MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8a9dcfef5506262a93ee5962940caaad00e2a1d2e39a5023f901f74383a7b5c2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SystemBC


Vendor detections: 12


Intelligence 12 IOCs 1 YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8a9dcfef5506262a93ee5962940caaad00e2a1d2e39a5023f901f74383a7b5c2
SHA3-384 hash: fd21cc9b059c726c9667b3c9ceae0b4dbeab23ad680cdb9ab90effd68f5f78a0f192df58ac6f3c34644685c3911925fb
SHA1 hash: 7ae124c20bb5df8720b6470dd3b55b5eb741a81d
MD5 hash: ad10419a35918a3ea6ab25a790bbda12
humanhash: item-tango-nine-carbon
File name:8a9dcfef5506262a93ee5962940caaad00e2a1d2e39a5.exe
Download: download sample
Signature SystemBC
Create hunting rule
File size:176'128 bytes
First seen:2022-06-09 15:48:22 UTC
Last seen:2022-06-09 16:39:06 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 4681ca2694bc7221d2898efdb737c063 (6 x Amadey, 1 x Smoke Loader, 1 x SystemBC)
ssdeep 1536:THbcYgu0361gmWUeJ5co5IUzcm9LyhgEtGPycDdgpnhZMav22pBz:TbcYmq1p1o5p39clMdgNhuaO2pB
Threatray 189 similar samples on MalwareBazaar
TLSH T1EC04BF20B7E1C033C36356303861E6635A7A79C197758ACB37B817B95F702D167BA3A2
TrID 48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
16.4% (.EXE) Win64 Executable (generic) (10523/12/4)
10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 5c599a3ce0c3c850 (43 x Stop, 37 x RedLineStealer, 36 x Smoke Loader)
Reporter abuse_ch
Tags:exe SystemBC


Avatar
abuse_ch
SystemBC C2:
45.227.255.167:4001

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
45.227.255.167:4001 https://threatfox.abuse.ch/ioc/682041/

Intelligence

File Origin
# of uploads :
2
# of downloads :
326
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
amadey
Create hunting rule
ID:
1
File name:
ee27c9d844193ddb19f0ee0d5f1ed780.exe
Verdict:
Malicious activity
Analysis date:
2022-06-09 14:54:56 UTC
Tags:
trojan amadey loader systembc opendir stealer
Link:
https://app.any.run/tasks/ae7add6c-1714-46eb-9e39-72e119b8f168

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
SystemBC
Create hunting rule
Link:
https://www.capesandbox.com/analysis/278432/
Detection(s):
SecuriteInfo.com.W32.AIDetect.malware1.9723.16484.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Creating a window
Creating a file
Sending a custom TCP request
Launching the default Windows debugger (dwwin.exe)
Enabling autorun by creating a file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware
Link:
https://www.filescan.io/uploads/62a2168a5dc88d35716f72fa/reports/68d65a95-71cc-4631-adbe-40ee24f20fb5/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/fd05fc2d-0bdc-4dd6-a71e-cf3e1d69cd10
Result
Threat name:
SystemBC
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
92 / 100
Link:
https://www.joesandbox.com/analysis/1010154
Signature
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found evasive API chain (may stop execution after checking mutex)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected SystemBC
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8a9dcfef5506262a93ee5962940caaad00e2a1d2e39a5023f901f74383a7b5c2/
Threat name:
Win32.Ransomware.StopCrypt
Create hunting rule
Status:
Malicious
First seen:
2022-06-09 15:03:53 UTC
File Type:
PE (Exe)
Extracted files:
6
AV detection:
20 of 26 (76.92%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=rko4732vaytcve7olfrjidfkvuaofios4onfai7zah3uha5hwxba._file
Verdict:
malicious
Similar samples:
43036d7ee14ac6bb29c0067fa0d6b497ed09cbd6862a8e8d0d8e54b18f6bbe8c
SystemBC
595e1545c53d27fb1315e70b241e66f44b28a49be59a717ca4936d167e121470
SystemBC
61499704920ee633ffb2baab36eb8eb70d5e0426bca584f9a4a872e4b930c417
SystemBC
8f620e963130716ac09ba5a7c75d7e7ea42ac1a4b66fc0a106e6feb40941fe23
SystemBC
c9dc59066fe4cd939a7c33572a4db6918e18e1abc76c897abd39b127e7575e18
SystemBC
e2cc138b0051fc6d2dce76941e2190d964c51754dac13705f63dad2941ccbba7
SystemBC
fe6d6d15e0ffa8717c2a5ac80b7f117e853c05cd642c746bb2eab0f70416150d
SystemBC
+ 179 additional samples on MalwareBazaar
Result
Malware family:
systembc
Create hunting rule
Score:
  10/10
Tags:
family:systembc suricata trojan
Link:
https://tria.ge/reports/220609-s9bw9shfbp/
Behaviour
Suspicious use of WriteProcessMemory
Program crash
Drops file in Windows directory
SystemBC
suricata: ET MALWARE Win32/SystemBC CnC Checkin
Malware Config
C2 Extraction:
45.227.255.167:4001
Unpacked files
SH256 hash:
3e38751829c1818dab29b35ee3d0288f32860e6ac5df57f6f12fbd0577987b4e
MD5 hash:
542657ec1c61704a7ae312a3dc1839b3
SHA1 hash:
425d1c7f8c0a76a5629d00a2bcb18c3718385594
Link:
https://www.unpac.me/results/f5aba447-ca47-4453-88d4-7f720c1d1c0a/
SH256 hash:
8a9dcfef5506262a93ee5962940caaad00e2a1d2e39a5023f901f74383a7b5c2
MD5 hash:
ad10419a35918a3ea6ab25a790bbda12
SHA1 hash:
7ae124c20bb5df8720b6470dd3b55b5eb741a81d
Link:
https://www.unpac.me/results/f5aba447-ca47-4453-88d4-7f720c1d1c0a/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/8a9dcfef5506262a93ee5962940caaad00e2a1d2e39a5023f901f74383a7b5c2

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:EXT_MAL_SystemBC_Mar22_1
Create hunting rule
Author:Thomas Barabosch, Deutsche Telekom Security
Description:Detects unpacked SystemBC module as used by Emotet in March 2022
Reference:https://twitter.com/Cryptolaemus1/status/1502069552246575105
Rule name:MALWARE_Win_EXEPWSH_DLAgent
Create hunting rule
Author:ditekSHen
Description:Detects SystemBC
Rule name:Start2_net_bin
Create hunting rule
Author:James_inthe_box
Description:SystemBC
Reference:7bd341488dc6f01a6662ac478d67d3cd8211cbf362994355027b5bdf573cc31e
Rule name:Start2_overlap_bin
Create hunting rule
Author:James_inthe_box
Description:SystemBC
Reference:7bd341488dc6f01a6662ac478d67d3cd8211cbf362994355027b5bdf573cc31e
Rule name:Start2__bin
Create hunting rule
Author:James_inthe_box
Description:SystemBC
Reference:7bd341488dc6f01a6662ac478d67d3cd8211cbf362994355027b5bdf573cc31e
Rule name:SystemBC_Config
Create hunting rule
Author:@bartblaze
Description:Identifies SystemBC RAT, decrypted config.
Rule name:SystemBC_Socks
Create hunting rule
Author:@bartblaze
Description:Identifies SystemBC RAT, Socks proxy version.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

SystemBC

Executable exe 8a9dcfef5506262a93ee5962940caaad00e2a1d2e39a5023f901f74383a7b5c2

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/278432/
  
URLhaus
https://urlhaus.abuse.ch/url/2232084/
  
Delivery method
Distributed via web download

Comments