MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 77eb3eb81fb496c86ee1578e57ac0251e38540613a3a5a0d5f3d362fa81a693f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SystemBC
Vendor detections: 9

SHA256 hash: 77eb3eb81fb496c86ee1578e57ac0251e38540613a3a5a0d5f3d362fa81a693f
SHA3-384 hash: 3386813c8e3a39886d943f9be90bff869b7f4343dcfc945b7974b4fb4959a4fc99502705841fb467b74af9f274395042
SHA1 hash: 878bb73586db91ab9867d4bda793377eff1344a1
MD5 hash: 9ff723d163e9396f0864cdb77508e8f3
humanhash: violet-zebra-bacon-november
File name: 9ff723d163e9396f0864cdb77508e8f3.exe
Signature: SystemBC
File size: 417'936 bytes
First seen: 2023-01-22 17:11:24 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 1f953e4227084ccbf861a9e44f102285 (1 x SystemBC)
ssdeep: 3072:9Fs0W8pkw2l2GbTnK4I/qvk4j7/2oDnbA6I9Drxi6NxTY9qo+v5YF4WqH+:9rZpkT2GXnY/qvk4Wqn3win97++
Threatray: 16'619 similar samples on MalwareBazaar
TLSH: T18E9419E61EB4D122F2704D7857D418A7E26EFE632827865B31443F1D1B72CD2C8B6276
TrID: 46.8% (.OCX) Windows ActiveX control (116521/4/18)
      33.0% (.EXE) Win32 Executable Microsoft Visual Basic 6 (82067/2/8)
      5.2% (.SCR) Windows screen saver (13097/50/3)
      4.2% (.EXE) Win64 Executable (generic) (10523/12/4)
      2.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
dhash icon: 66caae06a606acc8 (1 x SystemBC)
Reporter: abuse_ch
Tags: exe SystemBC
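Before working on a downloaded copy of this sample, check that the bytes on disk are the ones the entry describes. The Python below is an added example, not MalwareBazaar's own code: it recomputes the digests from the entry that the standard library can produce (SHA256, SHA3-384, SHA1, MD5), checks the file size, and lists every mismatch. The expected values are the ones listed above; imphash, ssdeep and TLSH need third-party libraries (pefile, ssdeep, python-tlsh) and are left out. The `b"abc"` fallback input is a constructed stand-in so the script runs offline.

```python
import hashlib
import sys
from pathlib import Path

# Digests and size copied from the MalwareBazaar entry above, keyed by hashlib algorithm name.
ENTRY_HASHES = {
    "sha256": "77eb3eb81fb496c86ee1578e57ac0251e38540613a3a5a0d5f3d362fa81a693f",
    "sha3_384": "3386813c8e3a39886d943f9be90bff869b7f4343dcfc945b7974b4fb4959a4fc99502705841fb467b74af9f274395042",
    "sha1": "878bb73586db91ab9867d4bda793377eff1344a1",
    "md5": "9ff723d163e9396f0864cdb77508e8f3",
}
ENTRY_SIZE = 417936


def fingerprint(data):
    """Return the stdlib-computable digests of `data`, keyed like ENTRY_HASHES."""
    return {name: hashlib.new(name, data).hexdigest() for name in ENTRY_HASHES}


def verify(data, expected=ENTRY_HASHES, size=ENTRY_SIZE):
    """Return a list of mismatch descriptions; an empty list means `data` matches the entry."""
    problems = []
    if size is not None and len(data) != size:
        problems.append(f"size: got {len(data)} bytes, entry says {size}")
    got = fingerprint(data)
    for name, want in expected.items():
        # Entries are hex; compare case-insensitively so copy/pasted uppercase hashes still match.
        if got[name] != want.lower():
            problems.append(f"{name}: got {got[name]}, entry says {want}")
    return problems


if __name__ == "__main__":
    # Usage: pass the downloaded file's path; with no argument a constructed stand-in is hashed.
    path = Path(sys.argv[1]) if len(sys.argv) > 1 else None
    data = path.read_bytes() if path else b"abc"
    for name, digest in fingerprint(data).items():
        print(f"{name:9} {digest}")
    mismatches = verify(data)
    print("MATCHES ENTRY" if not mismatches else "\n".join(mismatches))
```

Run it with the path of the downloaded (and unzipped) sample as its only argument; anything other than "MATCHES ENTRY" means you are not analysing the file this page describes. Note that the unpacked-files list further down gives a second SHA256 for a memory dump, which will not match this check and is not meant to.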

Intelligence

File Origin
# of uploads: 1
# of downloads: 194
Origin country: n/a

Vendor Threat Intelligence

Malware family: n/a
ID: 1
File name: 9ff723d163e9396f0864cdb77508e8f3.exe
Verdict: Malicious activity
Analysis date: 2023-01-22 17:17:05 UTC
Tags: n/a
Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample.

Result
Verdict: Clean
Maliciousness:

Behaviour:
  Searching for the window
  Creating synchronization primitives
  Creating a window
  Searching for analyzing tools
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: anti-debug anti-vm greyware hacktool obfuscated overlay packed

Result
Verdict: MALICIOUS
Details: Windows PE Executable. Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: Unknown
Detection: malicious
Classification: evad
Score: 84 / 100
Signatures:
  Contains functionality to detect sleep reduction / modifications
  Detected unpacking (changes PE section rights)
  Detected unpacking (overwrites its own PE header)
  Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
  Found potential dummy code loops (likely to delay analysis)
  Maps a DLL or memory area into another process
  Multi AV Scanner detection for submitted file
  Tries to detect sandboxes and other dynamic analysis tools (window names)

Threat name: Win32.Trojan.Lazy
Status: Malicious
First seen: 2023-01-22 02:41:40 UTC
AV detection: 11 of 38 (28.95%)
Threat level: 5/5

Result
Malware family: n/a
Score: 5/10
Tags: n/a
Behaviour:
  Suspicious behavior: MapViewOfSection
  Suspicious use of SetWindowsHookEx
  Suspicious use of WriteProcessMemory
  Suspicious use of SetThreadContext
Unpacked files:
  SHA256 hash: 245c5e43b44c159b932ad9798e0a740950b2aa5af73015166910d34898d8728c
  MD5 hash: 219ad9a40436fc66d93b2a8be88a687f
  SHA1 hash: b8c695102634462e53660ad12d47b5bf1bbe8908

  SHA256 hash: 77eb3eb81fb496c86ee1578e57ac0251e38540613a3a5a0d5f3d362fa81a693f (this sample)
  MD5 hash: 9ff723d163e9396f0864cdb77508e8f3
  SHA1 hash: 878bb73586db91ab9867d4bda793377eff1344a1
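Taken together, the vendor signatures above (a memory area mapped into another process, WriteProcessMemory and SetThreadContext flagged as suspicious) describe the usual injection chain: put code into a foreign process, then redirect one of its threads to it. The Python below is an added example, not part of MalwareBazaar or of any vendor's engine; it shows how a detection rule over an API-call trace would correlate those calls per source/target process pair and flag only a cross-process write that is followed by a thread-context change in the same target. The trace lines are constructed for illustration in an assumed `pid api target_pid` format, not a real sandbox log, and the API name sets are assumptions covering the common Win32 and Nt-level spellings.

```python
import re
from collections import defaultdict

# Constructed trace in an assumed "pid api target_pid" format (not a real vendor log).
# 1234 is the injector, 5678 the victim; 9999 only touches its own memory and must not be flagged.
SAMPLE_TRACE = """\
1234 CreateFileW 1234
1234 NtMapViewOfSection 5678
1234 WriteProcessMemory 5678
1234 SetThreadContext 5678
1234 SetWindowsHookExW 1234
9999 WriteProcessMemory 9999
9999 SetThreadContext 9999
"""

# Calls that place code or data into another process (the entry lists MapViewOfSection and WriteProcessMemory).
WRITE_APIS = {"WriteProcessMemory", "NtWriteVirtualMemory", "NtMapViewOfSection", "MapViewOfSection"}
# Calls that redirect execution of a thread in the target (the entry lists SetThreadContext).
HIJACK_APIS = {"SetThreadContext", "NtSetContextThread"}

LINE_RE = re.compile(r"^(\d+)\s+(\w+)\s+(\d+)$")


def parse_trace(text):
    """Yield (pid, api, target_pid) tuples, skipping lines that do not fit the assumed format."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield int(m.group(1)), m.group(2), int(m.group(3))


def find_injection_chains(text):
    """Return {(source_pid, target_pid): [apis]} for each cross-process write followed by a thread-context change.

    Order matters: a SetThreadContext seen before any write into that target is not reported,
    and calls a process makes against itself are ignored (installing its own hook is normal).
    """
    written = defaultdict(list)  # (src, dst) -> write-type APIs seen so far, in trace order
    hits = {}
    for pid, api, target in parse_trace(text):
        if target == pid:
            continue
        key = (pid, target)
        if api in WRITE_APIS:
            written[key].append(api)
        elif api in HIJACK_APIS and written[key]:
            hits[key] = written[key] + [api]
    return hits


if __name__ == "__main__":
    for (src, dst), chain in find_injection_chains(SAMPLE_TRACE).items():
        print(f"pid {src} -> pid {dst}: {' -> '.join(chain)}")
```

On the constructed trace this reports one chain, 1234 into 5678, and stays silent for 9999. In a real trace the same rule would also want the handle-opening call (OpenProcess / NtOpenProcess) and the thread that was resumed afterwards, neither of which this entry lists, so they are left out here rather than guessed.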
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Only results from TLP:CLEAR rules are displayed.

Rule name: BitcoinAddress
Author: Didier Stevens (@DidierStevens)
Description: Contains a valid Bitcoin address

Rule name: meth_get_eip
Author: Willi Ballenthin

Rule name: Start2__bin
Author: James_inthe_box
Description: SystemBC
Reference: 7bd341488dc6f01a6662ac478d67d3cd8211cbf362994355027b5bdf573cc31e

Rule name: SystemBC_Socks
Author: @bartblaze
Description: Identifies SystemBC RAT, Socks proxy version.

Of these four, only Start2__bin and SystemBC_Socks are family-specific; BitcoinAddress and meth_get_eip match generic features (a Bitcoin-address string and a get-EIP call/pop stub, respectively) and are not on their own evidence of SystemBC.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download (distributed via web download)
Signature: SystemBC
File: Executable exe 77eb3eb81fb496c86ee1578e57ac0251e38540613a3a5a0d5f3d362fa81a693f (this sample)