MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 79b8594b53a0516453df5007270848fc2018f630b7f4f88feb4beacd420ed83a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SystemBC


Vendor detections: 16


Intelligence 16 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 79b8594b53a0516453df5007270848fc2018f630b7f4f88feb4beacd420ed83a
SHA3-384 hash: 315121c843ddfe655b216951b083480359c7cef2a1c0cc59604456cfe9423e855fde76d118976d2b585039817965b444
SHA1 hash: 2704339f5dc0a824b08b978ccf324cc99231b406
MD5 hash: 1af0e12fc38a64654bce554612545b34
humanhash: beryllium-equal-skylark-cold
File name:1af0e12fc38a64654bce554612545b34.exe
Download: download sample
Signature SystemBC
Create hunting rule
File size:1'028'128 bytes
First seen:2024-12-16 14:28:05 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'609 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 24576:io23milEV1TtrBxLdx+WjQw8cSh638FF3HEh/LEVbfGf:W2RrBfxzMh6sFtkh/LEbfGf
Threatray 5'870 similar samples on MalwareBazaar
TLSH T1C72523186B8D2131C9FD38F7D07AE471277981A64413C77EA498D2658A03FE5BE8732E
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
Reporter abuse_ch
Tags:exe SystemBC

Intelligence

File Origin
# of uploads :
1
# of downloads :
421
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
asyncrat
Create hunting rule
ID:
1
File name:
241127-xqsswsslej_pw_infected.zip
Verdict:
Malicious activity
Analysis date:
2024-12-16 11:37:57 UTC
Tags:
arch-exec loader github telegram opendir auto asyncrat vidar stealer quasarrat lumma sliver miner payload hausbomber dcrat evasion amadey botnet jeefo rat njrat bladabindi neshta remcos tas17 upx mouseloader discord xworm meterpreter meduzastealer
Link:
https://app.any.run/tasks/f7345c34-d409-44f5-9b90-3c2bdd8ac2a9

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Trojan.MulDrop28.52105.32223.32443.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
94.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=67603bca653a8698dfd474cc
Tags:
injection autorun virus msil
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a window
Enabling autorun by creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
coroxy packed packed packer_detected
Link:
https://www.filescan.io/uploads/67603933acd38d01e4848487/reports/02d4bec0-df27-489c-8de5-51f0ba9d4b64/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/79b8594b53a0516453df5007270848fc2018f630b7f4f88feb4beacd420ed83a
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/133652e0-e809-41a6-a4cf-974b5e3874ee
Result
Threat name:
SystemBC
Create hunting rule
Detection:
malicious
Classification:
troj.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1576156
Signature
.NET source code contains potential unpacker
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Drops VBS files to the startup folder
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Drops script at startup location
Sigma detected: WScript or CScript Dropper
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Yara detected AntiVM3
Yara detected Costura Assembly Loader
Yara detected SystemBC
Behaviour
Behavior Graph:
Download SVG
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/79b8594b53a0516453df5007270848fc2018f630b7f4f88feb4beacd420ed83a
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/79b8594b53a0516453df5007270848fc2018f630b7f4f88feb4beacd420ed83a/
Threat name:
ByteCode-MSIL.Trojan.SystemBC
Create hunting rule
Status:
Malicious
First seen:
2024-12-16 14:29:06 UTC
File Type:
PE (.Net Exe)
Extracted files:
1
AV detection:
21 of 24 (87.50%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=pg4fss2tubiwiu67kadsocci7qqbr5rqw72prd7ljpvm2qqo3a5a._file
Verdict:
malicious
Label(s):
sorano
Create hunting rule
Similar samples:
1fb9f279263c252a09f12b69c7238c18d2325f7cf7250ebe24ad9149abe62cf4
SystemBC
5c8fb1ba4d14fb9a54b1db0a7b9e6a8c83bc013494cb10fbd9f8bebe05a36b36
SystemBC
64b58794801f282e92571676e3571afc5c59033c262406bf0d36e1d6ef3cda6a
SystemBC
79b8594b53a0516453df5007270848fc2018f630b7f4f88feb4beacd420ed83a
SystemBC
81f91061c650c2d9fdeab6a9d8be220a93d46f930d5c435e4a00c511236a4caa
SystemBC
d7c59a22446f1c200c078a6e38131c755e1869717b939fa54b53360af4d2a059
SystemBC
error
SystemBC
fceb84f518a4cd354bb4ca4e4d061c9aa00f3baa38e0923b52b14d7c146e06da
SystemBC
+ 5'860 additional samples on MalwareBazaar
Result
Malware family:
systembc
Create hunting rule
Score:
  10/10
Tags:
family:systembc discovery trojan
Link:
https://tria.ge/reports/241216-rs1zdssnd1/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
System Location Discovery: System Language Discovery
Drops file in Windows directory
Suspicious use of SetThreadContext
Drops startup file
Executes dropped EXE
Suspicious use of NtCreateUserProcessOtherParentProcess
SystemBC
Systembc family
Malware Config
C2 Extraction:
wodresomdaymomentum.org
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/0b170820-a2ad-4fc0-b561-a6eb515340dc
Unpacked files
SH256 hash:
bf087d56cbe71f9e5c11b7519cc8d0cee301242e79625f4d695630ffe47c700c
MD5 hash:
b6c82ba6ed0722b18a6c3b087a9be60b
SHA1 hash:
d6a9d00a39507a5925cfe929803c1a8e22fccda6
Detections:
SystemBC
Create hunting rule
win_systembc_auto
Create hunting rule
win_systembc_g1
Create hunting rule
Link:
https://www.unpac.me/results/4eb30e52-e033-403f-9f00-74ad0d4a14cd/
Parent samples :
79b8594b53a0516453df5007270848fc2018f630b7f4f88feb4beacd420ed83a
c477f22f36f0c7e272e694e0e630996f6bfdbf5ba93296dabe63581ab8ca96f6
9b1fb523aeaca79304a5433fdc73c03990472b5d7c1c91d083bc02ab1da1c19b
e3cb8ecc9db3aba3be4aa8e721b5415ec26437fd4c2d0768af692f7cc39ec12a
SH256 hash:
1f7fa527077288bf52b524c60052536b79a98e4d2979daf90e3693d603a35e9d
MD5 hash:
eb6b65f688958f68f0feae80bc3edaaf
SHA1 hash:
b81af156512dff3d372b5445efac97656efc17d7
Link:
https://www.unpac.me/results/4eb30e52-e033-403f-9f00-74ad0d4a14cd/
SH256 hash:
19efdf03cb94895935225795f68bb9abfded1869687367013b8b4eee3cc99372
MD5 hash:
4e29f75c0c51b9dec76955f0382d9541
SHA1 hash:
4899aa8e3f57339cbaec8faab777897a76fe1c3a
Link:
https://www.unpac.me/results/4eb30e52-e033-403f-9f00-74ad0d4a14cd/
SH256 hash:
3f62809bc5df0d19f39db1be59421f5461753217f7a0becfd694e52b10760862
MD5 hash:
498e0857fb2a9b2d3b76564b83b25c56
SHA1 hash:
06e414932bcf42d826a6845577492a84ff3179f8
Link:
https://www.unpac.me/results/4eb30e52-e033-403f-9f00-74ad0d4a14cd/
SH256 hash:
03724a48f742d30a0931296959c51c2a6354c67a04d8a0a97e01175b5ad66298
MD5 hash:
cbe91766c028ab26f7dfa44129cccf06
SHA1 hash:
6a71a70b970cf23cc8d8cd6713759eb139a18236
Detections:
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/4eb30e52-e033-403f-9f00-74ad0d4a14cd/
SH256 hash:
79b8594b53a0516453df5007270848fc2018f630b7f4f88feb4beacd420ed83a
MD5 hash:
1af0e12fc38a64654bce554612545b34
SHA1 hash:
2704339f5dc0a824b08b978ccf324cc99231b406
Link:
https://www.unpac.me/results/4eb30e52-e033-403f-9f00-74ad0d4a14cd/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:pe_imphash
Create hunting rule
Rule name:RansomPyShield_Antiransomware
Create hunting rule
Author:XiAnzheng
Description:Check for Suspicious String and Import combination that Ransomware mostly abuse(can create FP)
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

SystemBC

Executable exe 79b8594b53a0516453df5007270848fc2018f630b7f4f88feb4beacd420ed83a

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3352039/
  
Delivery method
Distributed via web download

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (GUARD_CF)high

Comments