MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 595e1545c53d27fb1315e70b241e66f44b28a49be59a717ca4936d167e121470. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



SystemBC


Vendor detections: 11



SHA256 hash: 595e1545c53d27fb1315e70b241e66f44b28a49be59a717ca4936d167e121470
SHA3-384 hash: 47367493d8de6eb510a972f1a22c6c519edb0bcadd6b169acf2e5932393e8975d88c18666dc0617dd850959005c8b3da
SHA1 hash: d6146b6fdf516223735e4e881fa797432dff3923
MD5 hash: 686b40dcb167653cb7a8463928c26af1
humanhash: kitten-fanta-cup-fillet
File name: 686b40dcb167653cb7a8463928c26af1.exe
Signature: SystemBC
File size: 9'923'049 bytes
First seen: 2022-03-09 20:21:27 UTC
Last seen: 2022-03-16 23:42:17 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 5a594319a0d69dbc452e748bcf05892e (21 x ParallaxRAT, 20 x Gh0stRAT, 15 x NetSupport)
ssdeep: 196608:/ylL6Qqq9pc9HG8e+AaO+aIfrFKLZB1ZkezGMr4Del7:/yMQ7Tc9m6FauFKLNZkezGMCeZ
Threatray: 131 similar samples on MalwareBazaar
TLSH: T134A6233BB368713EC4AB4B3249B39250A87B7765A41B8C1E47F4090DCF6A5711F3BA16
dhash icon: b298acbab2ca7a72 (2'327 x GCleaner, 1'631 x Socks5Systemz, 67 x RedLineStealer)
Reporter: abuse_ch
Tags: exe SystemBC


abuse_ch
SystemBC C2:
5.101.78.2:4127

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC | ThreatFox Reference
5.101.78.2:4127 | https://threatfox.abuse.ch/ioc/393334/

Intelligence


File Origin
# of uploads: 3
# of downloads: 240
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict: Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% subdirectories
Creating a window
Creating a process from a recently created file
Creating synchronization primitives
Searching for synchronization primitives
Creating a file in the %AppData% subdirectories
Moving a file to the %AppData% subdirectory
Creating a file
Sending a custom TCP request
Creating a file in the Windows subdirectories
Enabling autorun by creating a file
Result
Malware family: n/a
Score: 6/10
Tags: n/a
Behaviour
MalwareBazaar
CheckNumberOfProcessor
CheckCmdLine
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: control.exe expand.exe overlay packed packed setupapi.dll shell32.dll
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Babadeda SystemBC
Detection: malicious
Classification: troj.evad
Score: 100 / 100
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Detected unpacking (creates a PE file in dynamic memory)
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Obfuscated command line found
Yara detected Babadeda
Yara detected SystemBC
Behaviour
Behavior Graph (ID 586154; sample NBoJCkvcb1.exe, start date 09/03/2022, architecture WINDOWS, score 100). Summary recovered from the graph image text:
Root-node signatures: Malicious sample detected (through community Yara rule); Antivirus detection for dropped file; Antivirus / Scanner detection for submitted sample; 4 other signatures.
NBoJCkvcb1.exe drops C:\Users\user\AppData\...\NBoJCkvcb1.tmp (PE32), triggers "Obfuscated command line found", and starts NBoJCkvcb1.tmp.
NBoJCkvcb1.tmp drops C:\Users\user\AppData\Local\...\_setup64.tmp (PE32+) and starts a second NBoJCkvcb1.exe, which again drops NBoJCkvcb1.tmp (PE32), triggers "Obfuscated command line found", and starts it.
The second NBoJCkvcb1.tmp drops C:\Users\user\AppData\...\is-DAP18.tmp (PE32), C:\Users\user\AppData\...\PDapp.exe (copy) (PE32), C:\Users\user\AppData\...\is-3R6BV.tmp (PNG) and 175 other files (none is malicious), then starts tracegen.exe and PDapp.exe.
tracegen.exe starts conhost.exe.
PDapp.exe connects to 5.101.78.2 port 4127 (local port 49784), ITGRADRU, Russian Federation.
Threat name: Win32.Backdoor.Systembc
Status: Malicious
First seen: 2022-02-23 15:39:35 UTC
File Type: PE (Exe)
Extracted files: 202
AV detection: 25 of 42 (59.52%)
Threat level: 5/5
Result
Malware family: systembc
Score: 10/10
Tags: family:babadeda family:systembc crypter loader trojan
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Windows directory
Checks computer location settings
Loads dropped DLL
Executes dropped EXE
Babadeda
Babadeda Crypter
SystemBC
Malware Config
C2 Extraction:
5.101.78.2:4127
192.53.123.202:4127
Unpacked files
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: MALWARE_Win_EXEPWSH_DLAgent
Author: ditekSHen
Description: Detects SystemBC
Rule name: Sectigo_Code_Signed
Description: Detects code signed by the Sectigo RSA Code Signing CA
Reference: https://bazaar.abuse.ch/export/csv/cscb/
Rule name: Start2_net_bin
Author: James_inthe_box
Description: SystemBC
Reference: 7bd341488dc6f01a6662ac478d67d3cd8211cbf362994355027b5bdf573cc31e
Rule name: Start2_overlap_bin
Author: James_inthe_box
Description: SystemBC
Reference: 7bd341488dc6f01a6662ac478d67d3cd8211cbf362994355027b5bdf573cc31e
Rule name: Start2__bin
Author: James_inthe_box
Description: SystemBC
Reference: 7bd341488dc6f01a6662ac478d67d3cd8211cbf362994355027b5bdf573cc31e
Rule name: SystemBC_Config
Author: @bartblaze
Description: Identifies SystemBC RAT, decrypted config.
Rule name: SystemBC_Socks
Author: @bartblaze
Description: Identifies SystemBC RAT, Socks proxy version.
Rule name: win_systembc_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: Detects win.systembc.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Signature: SystemBC
File: Executable exe 595e1545c53d27fb1315e70b241e66f44b28a49be59a717ca4936d167e121470 (this sample)

Delivery method
Distributed via web download
