
https://www.unpac.me/results/69061752-aecd-4299-a4d5-ad0faa878d7f/
SH256 hash:
fe559d3af49d020feb835657e621e647cb6ed7e8dd639046651ac3a027f20dc5
MD5 hash:
360ba14104ab2ac20301d8214c691ab8
SHA1 hash:
1e1325309dca8ace6f71d44253ff1756526fe5fb
Detections:
SystemBC
Create hunting rule
Link:
https://www.unpac.me/results/69061752-aecd-4299-a4d5-ad0faa878d7f/
Parent samples :
89e5681774347bfa7e087385062bbd741446308c239beff8f1e2ad1613372aea
835089cc52af94cdcdf26ab335f8a4fe4719071746539acf472579fa2fc8e4f9
3c8aec76ac1f6c07f332c3f9a80c4c3c93c5f809b58dfed8abdb6a644e13c57c
SH256 hash:
3c8aec76ac1f6c07f332c3f9a80c4c3c93c5f809b58dfed8abdb6a644e13c57c
MD5 hash:
e28bb0c12be9480d98e49fce8cced7b6
SHA1 hash:
e7f2fb2ebdcd1f416422ecfc9a2e3bdf4dc2e845
Link:
https://www.unpac.me/results/69061752-aecd-4299-a4d5-ad0faa878d7f/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/3c8aec76ac1f6c07f332c3f9a80c4c3c93c5f809b58dfed8abdb6a644e13c57c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_EXEPWSH_DLAgent
Create hunting rule
Author:ditekSHen
Description:Detects SystemBC
Rule name:Start2__bin
Create hunting rule
Author:James_inthe_box
Description:SystemBC
Reference:7bd341488dc6f01a6662ac478d67d3cd8211cbf362994355027b5bdf573cc31e
Rule name:SystemBC_Socks
Create hunting rule
Author:@bartblaze
Description:Identifies SystemBC RAT, Socks proxy version.
Rule name:Windows_Trojan_Smokeloader_3687686f
Create hunting rule
Author:Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

SystemBC

Executable exe 3c8aec76ac1f6c07f332c3f9a80c4c3c93c5f809b58dfed8abdb6a644e13c57c

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2666139/
Cape
Cape
https://www.capesandbox.com/analysis/400363/

Comments


Avatar
zbet commented on 2023-06-19 09:50:47 UTC

url : hxxp://admlogs25.xyz/s777mx.exe