MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4406711113df2e32ba7a4d0ca3befc8f2572646d6b48e494fd42633fed60e328. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SystemBC


Vendor detections: 16


Intelligence 16 IOCs YARA 10 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4406711113df2e32ba7a4d0ca3befc8f2572646d6b48e494fd42633fed60e328
SHA3-384 hash: e7e4b47bdbc6d44f6d3bea4cb7143533b7d1ead510d5dc7bc90bf253253e4ac575c2cb1620ec3a591262522e8b9d5b67
SHA1 hash: ecfa050c622f9a8937c241f4612b18e71a10b37f
MD5 hash: 00e2db89532040c67ffd107ce99200ff
humanhash: west-violet-august-orange
File name:file
Download: download sample
Signature SystemBC
Create hunting rule
File size:269'824 bytes
First seen:2023-06-05 20:47:22 UTC
Last seen:2023-06-08 20:31:04 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash a52b903201b2b26f84fa5c505e01f1fe (1 x ArkeiStealer, 1 x RedLineStealer, 1 x Smoke Loader)
ssdeep 3072:BgU/XdoE8Rk3EXyEx6lnortV5sEqirdUkx+uzyHvP0AwpRPfMvgpm9jDQi9j0dUR:WUVogdlqP5SLyyEVRPfMJQiUA
Threatray 204 similar samples on MalwareBazaar
TLSH T11E445C0372E07C60E6264B328E2ED6F8761EFD518F5577EB2655AE2F09B01A1C332706
TrID 37.3% (.EXE) Win64 Executable (generic) (10523/12/4)
17.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
16.0% (.EXE) Win32 Executable (generic) (4505/5/1)
7.3% (.ICL) Windows Icons Library (generic) (2059/9)
7.2% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon 2598a4a4a684d800 (1 x SystemBC)
Reporter andretavare5
Tags:exe SystemBC


Avatar
andretavare5
Sample downloaded from https://vk.com/doc228185173_661078716?hash=fR8Y3dwUvZDkMvUDX8clcbkCTeX7IdXIYDHsC1ChpuT&dl=sBFzxs5zR66u9Rl5S7Tq6iZXaBlBpREXnkTKkFBy4iw&api=1&no_preview=1#insteu

Intelligence

File Origin
# of uploads :
3
# of downloads :
325
Origin country :
US US
Vendor Threat Intelligence
Malware family:
systembc
Create hunting rule
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2023-06-05 20:48:34 UTC
Tags:
systembc trojan
Link:
https://app.any.run/tasks/f0c873f5-50bd-4c27-8409-88fe23dfe275

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
SystemBC
Create hunting rule
Link:
https://www.capesandbox.com/analysis/395908/
Detection(s):
Win.Trojan.Zusy-10003640-0
Create hunting rule

