MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a35480f93ad4d0de19c119b903f6317cc8e59e779b654ec8f4bd5df4535267c6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SystemBC


Vendor detections: 16


Intelligence 16 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a35480f93ad4d0de19c119b903f6317cc8e59e779b654ec8f4bd5df4535267c6
SHA3-384 hash: aa5d940aef06a76b33a8359d8afccb9ae850bcaee912f74ffae29d0e8fba6ff02923d9d66937587e1b707cadb0f9db65
SHA1 hash: fc455d1c0ab2653c146a277e4e246a4e3e5ba0c2
MD5 hash: 9cc2a0c88851f241b01efa7e9372f32b
humanhash: jupiter-saturn-romeo-equal
File name:F891E10C9A7B6D0CBBBB6B3D103CF3DC935541430C5363648E6E1A3203BDD76D.exe
Download: download sample
Signature SystemBC
Create hunting rule
File size:245'760 bytes
First seen:2024-07-24 23:13:25 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash ed1b2792ced7a8e7bb849a84d01e5fcb (9 x Smoke Loader, 5 x RedLineStealer, 5 x Stop)
ssdeep 3072:spKr2asc3+9yYO1jkLp8x5IiCx//9IiGCH:YxQnyLeWVA
Threatray 11 similar samples on MalwareBazaar
TLSH T1F034D0227680D032C48B1A717439C6AC9EBED93117B5094F37A9067E5F313D1AABB74E
TrID 37.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
20.0% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
12.7% (.EXE) Win64 Executable (generic) (10523/12/4)
7.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
6.1% (.EXE) Win16 NE executable (generic) (5038/12/1)
File icon (PE):PE icon
dhash icon 5c59da3ce0c1c850 (36 x Stop, 33 x Smoke Loader, 26 x RedLineStealer)
Reporter Anonymous
Tags:exe SystemBC


Avatar
Anonymous
this malware sample is very nasty!

Intelligence

File Origin
# of uploads :
1
# of downloads :
287
Origin country :
CN CN
Vendor Threat Intelligence
Detection(s):
PUA.Win.Packer.Asprotect-3
Create hunting rule

