MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 44d370f942987d9128b412435dbc50a22566c8fdce819d84568c4c1606c3e466. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SystemBC


Vendor detections: 11


Intelligence 11 IOCs YARA 8 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 44d370f942987d9128b412435dbc50a22566c8fdce819d84568c4c1606c3e466
SHA3-384 hash: ebdec118598b0a245dd3b5bd35bee09303200363ce0bdd417ba99eef9b2c506d4f75666954ab49a0d2b734031b2d50eb
SHA1 hash: ec964c63f84e019da9f3e93dd299a69e89fbcfb5
MD5 hash: 25a370c5900d725fbc40518c41723a31
humanhash: cola-thirteen-cardinal-sink
File name:ss.dll
Download: download sample
Signature SystemBC
Create hunting rule
File size:13'824 bytes
First seen:2022-04-25 19:50:54 UTC
Last seen:Never
File type:DLL dll
MIME type:application/x-dosexec
imphash 15d0b563bda8248b1bc2c80e6e502bc6 (4 x SystemBC)
ssdeep 192:UHlyEnTXZ1eMLfEYzHfdgyVQ0PQ+t4XbLVOOG9bBytrP0:sl/TXZ0MQYzHfdgyy0/8bUOG9b8P
Threatray 156 similar samples on MalwareBazaar
TLSH T16D52F797657084B2C21242703E6F2322847D65B552399015EFE00F5C7F3EB979B22F53
TrID 48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
16.4% (.EXE) Win64 Executable (generic) (10523/12/4)
10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter StefC1993
Tags:backdoor dll Hive Ransomware SystemBC

Intelligence

File Origin
# of uploads :
1
# of downloads :
757
Origin country :
n/a
Vendor Threat Intelligence
Detection:
SystemBC
Create hunting rule
Link:
https://www.capesandbox.com/analysis/266551/
Detection(s):
SecuriteInfo.com.Variant.Graftor.636737.12897.6961.UNOFFICIAL
Create hunting rule

Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Launching a process
Sending a custom TCP request
Creating a file in the system32 directory
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
greyware shell32.dll systembc
Link:
https://www.filescan.io/uploads/6266fbb42f162d9fdf6796cc/reports/370b5ae6-eb1d-4832-b1ac-7b2affcb3b7c/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
SystemBC
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/dc3ad519-2762-4c8d-b39d-5529d64a18f3
Result
Threat name:
SystemBC
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/982731
Signature
Antivirus / Scanner detection for submitted sample
C2 URLs / IPs found in malware configuration
Found malware configuration
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Emotet RunDLL32 Process Creation
Sigma detected: Suspicious Call by Ordinal
System process connects to network (likely due to code injection or exploit)
Yara detected SystemBC
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 615218 Sample: ss.dll Startdate: 25/04/2022 Architecture: WINDOWS Score: 100 23 Sigma detected: Emotet RunDLL32 Process Creation 2->23 25 Found malware configuration 2->25 27 Malicious sample detected (through community Yara rule) 2->27 29 6 other signatures 2->29 7 loaddll32.exe 1 2->7         started        process3 process4 9 rundll32.exe 7->9         started        12 rundll32.exe 7->12         started        15 cmd.exe 1 7->15         started        dnsIp5 31 System process connects to network (likely due to code injection or exploit) 9->31 19 93.115.25.139, 443, 49737, 49745 CHERRYSERVERS1-ASLT Lithuania 12->19 21 127.0.0.1 unknown unknown 12->21 17 rundll32.exe 15->17         started        signatures6 process7
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/44d370f942987d9128b412435dbc50a22566c8fdce819d84568c4c1606c3e466/
Threat name:
Win32.Backdoor.Coroxy
Create hunting rule
Status:
Malicious
First seen:
2022-04-25 10:54:20 UTC
File Type:
PE (Dll)
AV detection:
21 of 26 (80.77%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=itjxb6kctb6zckfucjbv3pcquiswnsh5z2az3bcwrrgbmbwd4rta._file
Verdict:
malicious
Similar samples:
118a7af7d60eaec0d2a880691bcfb39839c181447c9e669e4d093d59e936d7bd
SystemBC
4fb561dbdfd2eac3757e56df1cda954fc4cdbab3da7225ea97ed3a9111ae74e5
SystemBC
683e6f42222caf44fdc3917be95d55a3f2213c5e3f966e33996ecd1f0743197f
SystemBC
6843226fd84ae2ce783119d4ba634e00d10dc6e5374a23d26b42cd0e7e6b18cd
SystemBC
d5ea30279fc37436f63d3c6275aad6a2c8abdcd32e10888200fae3e986cb9626
SystemBC
efdc1489d1024ba19acaa9a86fb0750446896947a563e6d89739254d8250a932
SystemBC
f393d8ab0dad57149651772c1987b77a52c604e8c7b9a5810977079a28e946bb
SystemBC
+ 146 additional samples on MalwareBazaar
Result
Malware family:
systembc
Create hunting rule
Score:
  10/10
Tags:
family:systembc
Link:
https://tria.ge/reports/220425-yks25shdgn/
Behaviour
Suspicious use of WriteProcessMemory
Blocklisted process makes network request
Malware Config
C2 Extraction:
93.115.25.139:443
127.0.0.1:443
Unpacked files
SH256 hash:
44d370f942987d9128b412435dbc50a22566c8fdce819d84568c4c1606c3e466
MD5 hash:
25a370c5900d725fbc40518c41723a31
SHA1 hash:
ec964c63f84e019da9f3e93dd299a69e89fbcfb5
Link:
https://www.unpac.me/results/69a20bf4-8248-42c3-ace6-744c21ca5cd6/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/44d370f942987d9128b412435dbc50a22566c8fdce819d84568c4c1606c3e466

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:EXT_MAL_SystemBC_Mar22_1
Create hunting rule
Author:Thomas Barabosch, Deutsche Telekom Security
Description:Detects unpacked SystemBC module as used by Emotet in March 2022
Reference:https://twitter.com/Cryptolaemus1/status/1502069552246575105
Rule name:MALWARE_Win_EXEPWSH_DLAgent
Create hunting rule
Author:ditekSHen
Description:Detects SystemBC
Rule name:pdb2
Create hunting rule
Rule name:Start2_net_bin
Create hunting rule
Author:James_inthe_box
Description:SystemBC
Reference:7bd341488dc6f01a6662ac478d67d3cd8211cbf362994355027b5bdf573cc31e
Rule name:Start2_overlap_bin
Create hunting rule
Author:James_inthe_box
Description:SystemBC
Reference:7bd341488dc6f01a6662ac478d67d3cd8211cbf362994355027b5bdf573cc31e
Rule name:Start2__bin
Create hunting rule
Author:James_inthe_box
Description:SystemBC
Reference:7bd341488dc6f01a6662ac478d67d3cd8211cbf362994355027b5bdf573cc31e
Rule name:SystemBC_Config
Create hunting rule
Author:@bartblaze
Description:Identifies SystemBC RAT, decrypted config.
Rule name:SystemBC_Socks
Create hunting rule
Author:@bartblaze
Description:Identifies SystemBC RAT, Socks proxy version.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

anyrun
any.run
https://app.any.run/tasks/17da9fb0-b59d-4e98-9c83-ce58f15486f0/
Cape
Cape
https://www.capesandbox.com/analysis/266551/

Comments