MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 42922679f1b1e35f810a82fe3c9554adc522e25a6b8458942c556a7f52983b07. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SystemBC

Vendor detections: 9

Intelligence 9 IOCs YARA 12 File information Comments

SHA256 hash:	42922679f1b1e35f810a82fe3c9554adc522e25a6b8458942c556a7f52983b07
SHA3-384 hash:	a352a682e03641bad7dfa5a7835836e9a53ac9c93cf946a3b23e8ef7987529649ab6c593b9f9a8423a14ddcae808bec1
SHA1 hash:	baf15cdb5b7b6f345934ee79b72fd253e479c732
MD5 hash:	17f161fa336f084079dd715cf02cfcc0
humanhash:	kitten-oregon-london-nevada
File name:	17f161fa336f084079dd715cf02cfcc0.exe
Download:	download sample
Signature	SystemBC Create hunting rule
File size:	304'640 bytes
First seen:	2022-07-16 08:49:09 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep	6144:0W+ZX/idRaeNQynzigbEQhLT0evOfu76:ucR3nzigboeWf
Threatray	2'079 similar samples on MalwareBazaar
TLSH	T19354CF5F6A0C4444DE8C07F2D6B2839C7B546B68F5B7834714B61AE8880BBCF3D569E8
TrID	72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.4% (.EXE) Win64 Executable (generic) (10523/12/4) 6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.4% (.EXE) Win32 Executable (generic) (4505/5/1) 2.0% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):
dhash icon	d292b0b2da36bcbe (11 x AsyncRAT, 7 x Metasploit, 6 x CoinMiner)
Reporter	abuse_ch
Tags:	exe SystemBC

Intelligence

File Origin

# of uploads :

# of downloads :

332

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/291164/

Detection(s):

Win.Trojan.EmbeddedDotNetBinary-9940868-0

Win.Trojan.EmbeddedReversedDLL-9940922-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Сreating synchronization primitives

Launching a process

Creating a process with a hidden window

Creating a file in the %AppData% subdirectories

Creating a file

DNS request

Sending a custom TCP request

Forced shutdown of a system process

Enabling autorun

Unauthorized injection to a system process

Gathering data

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

SystemBC

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/8454ab5c-4347-4ec9-8921-6fb6d12f5b15

Result

Threat name:

Unknown

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1033520

Signature

.NET source code contains potential unpacker

.NET source code contains very large array initializations

Allocates memory in foreign processes

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Creates an undocumented autostart registry key

Encrypted powershell cmdline option found

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Performs DNS queries to domains with low reputation

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Writes to foreign memory regions

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/42922679f1b1e35f810a82fe3c9554adc522e25a6b8458942c556a7f52983b07/

Threat name:

Win32.Trojan.RealProtect

Status:

Malicious

First seen:

2022-07-15 20:47:33 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

27 of 39 (69.23%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=ikjcm6prwhrv7aikql7dzfkuvxcsfys2nocfrfbmkvvh6uuyhmdq._file

Verdict:

malicious

SystemBC

44d370f942987d9128b412435dbc50a22566c8fdce819d84568c4c1606c3e466

SystemBC

9c069b3043b757ab5e67889b9f2820758ddb92823bf91678182d6386a16fd5ea

SystemBC

af6b1e2eb748f48a5e7b6a68301b0616a8a4e79845e17df2c9712caec453359a

SystemBC

f393d8ab0dad57149651772c1987b77a52c604e8c7b9a5810977079a28e946bb

SystemBC

+ 2'069 additional samples on MalwareBazaar

Result

Malware family:

systembc

Score:

10/10

Tags:

family:systembc persistence trojan

Link:

https://tria.ge/reports/220716-krmxtaaga3/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of SetThreadContext

Checks computer location settings

Modifies WinLogon for persistence

SystemBC

Malware Config

C2 Extraction:

onionnkfuzyzbu.xyz:4193
onionnkfuzyzbu2.xyz:4193

Unpacked files

SH256 hash:

6c9314e5ed0354d126239d6d40fe7d62ce55e3d4bcb6c31cec697140127df791

MD5 hash:

34dc6942b3621e631608c2e8318ce0f4

SHA1 hash:

b1ecb2ceecce5e970f8ef708c29c88badc75debe

Link:

https://www.unpac.me/results/37770f17-98b3-4a0d-bd80-36bee05209a1/

SH256 hash:

68a8e47143b0d8e1a105cf8db7ffa0cc6c67c5bb79357d70378bfb393ad70fc8

MD5 hash:

1c6cbdcb356ee612e1097bf6bad9aaa5

SHA1 hash:

53f531ad133732cfedd6a0887d970ef99bcc81ea

Link:

https://www.unpac.me/results/37770f17-98b3-4a0d-bd80-36bee05209a1/

SH256 hash:

42922679f1b1e35f810a82fe3c9554adc522e25a6b8458942c556a7f52983b07

MD5 hash:

17f161fa336f084079dd715cf02cfcc0

SHA1 hash:

baf15cdb5b7b6f345934ee79b72fd253e479c732

Link:

https://www.unpac.me/results/37770f17-98b3-4a0d-bd80-36bee05209a1/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

SystemBC

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/42922679f1b1e35f810a82fe3c9554adc522e25a6b8458942c556a7f52983b07

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	command_and_control Create hunting rule
Author:	CD_R0M_
Description:	This rule searches for common strings found by malware using C2. Based on a sample used by a Ransomware group

Rule name:	EXT_MAL_SystemBC_Mar22_1 Create hunting rule
Author:	Thomas Barabosch, Deutsche Telekom Security
Description:	Detects unpacked SystemBC module as used by Emotet in March 2022
Reference:	https://twitter.com/Cryptolaemus1/status/1502069552246575105

Rule name:	MALWARE_Win_EXEPWSH_DLAgent Create hunting rule
Author:	ditekSHen
Description:	Detects SystemBC

Rule name:	meth_peb_parsing Create hunting rule
Author:	Willi Ballenthin

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	Start2__bin Create hunting rule
Author:	James_inthe_box
Description:	SystemBC
Reference:	7bd341488dc6f01a6662ac478d67d3cd8211cbf362994355027b5bdf573cc31e

Rule name:	SUSP_Reverse_DOS_header Create hunting rule
Author:	SECUINFRA Falcon Team
Description:	Detects an reversed DOS header

Rule name:	SystemBC_Socks Create hunting rule
Author:	@bartblaze
Description:	Identifies SystemBC RAT, Socks proxy version.

Rule name:	Typical_Malware_String_Transforms Create hunting rule
Author:	Florian Roth
Description:	Detects typical strings in a reversed or otherwise modified form
Reference:	Internal Research

Rule name:	Typical_Malware_String_Transforms_RID3473 Create hunting rule
Author:	Florian Roth
Description:	Detects typical strings in a reversed or otherwise modified form
Reference:	Internal Research