Win.Dropper.Tofsee-10003650-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Creating a window
Creating a file
Searching for synchronization primitives
Sending a custom TCP request
Launching the default Windows debugger (dwwin.exe)
Enabling autorun by creating a file
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/89501/overview
Behaviour
MalwareBazaar
SystemUptime
MeasuringTime
CheckCmdLine
EvasionQueryPerformanceCounter
EvasionGetTickCount
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
coroxy greyware packed
Link:
https://www.filescan.io/uploads/647e4a027cbe61e35d88665b/reports/439ab9ee-c484-47c4-90e5-69e10ac20c8d/overview
Verdict:
Malicious
Labled as:
Zusy.Generic
Link:
https://www.hybrid-analysis.com/sample/4406711113df2e32ba7a4d0ca3befc8f2572646d6b48e494fd42633fed60e328
Malware family:
SystemBC
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/d02e6d88-56d8-4525-a3e8-e4ccfbfeb2f8
Result
Threat name:
SystemBC
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1249134
Signature
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found evasive API chain (may stop execution after checking mutex)
Found malware configuration
Hides threads from debuggers
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Tries to detect virtualization through RDTSC time measurements
Yara detected SystemBC
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 882154 Sample: file.exe Startdate: 05/06/2023 Architecture: WINDOWS Score: 100 45 Snort IDS alert for network traffic 2->45 47 Found malware configuration 2->47 49 Malicious sample detected (through community Yara rule) 2->49 51 5 other signatures 2->51 8 ucsxxb.exe 61 2->8         started        11 file.exe 1 2->11         started        13 file.exe 2 2->13         started        17 GoogleUpdateBroker.exe 2->17         started        process3 dnsIp4 55 Antivirus detection for dropped file 8->55 57 Multi AV Scanner detection for dropped file 8->57 59 Detected unpacking (changes PE section rights) 8->59 19 notepad.exe 8->19         started        61 Detected unpacking (overwrites its own PE header) 11->61 63 Found evasive API chain (may stop execution after checking mutex) 11->63 65 Tries to detect virtualization through RDTSC time measurements 11->65 43 104.140.245.39, 49693, 80 EONIX-COMMUNICATIONS-ASBLOCK-62904US United States 13->43 31 C:\Users\user\AppData\Local\Temp\ucsxxb.exe, PE32 13->31 dropped file5 signatures6 process7 file8 29 tmpBBEF.tmp (copy), PE32 19->29 dropped 53 Hides threads from debuggers 19->53 23 chrome.exe 3 19->23         started        signatures9 process10 dnsIp11 33 192.168.2.1 unknown unknown 23->33 35 239.255.255.250 unknown Reserved 23->35 26 chrome.exe 23->26         started        process12 dnsIp13 37 ip-api.com 208.95.112.1, 49707, 80 TUT-ASUS United States 26->37 39 www.google.com 142.250.203.100, 443, 49698, 49699 GOOGLEUS United States 26->39 41 3 other IPs or domains 26->41
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4406711113df2e32ba7a4d0ca3befc8f2572646d6b48e494fd42633fed60e328/
Threat name:
Win32.Trojan.Smokeloader
Create hunting rule
Status:
Malicious
First seen:
2023-06-05 15:16:52 UTC
File Type:
PE (Exe)
Extracted files:
49
AV detection:
24 of 24 (100.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=iqdhceit34xdfot2jugkhpx4r4sxezdnnneojfh5ijrt73la4mua._file
Verdict:
malicious
Similar samples:
330690fd9d001e63f7aa537a28d326e7ffcd61d59ba140a637337ccad1cafb52
SystemBC
4246b1740af95e953c8010a6d99c0ab72622b892bc1dbb955eec4067d90d7763
SystemBC
8817f064ee6e9e39d30482db0289a1e270ccd8ee0b72ea7283da1d9ae565546b
SystemBC
8a9dcfef5506262a93ee5962940caaad00e2a1d2e39a5023f901f74383a7b5c2
SystemBC
d94e02cfb25da71355a6d85538a24374c050962c4e027eaae2e230fe52514e2a
SystemBC
e2cc138b0051fc6d2dce76941e2190d964c51754dac13705f63dad2941ccbba7
SystemBC
+ 194 additional samples on MalwareBazaar
Result
Malware family:
systembc
Create hunting rule
Score:
  10/10
Tags:
family:systembc trojan
Link:
https://tria.ge/reports/230605-zleftabd2z/
Behaviour
Suspicious use of WriteProcessMemory
Program crash
Drops file in Windows directory
Unexpected DNS network traffic destination
SystemBC
Malware Config
C2 Extraction:
23.95.44.228:53
Unpacked files
SH256 hash:
6559704c3fb4104df6dbc4a32fcebc39865aa40810b34737a3a47b8f7efad361
MD5 hash:
cc3108aca953e51db8e0eed257ed5be5
SHA1 hash:
e951d86a6aec0071533ab1a2264203c8bebbe6c1
Detections:
SystemBC
Create hunting rule
Link:
https://www.unpac.me/results/34172dff-d623-42e0-b53b-d42f06e1f1d9/
SH256 hash:
4406711113df2e32ba7a4d0ca3befc8f2572646d6b48e494fd42633fed60e328
MD5 hash:
00e2db89532040c67ffd107ce99200ff
SHA1 hash:
ecfa050c622f9a8937c241f4612b18e71a10b37f
Link:
https://www.unpac.me/results/34172dff-d623-42e0-b53b-d42f06e1f1d9/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Tinba
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/4406711113df2e32ba7a4d0ca3befc8f2572646d6b48e494fd42633fed60e328

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:command_and_control
Create hunting rule
Author:CD_R0M_
Description:This rule searches for common strings found by malware using C2. Based on a sample used by a Ransomware group
Rule name:EXT_MAL_SystemBC_Mar22_1
Create hunting rule
Author:Thomas Barabosch, Deutsche Telekom Security
Description:Detects unpacked SystemBC module as used by Emotet in March 2022
Reference:https://twitter.com/Cryptolaemus1/status/1502069552246575105
Rule name:MALWARE_Win_EXEPWSH_DLAgent
Create hunting rule
Author:ditekSHen
Description:Detects SystemBC
Rule name:meth_peb_parsing
Create hunting rule
Author:Willi Ballenthin
Rule name:Start2_net_bin
Create hunting rule
Author:James_inthe_box
Description:SystemBC
Reference:7bd341488dc6f01a6662ac478d67d3cd8211cbf362994355027b5bdf573cc31e
Rule name:Start2_overlap_bin
Create hunting rule
Author:James_inthe_box
Description:SystemBC
Reference:7bd341488dc6f01a6662ac478d67d3cd8211cbf362994355027b5bdf573cc31e
Rule name:Start2__bin
Create hunting rule
Author:James_inthe_box
Description:SystemBC
Reference:7bd341488dc6f01a6662ac478d67d3cd8211cbf362994355027b5bdf573cc31e
Rule name:SystemBC_Config
Create hunting rule
Author:@bartblaze
Description:Identifies SystemBC RAT, decrypted config.
Rule name:SystemBC_Socks
Create hunting rule
Author:@bartblaze
Description:Identifies SystemBC RAT, Socks proxy version.
Rule name:Windows_Trojan_Smokeloader_3687686f
Create hunting rule
Author:Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Dropped by
PrivateLoader
  
Delivery method
Distributed via drive-by
Cape
Cape
https://www.capesandbox.com/analysis/395908/

Comments