MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6843226fd84ae2ce783119d4ba634e00d10dc6e5374a23d26b42cd0e7e6b18cd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SystemBC


Vendor detections: 8


Intelligence 8 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6843226fd84ae2ce783119d4ba634e00d10dc6e5374a23d26b42cd0e7e6b18cd
SHA3-384 hash: ff2048048b111a89bb6dfdce1cea7f8b0fb2d4311f1b500ac6b5c575205eaaafdf012bc790110186ce1d5d2279e05bc7
SHA1 hash: 17ce33e58167a089b7e4e6c49a362a23364d30de
MD5 hash: 36b9570a14ac21869cad456713714940
humanhash: table-beer-kitten-colorado
File name:36b9570a14ac21869cad456713714940
Download: download sample
Signature SystemBC
Create hunting rule
File size:147'456 bytes
First seen:2021-06-24 01:42:17 UTC
Last seen:2021-06-24 03:19:24 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 1536:xZclJef2EcBMESpQxLoAtRiIAIF8UWHN1AfunMJr:/2WkLziu8Udfuu
Threatray 376 similar samples on MalwareBazaar
TLSH 1DE31E5A20A17059D6934A741E42E9343B14EF385981D109E4F28D2FFF8ABFB78DC8D9
Reporter zbetcheckin
Tags:32 exe SystemBC

Intelligence

File Origin
# of uploads :
2
# of downloads :
113
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
36b9570a14ac21869cad456713714940
Verdict:
Malicious activity
Analysis date:
2021-06-24 01:43:16 UTC
Tags:
trojan
Link:
https://app.any.run/tasks/e523cecd-26e4-4683-a53a-6c93f89d5ed4

