MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a2bf4098b65e0efb8bc9cba70cfb5e36d01de5f591d100bb429a5dc3ef6c3bc3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SystemBC

Vendor detections: 12

SHA256 hash: a2bf4098b65e0efb8bc9cba70cfb5e36d01de5f591d100bb429a5dc3ef6c3bc3
SHA3-384 hash: ae7570d1ef424500e50121ac85f125d7f8e1372ed2b46a838cc900987e43a64b6164e2e6053dfadcea715e4e13279e24
SHA1 hash: 2f0476f22e05455ff4e56171438d16ff87291ea5
MD5 hash: b1d156c496219977a9cd4355094613f5
humanhash: table-pluto-chicken-eleven
File name: b1d156c496219977a9cd4355094613f5.exe
Signature: SystemBC
File size: 1'141'848 bytes
First seen: 2023-04-11 09:09:41 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 6b08e8c3977bf4e3460f254a90ce4250 (1 x SystemBC)
ssdeep: 24576:kob9rHzThqel1mK5XJent7IL+PYL65XPr5JfQZZ0WgisS:kE9TTRlvS5YL6ptJfQZiWg3S
Threatray: 1'196 similar samples on MalwareBazaar
TLSH: T10D35CFBE32BF8F52F2622B746607C7A9603387522215F0D2913E19D374CE1AF56CB685
TrID: 32.2% (.EXE) Win64 Executable (generic) (10523/12/4)
      20.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      15.4% (.EXE) Win16 NE executable (generic) (5038/12/1)
      13.7% (.EXE) Win32 Executable (generic) (4505/5/1)
      6.2% (.EXE) OS/2 Executable (generic) (2029/13)
dhash icon: b676e0d0a6e671b2 (1 x SystemBC)
Reporter: abuse_ch
Tags: exe signed SystemBC

Code Signing Certificate

Organisation: jotform.com
Issuer: Sectigo RSA Domain Validation Secure Server CA
Algorithm: sha256WithRSAEncryption
Valid from: 2023-01-10T00:00:00Z
Valid to: 2023-10-20T23:59:59Z
Serial number: f4647a8b07b0867479e55538b0f4ab56
Thumbprint algorithm: SHA256
Thumbprint: 68028ec62d6bef2faed8f36f022afe81dd603cae4c06e99497a98b4293ad11b4
Source: This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Note: the issuer named above is Sectigo's domain-validated TLS server CA, not a code-signing CA, so the attached certificate is a web server certificate for jotform.com rather than one issued for code signing. The "signed" tag only records that a signature blob is present in the PE; it does not mean Windows will treat the file as validly signed. When triaging, check the verification result (for example with Get-AuthenticodeSignature on Windows) rather than the mere presence of a certificate.

Intelligence

File Origin
# of uploads: 1
# of downloads: 262
Origin country: NL

Vendor Threat Intelligence

Result
Malware family: n/a
ID: 1
File name: b1d156c496219977a9cd4355094613f5.exe
Verdict: Malicious activity
Analysis date: 2023-04-11 09:11:55 UTC
Tags: n/a
Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Verdict: Clean
Maliciousness:
Behaviour
DNS request
Creating a file

Result
Malware family: n/a
Score: 6/10
Tags: n/a
Behaviour
MalwareBazaar
MeasuringTime
CheckCmdLine
EvasionQueryPerformanceCounter

Result
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: greyware overlay packed

Result
Threat name: SystemBC
Detection: malicious
Classification: troj.evad
Score: 76 / 100
Signature
C2 URLs / IPs found in malware configuration
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Self deletion via cmd or bat file
Uses ping.exe to check the status of other devices and networks
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected SystemBC
Behaviour
Behavior Graph (ID 844607; sample Boqld4hbTw.exe; start date 11/04/2023; architecture WINDOWS; score 76)
Sample-level signatures: Multi AV Scanner detection for submitted file; Yara detected SystemBC; C2 URLs / IPs found in malware configuration; Machine Learning detection for sample
Process tree:
- Boqld4hbTw.exe (started)
  - DNS: igvjzqqm3pjqfabur3tp3pra.zfftzsfg6q
  - Dropped file: Capeteka dileket xehe quele quipabim cokaho.exe (PE32)
  - Signatures: Self deletion via cmd or bat file; Uses schtasks.exe or at.exe to add and modify task schedules
  - cmd.exe (started)
    - Signature: Uses ping.exe to check the status of other devices and networks
    - PING.EXE (started): 127.0.0.1, 192.168.2.1
    - conhost.exe (started)
    - chcp.com (started)
  - Capeteka dileket xehe quele quipabim cokaho.exe (started)
    - 212.8.244.5 (ports 4001, 49705, 49707; ITLDC-NLUA, Russian Federation)
    - 45.138.74.200 (ports 4001, 49704, 49706; HOSTGLOBALPLUS-ASRU, Russian Federation)
    - DNS: igvjzqqm3pjqfabur3tp3pra.zfftzsfg6q
  - schtasks.exe (started)
    - conhost.exe (started)
- Capeteka dileket xehe quele quipabim cokaho.exe (started, second instance)
  - DNS: igvjzqqm3pjqfabur3tp3pra.zfftzsfg6q
Result
Threat name: Win32.Trojan.Doubleback
Status: Malicious
First seen: 2023-04-07 13:41:00 UTC
File Type: PE (Exe)
Extracted files: 7
AV detection: 20 of 37 (54.05%)
Threat level: 5/5

Result
Malware family: systembc
Score: 10/10
Tags: family:systembc trojan
Behaviour
Creates scheduled task(s)
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Checks computer location settings
Deletes itself
Executes dropped EXE
Loads dropped DLL
Malware Config (SystemBC)
C2 Extraction:
45.138.74.200:4001
212.8.244.5:4001
Unpacked files
SHA256 hash: 62bbf30d3547f29cc09d8c744da9609c957e17a50c155d1d1e1e78158084d2c3
MD5 hash: 0b90302313e1e8097ff58ae32cd21d93
SHA1 hash: 91575f8903b8c4067f581b61eb116972ed2d7f86
SHA256 hash: a2bf4098b65e0efb8bc9cba70cfb5e36d01de5f591d100bb429a5dc3ef6c3bc3
MD5 hash: b1d156c496219977a9cd4355094613f5
SHA1 hash: 2f0476f22e05455ff4e56171438d16ff87291ea5
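The sandbox behaviours listed above (self-deletion through cmd.exe with ping.exe as a delay, schtasks.exe task creation, execution of the dropped PE) and the extracted C2 pairs are the parts of this entry a defender can turn into detections. The script below is an added example, not code from MalwareBazaar or any of the vendors, that replays Sysmon-style process-creation (event 1) and network-connection (event 3) records against those behaviours. The records are constructed: the command lines, the drop directory and the list of user-writable directories are assumptions; only the C2 IP:port pairs, the process names and the dropped-file name come from the entry.

```python
"""Match Sysmon-style events against the SystemBC behaviours and C2 pairs
listed on this MalwareBazaar entry. Added example; events are constructed."""
from __future__ import annotations

import re
from dataclasses import dataclass

# From "Malware Config / C2 Extraction" on this entry.
SYSTEMBC_C2 = {("45.138.74.200", 4001), ("212.8.244.5", 4001)}

# Directories a dropper can write to without elevation (assumed subset).
USER_WRITABLE = re.compile(
    r"\\(programdata|users\\[^\\]+\\appdata|users\\public|windows\\temp)\\")


@dataclass
class Event:
    event_id: int              # 1 = process create, 3 = network connection
    image: str                 # full path of the process
    parent_image: str = ""
    command_line: str = ""
    dest_ip: str = ""
    dest_port: int = 0


@dataclass
class Finding:
    rule: str
    image: str
    detail: str


def _basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def detect(events: list[Event]) -> list[Finding]:
    """Return one Finding per (event, rule) match; an event may hit several rules."""
    findings: list[Finding] = []
    for ev in events:
        img = _basename(ev.image)
        cl = ev.command_line.lower()

        if ev.event_id == 3:
            # "C2 URLs / IPs found in malware configuration": exact IP:port match.
            if (ev.dest_ip, ev.dest_port) in SYSTEMBC_C2:
                findings.append(Finding("systembc_c2_connection", img,
                                        f"{ev.dest_ip}:{ev.dest_port}"))
            continue
        if ev.event_id != 1:
            continue

        # "Self deletion via cmd or bat file" + "Runs ping.exe": ping used as a
        # sleep before the original binary is deleted.
        if img == "cmd.exe" and "ping" in cl and re.search(r"\b(del|erase)\b", cl):
            findings.append(Finding("ping_delay_self_delete", img, ev.command_line))

        # "Creates scheduled task(s)" / "Uses schtasks.exe or at.exe".
        if (img == "schtasks.exe" and "/create" in cl) or img == "at.exe":
            findings.append(Finding("scheduled_task_created", img, ev.command_line))

        # "Executes dropped EXE": a process image launched from a user-writable path.
        if USER_WRITABLE.search(ev.image.lower()):
            findings.append(Finding("dropped_pe_executed", img,
                                    f"{ev.image} (parent {_basename(ev.parent_image) or '?'})"))
    return findings


def rules_hit(findings: list[Finding]) -> set[str]:
    return {f.rule for f in findings}


# Constructed telemetry. Paths and command lines are hypothetical.
SAMPLE = r"C:\Users\analyst\Desktop\b1d156c496219977a9cd4355094613f5.exe"
DROPPED = r"C:\ProgramData\Capeteka dileket xehe quele quipabim cokaho.exe"  # drop path assumed
SYS32 = r"C:\Windows\System32"

EVENTS = [
    Event(1, DROPPED, SAMPLE, f'"{DROPPED}"'),
    Event(1, SYS32 + r"\schtasks.exe", SAMPLE,
          f'schtasks.exe /create /sc minute /mo 1 /tn Capeteka /tr "{DROPPED}"'),
    Event(1, SYS32 + r"\cmd.exe", SAMPLE,
          f'cmd.exe /c ping 127.0.0.1 -n 5 > nul & del "{SAMPLE}"'),
    Event(1, SYS32 + r"\PING.EXE", SYS32 + r"\cmd.exe", "ping 127.0.0.1 -n 5"),
    Event(3, DROPPED, dest_ip="45.138.74.200", dest_port=4001),
    Event(3, DROPPED, dest_ip="212.8.244.5", dest_port=4001),
    # Benign noise: a browser on 443 (TEST-NET address) and a ping with no delete.
    Event(3, r"C:\Program Files\Mozilla Firefox\firefox.exe",
          dest_ip="198.51.100.7", dest_port=443),
    Event(1, SYS32 + r"\cmd.exe", r"C:\Windows\explorer.exe",
          "cmd.exe /c ping 192.168.2.1 -n 1"),
]

if __name__ == "__main__":
    for f in detect(EVENTS):
        print(f"{f.rule:26} {f.image:14} {f.detail}")
```

The C2 rule is an exact IP:port match, so it will go quiet as soon as the operators rotate infrastructure; the three behavioural rules are what carry over to the next SystemBC build, at the cost of needing the benign-noise filtering shown (a plain ping from explorer.exe and a browser on 443 produce no finding).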
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: cobalt_strike_tmp01925d3f
Author: The DFIR Report
Description: files - file ~tmp01925d3f.exe
Reference: https://thedfirreport.com

Rule name: malware_shellcode_hash
Author: JPCERT/CC Incident Response Group
Description: detect shellcode api hash value

Rule name: meth_get_eip
Author: Willi Ballenthin

Rule name: pdb_YARAify
Author: @wowabiy314
Description: PDB

Rule name: PE_Digital_Certificate
Author: albertzsigovits

Rule name: PE_Potentially_Signed_Digital_Certificate
Author: albertzsigovits

Rule name: Start2__bin
Author: James_inthe_box
Description: SystemBC
Reference: 7bd341488dc6f01a6662ac478d67d3cd8211cbf362994355027b5bdf573cc31e

Rule name: SystemBC_Socks
Author: @bartblaze
Description: Identifies SystemBC RAT, Socks proxy version.

File information


The table below shows additional information about this malware sample such as delivery method and external references.