Win.Virus.Wapomi-9802127-0
Create hunting rule

Win.Trojan.Generic-9942495-0
Create hunting rule

Win.Packer.pkr_ce1a-9980177-0
Create hunting rule

Win.Malware.Wapomi-10020301-0
Create hunting rule

Verdict:
Malicious
Score:
97.4%
Link:
https://cyber-fortress.com/docs/result/index.php?id=66a18abeae21d7902eafd765
Tags:
Execution Generic Network Static Stealth
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a window
Changing an executable file
Сreating synchronization primitives
Modifying an executable file
Sending an HTTP GET request to an infection source
Creating a file
Creating a file in the Windows subdirectories
Searching for synchronization primitives
Adding an access-denied ACE
Running batch commands
Creating a process with a hidden window
Connection attempt
Query of malicious DNS domain
Connection attempt to an infection source
Infecting executable files
Enabling autorun by creating a file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
fingerprint lolbin microsoft_visual_cc shell32
Link:
https://www.filescan.io/uploads/66a18abb9149fd55f9901ffb/reports/7bee3f81-3a87-46cf-8f92-c3b7af37d36c/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
SystemBC
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/83d42371-1fdd-49ef-88ec-84f4ef908220
Result
Threat name:
Bdaejec, SystemBC
Create hunting rule
Detection:
malicious
Classification:
spre.troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1480958
Signature
AI detected suspicious sample
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found evasive API chain (may stop execution after checking mutex)
Found malware configuration
Infects executable files (exe, dll, sys, html)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May use the Tor software to hide its network traffic
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has a writeable .text section
Tries to detect virtualization through RDTSC time measurements
Uses known network protocols on non-standard ports
Yara detected Bdaejec
Yara detected SystemBC
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1480958 Sample: F891E10C9A7B6D0CBBBB6B3D103... Startdate: 25/07/2024 Architecture: WINDOWS Score: 100 47 ddos.dnsnb8.net 2->47 49 bg.microsoft.map.fastly.net 2->49 65 Found malware configuration 2->65 67 Malicious sample detected (through community Yara rule) 2->67 69 Antivirus detection for URL or domain 2->69 71 13 other signatures 2->71 9 F891E10C9A7B6D0CBBBB6B3D103CF3DC935541430C5363648E6E1A3203BDD76D.exe 5 2->9         started        13 ewueorx.exe 1 2->13         started        signatures3 process4 dnsIp5 37 C:\Users\user\AppData\Local\Temp\rrkVgz.exe, PE32 9->37 dropped 39 C:\ProgramData\ldaavve\ewueorx.exe, PE32 9->39 dropped 41 C:\...\ewueorx.exe:Zone.Identifier, ASCII 9->41 dropped 73 Detected unpacking (changes PE section rights) 9->73 75 Detected unpacking (overwrites its own PE header) 9->75 77 Found evasive API chain (may stop execution after checking mutex) 9->77 79 Tries to detect virtualization through RDTSC time measurements 9->79 16 rrkVgz.exe 16 9->16         started        21 WerFault.exe 21 16 9->21         started        51 31.44.185.11, 4001, 49728, 49732 PINDC-ASRU Russian Federation 13->51 53 31.44.185.6, 4001, 49708, 49730 PINDC-ASRU Russian Federation 13->53 43 C:\Windows\Temp\rrkVgz.exe, PE32 13->43 dropped 81 Antivirus detection for dropped file 13->81 83 Multi AV Scanner detection for dropped file 13->83 85 Machine Learning detection for dropped file 13->85 23 rrkVgz.exe 1 29 13->23         started        file6 signatures7 process8 dnsIp9 45 ddos.dnsnb8.net 44.221.84.105, 49699, 49700, 49701 AMAZON-AESUS United States 16->45 31 C:\Program Files\7-Zip\Uninstall.exe, PE32 16->31 dropped 33 C:\Program Files (x86)\AutoIt3\...\SciTE.exe, PE32 16->33 dropped 35 C:\Program Files (x86)\AutoIt3\...\MyProg.exe, MS-DOS 16->35 dropped 55 Antivirus detection for dropped file 16->55 57 Multi AV Scanner detection for dropped file 16->57 59 Detected unpacking (changes PE section rights) 16->59 61 Infects executable files (exe, dll, sys, html) 16->61 25 WerFault.exe 19 16 16->25         started        63 Machine Learning detection for dropped file 23->63 27 cmd.exe 1 23->27         started        file10 signatures11 process12 process13 29 conhost.exe 27->29         started       
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/a35480f93ad4d0de19c119b903f6317cc8e59e779b654ec8f4bd5df4535267c6
Detection:
systembc
Create hunting rule
Link:
https://mwdb.cert.pl/sample/a35480f93ad4d0de19c119b903f6317cc8e59e779b654ec8f4bd5df4535267c6/
Threat name:
Win32.Virus.Jadtre
Create hunting rule
Status:
Malicious
First seen:
