MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 68e2640e9540d30dfd36bd933d80e85cc487d8be9079ad104c6a845cf6188ffc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SystemBC


Vendor detections: 9


Intelligence 9 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 68e2640e9540d30dfd36bd933d80e85cc487d8be9079ad104c6a845cf6188ffc
SHA3-384 hash: 43d69e544e742fddb7224eec489fa568abf7e86c5112c370ba8331aaf76dd32be137c57fc7107c350232c6595ed5dc7e
SHA1 hash: 277ba6e8300707ef32804deae81bb3be5b5177d5
MD5 hash: c3dcce36c1c85ee15fb46a6b7b5a6abe
humanhash: venus-vermont-kilo-india
File name:c3dcce36c1c85ee15fb46a6b7b5a6abe.exe
Download: download sample
Signature SystemBC
Create hunting rule
File size:142'848 bytes
First seen:2020-12-24 16:39:22 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 4c80880af49f1b0ff76481600f39bc3c (2 x SystemBC)
ssdeep 3072:8MshuDzxveNuCRcoMSJ+yQ/wZcBMETle:8GINirI+FYc9xe
Threatray 667 similar samples on MalwareBazaar
TLSH 5BD37C25B7A2F036F0A3257058B9C3B19E2BBC725B7449CB235416AA1E332C15FB6753
Reporter abuse_ch
Tags:exe SystemBC

Intelligence

File Origin
# of uploads :
1
# of downloads :
421
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
c3dcce36c1c85ee15fb46a6b7b5a6abe.exe
Verdict:
Malicious activity
Analysis date:
2020-12-24 16:43:43 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/9cb3e813-7f67-4999-9cd3-9eeda0404f9e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/109390/
Detection(s):
Win.Dropper.Glupteba-9622151-0
Create hunting rule

Win.Dropper.Glupteba-9622152-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Creating a file
Creating a process from a recently created file
Creating a process with a hidden window
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Enabling autorun by creating a file
Sending an HTTP GET request to an infection source
Result
Verdict:
8
Result
Threat name:
SmokeLoader
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/569839
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Binary contains a suspicious time stamp
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to inject code into remote processes
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
May use the Tor software to hide its network traffic
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Renames NTDLL to bypass HIPS
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected SmokeLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 333978 Sample: LmlSW3qU2x.exe Startdate: 24/12/2020 Architecture: WINDOWS Score: 100 37 Antivirus detection for URL or domain 2->37 39 Antivirus / Scanner detection for submitted sample 2->39 41 Multi AV Scanner detection for submitted file 2->41 43 6 other signatures 2->43 6 rmffb.exe 2->6         started        9 ngumohc.exe 2 2->9         started        13 LmlSW3qU2x.exe 4 2->13         started        15 rmffb.exe 2->15         started        process3 dnsIp4 51 Multi AV Scanner detection for dropped file 6->51 53 Machine Learning detection for dropped file 6->53 55 Contains functionality to inject code into remote processes 6->55 17 rmffb.exe 1 6->17         started        31 51.15.206.72, 49750, 49752, 49753 OnlineSASFR France 9->31 33 pzfdmserv275.xyz 78.47.43.35, 4044, 49719, 49728 HETZNER-ASDE Germany 9->33 35 9 other IPs or domains 9->35 25 C:\Windows\Temp\rmffb.exe, PE32 9->25 dropped 57 Antivirus detection for dropped file 9->57 59 Detected unpacking (changes PE section rights) 9->59 61 Detected unpacking (overwrites its own PE header) 9->61 27 C:\ProgramData\pxlm\ngumohc.exe, PE32 13->27 dropped 29 C:\...\ngumohc.exe:Zone.Identifier, ASCII 13->29 dropped 63 Tries to detect virtualization through RDTSC time measurements 13->63 65 Injects a PE file into a foreign processes 15->65 21 rmffb.exe 15->21         started        file5 signatures6 process7 file8 23 C:\Windows\Temp\D47F.tmp, PE32 17->23 dropped 45 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 17->45 47 Renames NTDLL to bypass HIPS 17->47 49 Checks if the current machine is a virtual machine (disk enumeration) 17->49 signatures9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/68e2640e9540d30dfd36bd933d80e85cc487d8be9079ad104c6a845cf6188ffc/
Threat name:
Win32.Trojan.Variadic
Create hunting rule
Status:
Malicious
First seen:
2020-12-15 03:07:56 UTC
AV detection:
25 of 29 (86.21%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ndrgiduvidjq37jwxwjt3ahiltcipwf6sb422ecmnkcfz5qyr76a._file
Verdict:
malicious
Similar samples:
1c8ed4600279d1f7c32c1e4b16f8bcdf6f4210fdd550ba96b5a8327dde66858c
SystemBC
2000a32ad4e07b435995d624b4406ed34700f0754040a36ad3bbc8190f9c9495
SystemBC
20354da385cfab5a5c82e9b8398becf43eba43b93b48f97a64b4560a04a2012b
SystemBC
22d381feb748820ad07b312c2d6c9d82330b380fbf1676c82146f228d493d944
SystemBC
2c266a9a9c74705680c09276003465f35878052e5d0f6d9c79383a31aed6822e
SystemBC
300561b8b812887e0b6b18b460565cf888d65b01c6924bb95b5d318d9cfeb064
SystemBC
328a9feae3fd831a9ce6fcdf8fa5a637f0a5a567d6f004576b479c7e2756d1d1
SystemBC
4968c1a61bd272a3bb74e079037d7cdee1c9ce824de407ceeb384b2fb107450b
SystemBC
b6129e3a5c30c44c577a5e3f64e2cd08d5faaaa776ec1866912b90dff5aa0493
SystemBC
f7fa245bde0a4d482ee5164097fc98d55e27beced21aae0199b1b1dfb367b753
SystemBC
+ 657 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
upx
Link:
https://tria.ge/reports/201224-fcq6yfjghx/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Checks SCSI registry key(s)
Drops file in Windows directory
Suspicious use of SetThreadContext
Looks up external IP address via web service
Loads dropped DLL
Executes dropped EXE
UPX packed file
Unpacked files
SH256 hash:
68e2640e9540d30dfd36bd933d80e85cc487d8be9079ad104c6a845cf6188ffc
MD5 hash:
c3dcce36c1c85ee15fb46a6b7b5a6abe
SHA1 hash:
277ba6e8300707ef32804deae81bb3be5b5177d5
Link:
https://www.unpac.me/results/4630e3c0-948e-44ee-9c48-df95402f0277/
SH256 hash:
687f7f3365327697651f3b843d2db0973886a1d1d23d1ea6fd542ed5f9050f9c
MD5 hash:
8428d75d780c86a6418c362ef49f00d8
SHA1 hash:
7ee543289f7c433fc46ba1a0f6b574c0b223241d
Detections:
win_systembc_g0
Create hunting rule
win_systembc_auto
Create hunting rule
Link:
https://www.unpac.me/results/4630e3c0-948e-44ee-9c48-df95402f0277/
Parent samples :
68e2640e9540d30dfd36bd933d80e85cc487d8be9079ad104c6a845cf6188ffc
f0af14253369d0a612f51279338025c718f596020c3232cb62cdf91c14c40996
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/68e2640e9540d30dfd36bd933d80e85cc487d8be9079ad104c6a845cf6188ffc

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:win_systembc_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/109390/

Comments