MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 81f91061c650c2d9fdeab6a9d8be220a93d46f930d5c435e4a00c511236a4caa. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SystemBC


Vendor detections: 15


Intelligence 15 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 81f91061c650c2d9fdeab6a9d8be220a93d46f930d5c435e4a00c511236a4caa
SHA3-384 hash: 2374b933c99c7f1aa65c2f2116ef8ef2243b841158b773a0f3a9048f76f9250f2abe7d4df1225da3fc671431211f1708
SHA1 hash: c01e5bc3e9dbb84a5b36841045055999fc0a16cf
MD5 hash: 902f14b6f32cc40a82d6a0f2c41208ec
humanhash: mars-fish-winter-delaware
File name:file
Download: download sample
Signature SystemBC
Create hunting rule
File size:999'936 bytes
First seen:2024-08-19 16:54:13 UTC
Last seen:2024-08-22 11:30:09 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'648 x AgentTesla, 19'452 x Formbook, 12'201 x SnakeKeylogger)
ssdeep 24576:1Ibj07xMVrpydHnnDfiDw8PZIykCu3oxmv2GX:1+ukYxDqnZTlns2
Threatray 2'241 similar samples on MalwareBazaar
TLSH T1B42512686B9DC733D26D6776E1925100CFF48122E992E78E6CC461F4FC837C56A0F29A
TrID 67.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
9.7% (.EXE) Win64 Executable (generic) (10523/12/4)
6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.1% (.EXE) Win32 Executable (generic) (4504/4/1)
Reporter Bitsight
Tags:exe SystemBC


Avatar
Bitsight
url: http://147.45.44.104/prog/66c3721bc46fe_Ernrnmkio.exe#14

Intelligence

File Origin
# of uploads :
3
# of downloads :
364
Origin country :
US US
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2024-08-19 17:01:01 UTC
Tags:
netreactor
Link:
https://app.any.run/tasks/6d246341-e4a3-4255-b09c-28927c84e1e0