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Trojan.Siggen13.63384.31124.7249.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/7ba84415-dcb9-4ce1-b8a6-aaa69a23dde9
Result
Threat name:
Unknown
Detection:
malicious
Classification:
adwa.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/807052
Signature
Adds a directory exclusion to Windows Defender
Antivirus detection for URL or domain
Creates an autostart registry key pointing to binary in C:\Windows
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Hides threads from debuggers
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Modifies the hosts file
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Protects its processes via BreakOnTermination flag
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to evade analysis by execution special instruction which cause usermode exception
Tries to harvest and steal browser information (history, passwords, etc)
Yara detected Costura Assembly Loader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 439462 Sample: 1LkneOZhVf Startdate: 24/06/2021 Architecture: WINDOWS Score: 100 90 Multi AV Scanner detection for domain / URL 2->90 92 Antivirus detection for URL or domain 2->92 94 Multi AV Scanner detection for dropped file 2->94 96 4 other signatures 2->96 9 1LkneOZhVf.exe 21 33 2->9         started        14 rundll32.exe 2->14         started        16 rundll32.exe 2->16         started        process3 dnsIp4 86 apdocroto.gq 104.21.14.60, 49737, 80 CLOUDFLARENETUS United States 9->86 74 C:\Users\user\AppData\...\rfu4zwti.newcfg, UTF-8 9->74 dropped 76 C:\Users\user\AppData\...\qyvrfehm.newcfg, UTF-8 9->76 dropped 78 C:\Users\user\AppData\...\ocrceiny.newcfg, UTF-8 9->78 dropped 80 10 other files (9 malicious) 9->80 dropped 118 Adds a directory exclusion to Windows Defender 9->118 120 Hides threads from debuggers 9->120 122 Injects a PE file into a foreign processes 9->122 18 1LkneOZhVf.exe 6 9->18         started        23 WerFault.exe 9->23         started        25 AdvancedRun.exe 1 9->25         started        31 2 other processes 9->31 27 rundll32.exe 14->27         started        29 rundll32.exe 16->29         started        file5 signatures6 process7 dnsIp8 82 epicgames-nitro.store 199.188.201.33, 443, 49767 NAMECHEAP-NETUS United States 18->82 68 C:\Users\user\AppData\Roaming\client.exe, PE32 18->68 dropped 70 C:\Windows\System32\drivers\etc\hosts, ASCII 18->70 dropped 72 C:\Users\user\AppData\...\1LkneOZhVf.exe.log, ASCII 18->72 dropped 106 Protects its processes via BreakOnTermination flag 18->106 108 Tries to harvest and steal browser information (history, passwords, etc) 18->108 110 Modifies the hosts file 18->110 112 Adds a directory exclusion to Windows Defender 18->112 33 client.exe 18->33         started        37 powershell.exe 5 18->37         started        39 powershell.exe 18->39         started        41 powershell.exe 18->41         started        114 Tries to evade analysis by execution special instruction which cause usermode exception 23->114 43 AdvancedRun.exe 25->43         started        84 65.21.93.53, 4173, 49770, 49773 CP-ASDE United States 27->84 116 System process connects to network (likely due to code injection or exploit) 27->116 46 conhost.exe 31->46         started        48 conhost.exe 31->48         started        50 timeout.exe 1 31->50         started        file9 signatures10 process11 dnsIp12 66 C:\Users\user\AppData\Roaming\valid.sa, PE32 33->66 dropped 98 Multi AV Scanner detection for dropped file 33->98 100 Detected unpacking (changes PE section rights) 33->100 102 Detected unpacking (overwrites its own PE header) 33->102 104 2 other signatures 33->104 52 rundll32.exe 33->52         started        54 cmd.exe 33->54         started        56 conhost.exe 37->56         started        58 conhost.exe 39->58         started        60 conhost.exe 41->60         started        88 192.168.2.1 unknown unknown 43->88 file13 signatures14 process15 process16 62 WerFault.exe 52->62         started        64 conhost.exe 54->64         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6843226fd84ae2ce783119d4ba634e00d10dc6e5374a23d26b42cd0e7e6b18cd/
Threat name:
Win32.Trojan.Tiggre
Create hunting rule
Status:
Malicious
First seen:
2021-06-21 00:38:48 UTC
AV detection:
26 of 46 (56.52%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
003bd2ca89efc808a6f5e607f1d19c2d5ca1d629dfef3f324a9fbea0ce933fd7
SystemBC
1b9311365ac0c371e7e3656d8d9074a654bfff4677e074f754e5053bca200298
SystemBC
a2eaa3485a9efff93e652cb5e3fef2bddaa1e631d2abc258a66f3d3b7f09f3de
SystemBC
a601e754a8af2b3a971c1d124ac92a20631e3d393fba18e66751b5d0bff2b100
SystemBC
c1d31fa7484170247564e89c97cc325d1f317fb8c8efe50e4d126c7881adf499
SystemBC
d28966990ec27ae9250c919dd814cd1862e9e0e6b6f31a5418ab58de8ebe446a
SystemBC
d5ea30279fc37436f63d3c6275aad6a2c8abdcd32e10888200fae3e986cb9626
SystemBC
ee60159a403a0f52899c4b736d4a81cf8a73412e1deb6ffbe06be9e1ca221b82
SystemBC
efdc1489d1024ba19acaa9a86fb0750446896947a563e6d89739254d8250a932
SystemBC
f57aff01f0d6a36bddeb8e7bbf8b33874c47a58d7827399c823424866aee33dd
SystemBC
+ 366 additional samples on MalwareBazaar
Result
Malware family:
systembc
Create hunting rule
Score:
  10/10
Tags:
family:systembc evasion persistence spyware stealer trojan
Link:
https://tria.ge/reports/210624-ebxa3dkb7n/
Behaviour
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Windows directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Adds Run key to start application
Loads dropped DLL
Reads user/profile data of web browsers
Windows security modification
Blocklisted process makes network request
Downloads MZ/PE file
Executes dropped EXE
Nirsoft
Modifies Windows Defender Real-time Protection settings
SystemBC
Turns off Windows Defender SpyNet reporting
Windows security bypass
Malware Config
C2 Extraction:
65.21.93.53:4173
95.216.118.223:4173
Unpacked files
SH256 hash:
6843226fd84ae2ce783119d4ba634e00d10dc6e5374a23d26b42cd0e7e6b18cd
MD5 hash:
36b9570a14ac21869cad456713714940
SHA1 hash:
17ce33e58167a089b7e4e6c49a362a23364d30de
Link:
https://www.unpac.me/results/69aeb3c2-1f3e-45be-9ec4-637e5222780b/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.35
Link:
https://yomi.yoroi.company/submissions/6843226fd84ae2ce783119d4ba634e00d10dc6e5374a23d26b42cd0e7e6b18cd

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

SystemBC

Executable exe 6843226fd84ae2ce783119d4ba634e00d10dc6e5374a23d26b42cd0e7e6b18cd

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1393229/

Comments