MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6f926dba86af8a16354de93668c5161973c5b62cbbf803997acd068eaea16648. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SystemBC


Vendor detections: 12


Intelligence 12 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6f926dba86af8a16354de93668c5161973c5b62cbbf803997acd068eaea16648
SHA3-384 hash: fe1f9535f5df32fcd5c509af2017d6b2097957a4a0b18f1f54e2309352fad78e3fb261736a3ee1d605c8088b7b9298b8
SHA1 hash: 606bbb8b0dea392f0674db1b07b4a62110ecfb8b
MD5 hash: 735b318d4a6fb60baec90df8f94116d8
humanhash: november-angel-william-california
File name:735b318d4a6fb60baec90df8f94116d8.exe
Download: download sample
Signature SystemBC
Create hunting rule
File size:254'976 bytes
First seen:2022-09-13 17:45:16 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash bd62f226cfef00bd9f488890ec076456 (1 x SystemBC)
ssdeep 6144:D0DxqvNoBzTle27SquPNxW0EvKjeNb7sGnGtaQQQGs4nzRV:4UvOBzTle27Squ3eCj0mVG9tV
TLSH T193449F20B750D035F1B712F8497A83ACB93E79B15B6495CBA2D42AEE16347E4EC3035B
TrID 40.5% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
17.0% (.SCR) Windows screen saver (13101/52/3)
13.6% (.EXE) Win64 Executable (generic) (10523/12/4)
8.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
6.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
File icon (PE):PE icon
dhash icon c8d8c8c8e0e4a099 (57 x Smoke Loader, 55 x Amadey, 20 x RedLineStealer)
Reporter abuse_ch
Tags:exe SystemBC

Intelligence

File Origin
# of uploads :
1
# of downloads :
281
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/309776/
Detection(s):
Win.Packed.Crypterx-9954995-0
Create hunting rule

Win.Packed.Bandook-9958944-1
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Creating a window
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
67%
Tags:
greyware packed redline smokeloader yakes
Link:
https://www.filescan.io/uploads/6320c21bca434b62337b41f9/reports/2db27f3f-9d51-42b9-9268-143113115806/overview
Result
Verdict:
SUSPICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
SystemBC
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/0344cd34-6588-4933-bc86-ce70fad1c7ef
Result
Threat name:
SystemBC
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1069858
Signature
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found evasive API chain (may stop execution after checking mutex)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May use the Tor software to hide its network traffic
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to detect virtualization through RDTSC time measurements
Yara detected SystemBC
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6f926dba86af8a16354de93668c5161973c5b62cbbf803997acd068eaea16648/
Threat name:
Win32.Ransomware.StopCrypt
Create hunting rule
Status:
Malicious
First seen:
2022-09-13 17:10:30 UTC
File Type:
PE (Exe)
Extracted files:
24
AV detection:
22 of 25 (88.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=n6jg3ougv6fbmnkn5e3grriwdfz4lnrmxp4ahgl2zudi5lvbmzea._file
Verdict:
malicious
Result
Malware family:
systembc
Create hunting rule
Score:
  10/10
Tags:
family:systembc trojan
Link:
https://tria.ge/reports/220913-wcbrsabhhn/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Program crash
Drops file in Windows directory
Executes dropped EXE
SystemBC
Malware Config
C2 Extraction:
146.70.101.80:4001
Verdict:
Unknown
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/8af0c846-05b2-4dd9-85eb-cc1b3ad28e9b
Unpacked files
SH256 hash:
52ba15d631672d977cd59aa37c20929bbaea09d263e5f29d0f7903c62a6b9e32
MD5 hash:
dad7a63822b346e93cad25967f04674b
SHA1 hash:
bcacfc82db546b5c50be7936c757c0a24661b547
Detections:
win_systembc_g0
Create hunting rule
Link:
https://www.unpac.me/results/cad2dfa3-835f-489b-974e-0a5aad930c27/
SH256 hash:
6f926dba86af8a16354de93668c5161973c5b62cbbf803997acd068eaea16648
MD5 hash:
735b318d4a6fb60baec90df8f94116d8
SHA1 hash:
606bbb8b0dea392f0674db1b07b4a62110ecfb8b
Link:
https://www.unpac.me/results/cad2dfa3-835f-489b-974e-0a5aad930c27/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/6f926dba86af8a16354de93668c5161973c5b62cbbf803997acd068eaea16648

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB
Rule name:RansomwareTest4
Create hunting rule
Author:Daoyuan Wu
Description:Test Ransomware YARA rules

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

SystemBC

Executable exe 6f926dba86af8a16354de93668c5161973c5b62cbbf803997acd068eaea16648

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2301794/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/309776/

Comments