MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4dae3b84eeb5e36c144f9fad2f2b06d9e82381cda6b1f043033cf3644f339558. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SystemBC


Vendor detections: 13


Intelligence 13 IOCs YARA 9 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4dae3b84eeb5e36c144f9fad2f2b06d9e82381cda6b1f043033cf3644f339558
SHA3-384 hash: 1c0833ff92264775864d6dc224e971a69488ad621a719c27da0210e01252e4b8d30dd775f30df0329b13eb4dbe3a5966
SHA1 hash: 1aff17b87ff213c1a8f4c8cfe48782e636b6fb32
MD5 hash: 509b68725e595b30fb2f38c8ea2cf9c4
humanhash: mexico-potato-cat-bluebird
File name:config.cpl
Download: download sample
Signature SystemBC
Create hunting rule
File size:1'709'568 bytes
First seen:2023-11-20 13:01:26 UTC
Last seen:2024-03-06 13:33:20 UTC
File type:DLL dll
MIME type:application/x-dosexec
imphash ada2db691d15e230c727b763fa43aa8a (1 x SystemBC)
ssdeep 24576:ejhyCJxQWOSUua9BgsID7yByhWjqcRE4ff6ySznNvWGYbjWfExlpaheDtg3UUag7:GfzUua9h9ERznNeXHWfExzmPLnvh6
Threatray 9 similar samples on MalwareBazaar
TLSH T1CF850203EF1B9EE9E53B9A7E8FA625468B4B36715709B2A728744107F4714008FF3729
TrID 32.2% (.EXE) Win64 Executable (generic) (10523/12/4)
20.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
15.4% (.EXE) Win16 NE executable (generic) (5038/12/1)
13.7% (.EXE) Win32 Executable (generic) (4505/5/1)
6.2% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter JAMESWT_WT
Tags:agenziaentrate cpl dll pedll SystemBC

Intelligence

File Origin
# of uploads :
5
# of downloads :
339
Origin country :
IT IT
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/459307/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Creating a file in the system32 subdirectories
Gathering data
Verdict:
Malicious
Labled as:
Malware
Link:
https://www.hybrid-analysis.com/sample/4dae3b84eeb5e36c144f9fad2f2b06d9e82381cda6b1f043033cf3644f339558
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
SystemBC
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/b6bd2d38-b17a-4044-aa76-1599333d50e7
Result
Threat name:
SystemBC
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
88 / 100
Link:
https://www.joesandbox.com/analysis/1345150
Signature
C2 URLs / IPs found in malware configuration
Found malware configuration
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Yara detected SystemBC
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1345150 Sample: config.cpl.dll Startdate: 20/11/2023 Architecture: WINDOWS Score: 88 31 Snort IDS alert for network traffic 2->31 33 Found malware configuration 2->33 35 Multi AV Scanner detection for submitted file 2->35 37 3 other signatures 2->37 7 loaddll32.exe 1 2->7         started        process3 process4 9 rundll32.exe 7->9         started        12 rundll32.exe 7->12         started        15 cmd.exe 1 7->15         started        17 9 other processes 7->17 dnsIp5 39 System process connects to network (likely due to code injection or exploit) 9->39 29 62.173.140.37, 4001, 49729, 49730 SPACENET-ASInternetServiceProviderRU Russian Federation 12->29 19 rundll32.exe 15->19         started        21 WerFault.exe 22 16 17->21         started        23 WerFault.exe 16 17->23         started        25 WerFault.exe 16 17->25         started        27 3 other processes 17->27 signatures6 process7
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/4dae3b84eeb5e36c144f9fad2f2b06d9e82381cda6b1f043033cf3644f339558
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4dae3b84eeb5e36c144f9fad2f2b06d9e82381cda6b1f043033cf3644f339558/
Threat name:
Win32.Trojan.Malgent
Create hunting rule
Status:
Malicious
First seen:
2023-11-20 12:56:41 UTC
File Type:
PE (Dll)
Extracted files:
1
AV detection:
20 of 23 (86.96%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=jwxdxbhowxrwyfcpt6ws6kyg3huchaonu2y7aqydhtzwitztsvma._file
Verdict:
malicious
Similar samples:
2f120d396f71ff9adb8fe11f0b529e8ddea8355837d955fed83bb0ae2a35de84
SystemBC
4dae3b84eeb5e36c144f9fad2f2b06d9e82381cda6b1f043033cf3644f339558
SystemBC
68d545d1cdef7b43c334287add73189c0498316ba361fd241bc6c89cf6667c8c
SystemBC
f0073027076729ce94bd028e8f50f5ccb1f0184c91680e572580db0110c87a82
SystemBC
f5d83117640be29986b7f0c833dd99b5a18283a39d059ba2547a9ce2e7dc10ad
SystemBC
Result
Malware family:
systembc
Create hunting rule
Score:
  10/10
Tags:
family:systembc trojan
Link:
https://tria.ge/reports/231120-p9r2psga43/
Behaviour
Suspicious use of WriteProcessMemory
Blocklisted process makes network request
SystemBC
Malware Config
C2 Extraction:
62.173.140.37:4001
Unpacked files
SH256 hash:
d328c26f079fa5a0613b197ebad5858799d42ab6e4396fc6feec30c12f7f98fe
MD5 hash:
3c26bb81464d1a2571e238a3988ca6d6
SHA1 hash:
51a84c18c028be064a3a0dfcf9919a91c624ffc8
Detections:
SystemBC
Create hunting rule
win_systembc_auto
Create hunting rule
win_systembc_g0
Create hunting rule
EXT_MAL_SystemBC_Mar22_1
Create hunting rule
win_systembc_20220311
Create hunting rule
Link:
https://www.unpac.me/results/0844d1cf-3dcf-48dc-aa5e-7dc5eabef203/
SH256 hash:
4dae3b84eeb5e36c144f9fad2f2b06d9e82381cda6b1f043033cf3644f339558
MD5 hash:
509b68725e595b30fb2f38c8ea2cf9c4
SHA1 hash:
1aff17b87ff213c1a8f4c8cfe48782e636b6fb32
Link:
https://www.unpac.me/results/0844d1cf-3dcf-48dc-aa5e-7dc5eabef203/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/4dae3b84eeb5e36c144f9fad2f2b06d9e82381cda6b1f043033cf3644f339558

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:command_and_control
Create hunting rule
Author:CD_R0M_
Description:This rule searches for common strings found by malware using C2. Based on a sample used by a Ransomware group
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:EXT_MAL_SystemBC_Mar22_1
Create hunting rule
Author:Thomas Barabosch, Deutsche Telekom Security
Description:Detects unpacked SystemBC module as used by Emotet in March 2022
Reference:https://twitter.com/Cryptolaemus1/status/1502069552246575105
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:meth_peb_parsing
Create hunting rule
Author:Willi Ballenthin
Rule name:Start2_net_bin
Create hunting rule
Author:James_inthe_box
Description:SystemBC
Reference:7bd341488dc6f01a6662ac478d67d3cd8211cbf362994355027b5bdf573cc31e
Rule name:Start2_overlap_bin
Create hunting rule
Author:James_inthe_box
Description:SystemBC
Reference:7bd341488dc6f01a6662ac478d67d3cd8211cbf362994355027b5bdf573cc31e
Rule name:Start2__bin
Create hunting rule
Author:James_inthe_box
Description:SystemBC
Reference:7bd341488dc6f01a6662ac478d67d3cd8211cbf362994355027b5bdf573cc31e
Rule name:win_systembc_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.systembc.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/459307/

Comments