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Win32.CrypterX-gen.20691.17279.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
91.7%
Link:
https://cyber-fortress.com/docs/result/index.php?id=66c378e8e7ff3f5a063b91db
Tags:
Stealth Trojan
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/66c378ea9a458267e53ef2dd/reports/bca0cc0f-7db7-4161-9b2c-811c6827048c/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/81f91061c650c2d9fdeab6a9d8be220a93d46f930d5c435e4a00c511236a4caa
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/0c61a540-876e-4f09-8ff0-f4746d3f5ded
Result
Threat name:
SystemBC
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1495158
Signature
.NET source code contains potential unpacker
AI detected suspicious sample
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected AntiVM3
Yara detected Costura Assembly Loader
Yara detected SystemBC
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1495158 Sample: file.exe Startdate: 19/08/2024 Architecture: WINDOWS Score: 100 45 claywyaeropumps.com 2->45 49 Found malware configuration 2->49 51 Antivirus detection for URL or domain 2->51 53 Multi AV Scanner detection for submitted file 2->53 55 7 other signatures 2->55 7 file.exe 1 4 2->7         started        11 afasdfga.exe 2 2->11         started        13 fvhc.exe 2 2->13         started        15 3 other processes 2->15 signatures3 process4 file5 41 C:\Users\user\AppData\Roaming\afasdfga.exe, PE32 7->41 dropped 43 C:\Users\...\afasdfga.exe:Zone.Identifier, ASCII 7->43 dropped 57 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 7->57 59 Tries to detect virtualization through RDTSC time measurements 7->59 61 Injects a PE file into a foreign processes 7->61 17 file.exe 4 7->17         started        63 Multi AV Scanner detection for dropped file 11->63 65 Machine Learning detection for dropped file 11->65 20 afasdfga.exe 4 11->20         started        22 fvhc.exe 13->22         started        25 afasdfga.exe 15->25         started        27 qqlclpo.exe 15->27         started        signatures6 process7 dnsIp8 29 C:\ProgramData\aqfxwb\fvhc.exe, PE32 17->29 dropped 31 C:\ProgramData\...\fvhc.exe:Zone.Identifier, ASCII 17->31 dropped 33 C:\ProgramData\akqqlc\qqlclpo.exe, PE32 20->33 dropped 35 C:\...\qqlclpo.exe:Zone.Identifier, ASCII 20->35 dropped 47 claywyaeropumps.com 178.132.2.10, 4000, 49736, 49737 WORLDSTREAMNL Netherlands 22->47 37 C:\ProgramData\vwqobr\bhki.exe, PE32 25->37 dropped 39 C:\ProgramData\...\bhki.exe:Zone.Identifier, ASCII 25->39 dropped file9
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/81f91061c650c2d9fdeab6a9d8be220a93d46f930d5c435e4a00c511236a4caa
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/81f91061c650c2d9fdeab6a9d8be220a93d46f930d5c435e4a00c511236a4caa/
Threat name:
Win32.Trojan.CrypterX
Create hunting rule
Status:
Malicious
First seen:
2024-08-19 16:55:05 UTC
File Type:
PE (.Net Exe)
Extracted files:
1
AV detection:
15 of 24 (62.50%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=qh4rayogkdbnt7pkw2u5rprcbkj5i34tbvoegxskadcrci3kjsva._file
Verdict:
malicious
Similar samples:
145dbb397089105d6d06a861d62b48be9fd2527fb7d023b114cf05b723cd3858
SystemBC
1cce0e4c3b171f62ebdf5348a2d32d8c5bce25ae74c4a89f70012bb4ccfca5c1
SystemBC
1d7c6ed697ee011ad969d1d7c706d88a962584f87d543fcc77ee358c5bfb4509
SystemBC
7e32d7cb4afde72ccb3dbc97193c3bda96307789b068c6b8339b717869fa377c
SystemBC
81f91061c650c2d9fdeab6a9d8be220a93d46f930d5c435e4a00c511236a4caa
SystemBC
abcdce91fde094dd2eeafa37e7cf5c8c9a880739b53ed0b882770cd55ee9fc52
SystemBC
ed3abbb92b588a5fea991fa017e66a84306cfc86ba0852c9005ea1a555b199f2
SystemBC
+ 2'231 additional samples on MalwareBazaar
Result
Malware family:
purelogstealer
Create hunting rule
Score:
  10/10
Tags:
family:purelogstealer discovery persistence stealer
Link:
https://tria.ge/reports/240819-ve4pxayhnm/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
System Location Discovery: System Language Discovery
Drops file in Windows directory
Suspicious use of SetThreadContext
Adds Run key to start application
Executes dropped EXE
PureLog Stealer
PureLog Stealer payload
Suspicious use of NtCreateUserProcessOtherParentProcess
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/2fcd8c65-84da-42ab-a2d3-95c5614d22af
Unpacked files
SH256 hash:
e283a0a51e5fea5d3b64a008e33d42b1e555b5702da9743fc79d744a1603513f
MD5 hash:
343578a6ef1ac36066ea2ec263cf5c78
SHA1 hash:
7c307503fd2ee3a297d2bd20f9e23574517d78ee
Detections:
SystemBC
Create hunting rule
win_systembc_auto
Create hunting rule
win_systembc_g1
Create hunting rule
Link:
https://www.unpac.me/results/05574488-b80e-4968-b271-4b0ff495c851/
Parent samples :
e283a0a51e5fea5d3b64a008e33d42b1e555b5702da9743fc79d744a1603513f
534912622718c6547f15e57ad07e903e10ffc801f7764d2e1f27b4fca693813a
81f91061c650c2d9fdeab6a9d8be220a93d46f930d5c435e4a00c511236a4caa
46e0bbdbdffa58d201e3aa377f77d4f85a7704a60042eaf13d5cedf70808e937
21aaa5319a6729df0581203a0782ead837b848387e44cd1844ca8e19882a50af
SH256 hash:
ff3880909605335faa5b2fa0a1d15acefc61b51fe1bb4b072920de28d8adc3d6
MD5 hash:
37b8b5d20ccab80c5cbe2d1350b1e6fc
SHA1 hash:
405bf845ef0ce03e10a8d66951801d6904a9697a
Link:
https://www.unpac.me/results/05574488-b80e-4968-b271-4b0ff495c851/
SH256 hash:
78f73e1734daa918b253517c75971fbb8df773a3d77d02a752e9a0ad1711a677
MD5 hash:
f9d2985aa1c41cca281321fffb5ed424
SHA1 hash:
3a7a58d2dcae2762882357ae34d372744b1dbb9d
Link:
https://www.unpac.me/results/05574488-b80e-4968-b271-4b0ff495c851/
SH256 hash:
6068cedc63bf44019a7f0c6db8e54a43da5dbb7552e47cf7c9fa7fa5a5c868c0
MD5 hash:
01f93c0d667a9a80019b424399ffe971
SHA1 hash:
26c8b417efbb03b766e1983b9ca73566faab866c
Link:
https://www.unpac.me/results/05574488-b80e-4968-b271-4b0ff495c851/
SH256 hash:
52dc251bb369f9a87633d1116230a30ed20e4ac0b4a77b5cc1803806d6bf541d
MD5 hash:
cda90a17b0934d17b24829bbbf7e1710
SHA1 hash:
35e46be84d0a8f2a003930ea774725746511c9f1
Detections:
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/05574488-b80e-4968-b271-4b0ff495c851/
SH256 hash:
81f91061c650c2d9fdeab6a9d8be220a93d46f930d5c435e4a00c511236a4caa
MD5 hash:
902f14b6f32cc40a82d6a0f2c41208ec
SHA1 hash:
c01e5bc3e9dbb84a5b36841045055999fc0a16cf
Link:
https://www.unpac.me/results/05574488-b80e-4968-b271-4b0ff495c851/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
SystemBC
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/81f91061c650c2d9fdeab6a9d8be220a93d46f930d5c435e4a00c511236a4caa

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

SystemBC

Executable exe 81f91061c650c2d9fdeab6a9d8be220a93d46f930d5c435e4a00c511236a4caa

(this sample)

  
Dropped by
Privateloader
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/3116128/
  
URLhaus
https://urlhaus.abuse.ch/url/3117466/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (GUARD_CF)high

Comments