MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5ff19009b6f29952af3ad9e7edf22377abbdca476b9bb945f1b3b057c8b84e3a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SystemBC

Vendor detections: 14

Intelligence 14 IOCs YARA 17 File information Comments

SHA256 hash:	5ff19009b6f29952af3ad9e7edf22377abbdca476b9bb945f1b3b057c8b84e3a
SHA3-384 hash:	0a306ae2f6db30225e00c6db7ca607674a31fe393c012e883a192eced25185bbfbf114b65e86fd501d07273e94550676
SHA1 hash:	0154b6d842f48eb715e11856d3c7f5e92dba9384
MD5 hash:	96a3ea4bc09bba5437ef00c758924cae
humanhash:	red-timing-nebraska-october
File name:	96A3EA4BC09BBA5437EF00C758924CAE.exe
Download:	download sample
Signature	SystemBC Create hunting rule
File size:	469'064 bytes
First seen:	2023-12-09 17:45:20 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep	6144:tk5byxHPnZaCHWWjjnnhUNeX0BmHbHTLNMT9wRUMXFLpmEJyMQxVGGGGGGGGHGG3:5xvnZaCHW+nhUNQSwbHFMx0UQtx2b
Threatray	1'061 similar samples on MalwareBazaar
TLSH	T14AA4AF17BB57C6A1CA461B37C5EB57001770E9A2B5B3D70F388A2AE729037B6DD80187
TrID	71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.2% (.EXE) Win64 Executable (generic) (10523/12/4) 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.3% (.EXE) Win32 Executable (generic) (4505/5/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):
dhash icon	4a696ddce4f4f261 (26 x Gozi, 9 x AgentTesla, 3 x FFDroider)
Reporter	abuse_ch
Tags:	exe SystemBC

abuse_ch

SystemBC C2:
5.161.74.235:4001

Intelligence

File Origin

# of uploads :

# of downloads :

322

Origin country :

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/464032/

Detection(s):

Win.Trojan.EmbeddedDotNetBinary-9940868-0

Win.Trojan.EmbeddedReversedDLL-9940922-0

Win.Trojan.Generic-10014419-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Using the Windows Management Instrumentation requests

Sending a custom TCP request

Creating a file

Unauthorized injection to a recently created process

Restart of the analyzed sample

Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

overlay packed stealer

Link:

https://www.filescan.io/uploads/6574a7db3f60a810348d524b/reports/6f4a6852-e01a-45c7-a1e3-56f66ec4f9b8/overview

Verdict:

Malicious

Labled as:

MSILHeracles.Generic

Link:

https://www.hybrid-analysis.com/sample/5ff19009b6f29952af3ad9e7edf22377abbdca476b9bb945f1b3b057c8b84e3a

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

CinaRAT

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/27111eee-7fc5-434e-977d-b03ef7675651

Result

Threat name:

PureLog Stealer, SystemBC

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1356967

Signature

.NET source code contains potential unpacker

C2 URLs / IPs found in malware configuration

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Found malware configuration

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Yara detected Costura Assembly Loader

Yara detected PureLog Stealer

Yara detected SystemBC

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/5ff19009b6f29952af3ad9e7edf22377abbdca476b9bb945f1b3b057c8b84e3a

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/5ff19009b6f29952af3ad9e7edf22377abbdca476b9bb945f1b3b057c8b84e3a/

Threat name:

Win32.Trojan.AveMariaRAT

Status:

Malicious

First seen:

2023-12-07 09:03:32 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

18 of 23 (78.26%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=l7yzacnw6kmvflz23ht634rdo6v33sshnon3srprwoyfpsfyjy5a._file

Verdict:

malicious

SystemBC

5ff19009b6f29952af3ad9e7edf22377abbdca476b9bb945f1b3b057c8b84e3a

SystemBC

66f34a1f996f03fa16851cd050547e352a49dfa96950579b1f69cb32a39485df

SystemBC

759b94a671a1e57260b57ec15d92fbe87dbb705a92c485b39fb9f4a11c1b1d91

SystemBC

f33f7b39549696d664e95036d69d5e63f825eccfcf483ec984991aba24fca303

SystemBC

+ 1'051 additional samples on MalwareBazaar

Result

Malware family:

systembc

Score:

10/10

Tags:

family:systembc persistence trojan

Link:

https://tria.ge/reports/231209-wb98ysbce7/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Adds Run key to start application

SystemBC

Malware Config

C2 Extraction:

wprogs.top:4001
leadsoftware.top:4001

Unpacked files

SH256 hash:

f2fb4371a22562fd33b50f8edad14be18a6848a32e258679aa118379fd159a37

MD5 hash:

8326f02373b95387353cbc92cadd05b3

SHA1 hash:

d7c30ef87def6ebc62c4b4a3126292a67a1a0190

Link:

https://www.unpac.me/results/417cd84c-2515-4446-9be0-ae7b4e5d027c/

SH256 hash:

fc1fdd094f96087625622976ba516b628621d4dfadf2fc84014165348d7b391b

MD5 hash:

7e00a3312af9dcea8ac93442010f699b

SHA1 hash:

a487c72dd49ed5a699e9b75ea04d6091a5476c66

Detections:

INDICATOR_EXE_Packed_SmartAssembly

Link:

https://www.unpac.me/results/417cd84c-2515-4446-9be0-ae7b4e5d027c/

SH256 hash:

29be43cd6270b87ae0ad22b5b37bc0b382d9aba573c730241514db9f593d17f0

MD5 hash:

9d05640c57b6fdb839acffbfb60950ea

SHA1 hash:

74993d4761f86922587e640dbe26b83f91357ae7

Link:

https://www.unpac.me/results/417cd84c-2515-4446-9be0-ae7b4e5d027c/

SH256 hash:

598aa2b9e4ae69a59235a2e0972a578de51f31ef42ea80a0878e281c67a1dda5

MD5 hash:

8c84399345fa878f1725c3bf9ba1ba71

SHA1 hash:

39a2ed21a4bae5bad0f9585ff730aaf619d6145f

Link:

https://www.unpac.me/results/417cd84c-2515-4446-9be0-ae7b4e5d027c/

SH256 hash:

5ff19009b6f29952af3ad9e7edf22377abbdca476b9bb945f1b3b057c8b84e3a

MD5 hash:

96a3ea4bc09bba5437ef00c758924cae

SHA1 hash:

0154b6d842f48eb715e11856d3c7f5e92dba9384

Detections:

Typical_Malware_String_Transforms

Link:

https://www.unpac.me/results/417cd84c-2515-4446-9be0-ae7b4e5d027c/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/5ff19009b6f29952af3ad9e7edf22377abbdca476b9bb945f1b3b057c8b84e3a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	BitcoinAddress Create hunting rule
Author:	Didier Stevens (@DidierStevens)
Description:	Contains a valid Bitcoin address

Rule name:	command_and_control Create hunting rule
Author:	CD_R0M_
Description:	This rule searches for common strings found by malware using C2. Based on a sample used by a Ransomware group

Rule name:	EXT_MAL_SystemBC_Mar22_1 Create hunting rule
Author:	Thomas Barabosch, Deutsche Telekom Security
Description:	Detects unpacked SystemBC module as used by Emotet in March 2022
Reference:	https://twitter.com/Cryptolaemus1/status/1502069552246575105

Rule name:	maldoc_find_kernel32_base_method_1 Create hunting rule
Author:	Didier Stevens (https://DidierStevens.com)

Rule name:	meth_peb_parsing Create hunting rule
Author:	Willi Ballenthin

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	PE_Digital_Certificate Create hunting rule
Author:	albertzsigovits

Rule name:	pe_imphash Create hunting rule

Rule name:	PE_Potentially_Signed_Digital_Certificate Create hunting rule
Author:	albertzsigovits

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	Start2_net_bin Create hunting rule
Author:	James_inthe_box
Description:	SystemBC
Reference:	7bd341488dc6f01a6662ac478d67d3cd8211cbf362994355027b5bdf573cc31e

Rule name:	Start2_overlap_bin Create hunting rule
Author:	James_inthe_box
Description:	SystemBC
Reference:	7bd341488dc6f01a6662ac478d67d3cd8211cbf362994355027b5bdf573cc31e

Rule name:	Start2__bin Create hunting rule
Author:	James_inthe_box
Description:	SystemBC
Reference:	7bd341488dc6f01a6662ac478d67d3cd8211cbf362994355027b5bdf573cc31e

Rule name:	SUSP_Reverse_DOS_header Create hunting rule
Author:	SECUINFRA Falcon Team
Description:	Detects an reversed DOS header

Rule name:	Typical_Malware_String_Transforms Create hunting rule
Author:	Florian Roth (Nextron Systems)
Description:	Detects typical strings in a reversed or otherwise modified form
Reference:	Internal Research

Rule name:	Typical_Malware_String_Transforms_RID3473 Create hunting rule
Author:	Florian Roth
Description:	Detects typical strings in a reversed or otherwise modified form
Reference:	Internal Research

Rule name:	win_systembc_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.systembc.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/464032/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample