MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7eb6fefdb0399a3418a6c375f436e1a4ce52f5c783baa7c5dc92b3921e3fd91e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SystemBC


Vendor detections: 15


Intelligence 15 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7eb6fefdb0399a3418a6c375f436e1a4ce52f5c783baa7c5dc92b3921e3fd91e
SHA3-384 hash: e7aaa90ba1c714e5b8cee5127891d017409f6bdda923bdf3cc8d9568be5192600f17be817bc97a7fd947272c84f2ccef
SHA1 hash: 648204dc24082ffa498f5627e917f6f64f306730
MD5 hash: 3db26170aa5c06b54c8d60374f59251f
humanhash: vermont-mobile-william-michigan
File name:3db26170aa5c06b54c8d60374f59251f.bin.dll
Download: download sample
Signature SystemBC
Create hunting rule
File size:16'896 bytes
First seen:2024-02-24 18:50:12 UTC
Last seen:2024-02-24 20:25:37 UTC
File type:DLL dll
MIME type:application/x-dosexec
imphash ea47177789465ada573c717425469cd1 (3 x SystemBC)
ssdeep 192:RniGhkfGBpFH+Z0hZ1WW8B52daFX4/PqfZSCG0GGGdWoBrSKja1cnHs:Y/fAeZ0hZwW42doxR3gWoBrtW1c
Threatray 22 similar samples on MalwareBazaar
TLSH T19C72F7AB386085B5C21586B43E9F6761907D65724234A029EFE04F1C3F7DAA3E726F13
TrID 30.2% (.EXE) Win64 Executable (generic) (10523/12/4)
18.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
14.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
12.9% (.EXE) Win32 Executable (generic) (4504/4/1)
5.9% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter abuse_ch
Tags:dll SystemBC


Avatar
abuse_ch
SystemBC C2:
173.44.141.149:4001

Intelligence

File Origin
# of uploads :
2
# of downloads :
327
Origin country :
NL NL
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/477624/
Detection(s):
SecuriteInfo.com.BackDoor.Coroxy.17.10680.1281.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
coroxy evasive lolbin masquerade shell32 systembc
Link:
https://www.filescan.io/uploads/65da3a97781f57164641f583/reports/d996a864-c47a-4d5c-a671-548c427f7e7e/overview
Verdict:
Malicious
Labled as:
Trojan.SystemBC
Link:
https://www.hybrid-analysis.com/sample/7eb6fefdb0399a3418a6c375f436e1a4ce52f5c783baa7c5dc92b3921e3fd91e
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
SystemBC
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/88efe508-8016-4a6f-bd38-07191841b9a2
Result
Threat name:
SystemBC
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
88 / 100
Link:
https://www.joesandbox.com/analysis/1398225
Signature
C2 URLs / IPs found in malware configuration
Found malware configuration
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Yara detected SystemBC
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1398225 Sample: YtvUgU78Pv.dll Startdate: 24/02/2024 Architecture: WINDOWS Score: 88 23 Snort IDS alert for network traffic 2->23 25 Found malware configuration 2->25 27 Multi AV Scanner detection for submitted file 2->27 29 3 other signatures 2->29 7 loaddll32.exe 1 2->7         started        process3 process4 9 cmd.exe 1 7->9         started        11 rundll32.exe 7->11         started        13 conhost.exe 7->13         started        process5 15 rundll32.exe 9->15         started        dnsIp6 19 173.44.141.149, 4001, 49704, 49705 EONIX-COMMUNICATIONS-ASBLOCK-62904US United States 15->19 21 System process connects to network (likely due to code injection or exploit) 15->21 signatures7
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/7eb6fefdb0399a3418a6c375f436e1a4ce52f5c783baa7c5dc92b3921e3fd91e
Detection:
systembc
Create hunting rule
Link:
https://mwdb.cert.pl/sample/7eb6fefdb0399a3418a6c375f436e1a4ce52f5c783baa7c5dc92b3921e3fd91e/
Threat name:
Win32.Backdoor.Coroxy
Create hunting rule
Status:
Malicious
First seen:
2024-02-24 18:51:05 UTC
File Type:
PE (Dll)
AV detection:
17 of 24 (70.83%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=p23p57nqhgndigfgyn27inxbuthff5ohqo5kpro4skzzehr73epa._file
Verdict:
malicious
Similar samples:
2eedba5f5dbbee52fd6edcb5039ebd96e18a66d79f622fa794b00061a412cbce
SystemBC
2f120d396f71ff9adb8fe11f0b529e8ddea8355837d955fed83bb0ae2a35de84
SystemBC
4dae3b84eeb5e36c144f9fad2f2b06d9e82381cda6b1f043033cf3644f339558
SystemBC
7eb6fefdb0399a3418a6c375f436e1a4ce52f5c783baa7c5dc92b3921e3fd91e
SystemBC
+ 12 additional samples on MalwareBazaar
Result
Malware family:
systembc
Create hunting rule
Score:
  10/10
Tags:
family:systembc
Link:
https://tria.ge/reports/240224-xhgqnabd74/
Behaviour
Suspicious use of WriteProcessMemory
Blocklisted process makes network request
Malware Config
C2 Extraction:
173.44.141.149:4001
153.92.222.162:4001
Unpacked files
SH256 hash:
7eb6fefdb0399a3418a6c375f436e1a4ce52f5c783baa7c5dc92b3921e3fd91e
MD5 hash:
3db26170aa5c06b54c8d60374f59251f
SHA1 hash:
648204dc24082ffa498f5627e917f6f64f306730
Detections:
SystemBC
Create hunting rule
win_systembc_g0
Create hunting rule
EXT_MAL_SystemBC_Mar22_1
Create hunting rule
win_systembc_20220311
Create hunting rule
Link:
https://www.unpac.me/results/3e343a8b-55d4-4bbb-97eb-e6e87749ac0c/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
SystemBC
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/7eb6fefdb0399a3418a6c375f436e1a4ce52f5c783baa7c5dc92b3921e3fd91e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:command_and_control
Create hunting rule
Author:CD_R0M_
Description:This rule searches for common strings found by malware using C2. Based on a sample used by a Ransomware group
Rule name:EXT_MAL_SystemBC_Mar22_1
Create hunting rule
Author:Thomas Barabosch, Deutsche Telekom Security
Description:Detects unpacked SystemBC module as used by Emotet in March 2022
Reference:https://twitter.com/Cryptolaemus1/status/1502069552246575105
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:meth_peb_parsing
Create hunting rule
Author:Willi Ballenthin
Rule name:Start2_net_bin
Create hunting rule
Author:James_inthe_box
Description:SystemBC
Reference:7bd341488dc6f01a6662ac478d67d3cd8211cbf362994355027b5bdf573cc31e
Rule name:Start2_overlap_bin
Create hunting rule
Author:James_inthe_box
Description:SystemBC
Reference:7bd341488dc6f01a6662ac478d67d3cd8211cbf362994355027b5bdf573cc31e
Rule name:Start2__bin
Create hunting rule
Author:James_inthe_box
Description:SystemBC
Reference:7bd341488dc6f01a6662ac478d67d3cd8211cbf362994355027b5bdf573cc31e

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/477624/

Comments