2024-07-24 23:14:13 UTC
File Type:
PE (Exe)
Extracted files:
8
AV detection:
36 of 38 (94.74%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=unkib6j22tin4gobdg4qh5rrpteolhtxtnsu5shuxvo7iu2sm7da._file
Verdict:
malicious
Similar samples:
055bb90b6b1355dfbd03fc77826720e14b37934a078fa1caa1ef0e47e04a99e8
SystemBC
11c509649c391209ce09bc178ebffcfc7cbfcf038ce699aebfd1303191c136aa
SystemBC
69b22d283fd4a6ce1c9f69f610449b016fdbb7ac1f8c23e199b3c72d7f75c61d
SystemBC
9b2d89057155cd1cec731e83a0946cf95772134f0069da737fa30935b5a9b325
SystemBC
a35480f93ad4d0de19c119b903f6317cc8e59e779b654ec8f4bd5df4535267c6
SystemBC
e77eb0d03b445cf74f20c2614b1135b62da61ecf0d7c48194b71b8f73297272d
SystemBC
+ 1 additional samples on MalwareBazaar
Result
Malware family:
systembc
Create hunting rule
Score:
  10/10
Tags:
family:systembc aspackv2 discovery trojan
Link:
https://tria.ge/reports/240724-27zd8awdme/
Behaviour
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
Drops file in Program Files directory
Drops file in Windows directory
ASPack v2.12-2.42
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
SystemBC
Malware Config
C2 Extraction:
31.44.185.6:4001
31.44.185.11:4001
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/73058abc-5267-434e-9a09-8a127820ea56
Unpacked files
SH256 hash:
b432805eb6b2b58dd957481aa8a973be58915c26c04630ce395753c6a5196b14
MD5 hash:
5403c11319b16a89e7665141f8bff9fb
SHA1 hash:
9c9ae4bdf521749f23267644e7346f7ee2ad98ab
Detections:
SystemBC
Create hunting rule
win_systembc_g1
Create hunting rule
EXT_MAL_SystemBC_Mar22_1
Create hunting rule
SystemBC_Config
Create hunting rule
win_systembc_20220311
Create hunting rule
MiniTor
Create hunting rule
Link:
https://www.unpac.me/results/c11123c4-832a-4a5b-bf08-4e24f8b8ac50/
Parent samples :
cb9fa8efff1e18846cac5f9f5700534dbb43d94beb5b4701e948d35669dde173
bad62abd7ad29c3d1379bd06439b3208549ceff63772420104c1b322a4abc810
f891e10c9a7b6d0cbbbb6b3d103cf3dc935541430c5363648e6e1a3203bdd76d
023e0ac5b8ee582ac8d8c1f36b96c8a87263e360428b0003b3159c876604be5f
7861180570ecfb48fccc3e1cff748974c64e58c31530aee4f9243af810200cc3
00d563277c832ba6a0d12f7b32f5ba19aac623bfaaabc8837d47bd6e985cd555
b4286bce9138f9c8fff9f8fc2eb4dcda9d48af83c62cf5ea03de48f862b301d9
4d62a012bd9a4700b2a0bc7143151eeaf12d1eb88bb8b02701902168cd42ce24
142d21e1c1d4b09bd1853f009c1e4bae0e3f4dcff9f9fe8d55e4cc5456d20971
1e31a6de957adb7a23e155ef8e9f80e67dc763443053e0014fba9e91f4eebc6f
64efd694a2e536ed7265fb46da5198788d895a9b7b9c2434404209b61c143a5f
0f88cfd80dda550bf8ed08966821d84f6344fa6110b248e1148f06109c9a9f96
055bb90b6b1355dfbd03fc77826720e14b37934a078fa1caa1ef0e47e04a99e8
69b22d283fd4a6ce1c9f69f610449b016fdbb7ac1f8c23e199b3c72d7f75c61d
9b2d89057155cd1cec731e83a0946cf95772134f0069da737fa30935b5a9b325
e77eb0d03b445cf74f20c2614b1135b62da61ecf0d7c48194b71b8f73297272d
11c509649c391209ce09bc178ebffcfc7cbfcf038ce699aebfd1303191c136aa
a35480f93ad4d0de19c119b903f6317cc8e59e779b654ec8f4bd5df4535267c6
SH256 hash:
96e79e9e1d6c8a145bdd47c8bf8db4af250da91271be543d59fdf2ebced6aaeb
MD5 hash:
fd4136ac435193fea3652b1fd7a6c76a
SHA1 hash:
6ba446045fa6288c71dd904357e6a0efee901716
Detections:
win_unidentified_045_auto
Create hunting rule
win_unidentified_045_g0
Create hunting rule
Link:
https://www.unpac.me/results/c11123c4-832a-4a5b-bf08-4e24f8b8ac50/
SH256 hash:
a35480f93ad4d0de19c119b903f6317cc8e59e779b654ec8f4bd5df4535267c6
MD5 hash:
9cc2a0c88851f241b01efa7e9372f32b
SHA1 hash:
fc455d1c0ab2653c146a277e4e246a4e3e5ba0c2
Link:
https://www.unpac.me/results/c11123c4-832a-4a5b-bf08-4e24f8b8ac50/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a35480f93ad4d0de19c119b903f6317cc8e59e779b654ec8f4bd5df4535267c6

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:maldoc_getEIP_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

SystemBC

Executable exe a35480f93ad4d0de19c119b903f6317cc8e59e779b654ec8f4bd5df4535267c6

(this sample)

  
Link
https://bbs.kafan.cn/forum-31-1.html
  
Delivery method
Distributed via e-mail attachment

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
CHECK_NXMissing Non-Executable Memory Protectioncritical
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh
Reviews
IDCapabilitiesEvidence
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::LoadLibraryA
KERNEL32.dll::GetStartupInfoA
KERNEL32.dll::GetCommandLineA
WIN_BASE_EXEC_APICan Execute other programsKERNEL32.dll::WriteConsoleW
KERNEL32.dll::WriteConsoleA
KERNEL32.dll::ReadConsoleW
KERNEL32.dll::SetConsoleWindowInfo
KERNEL32.dll::GetConsoleAliasesLengthW
KERNEL32.dll::GetConsoleAliasesA
KERNEL32.dll::GetConsoleTitleA
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CreateDirectoryW
KERNEL32.dll::CreateDirectoryA
KERNEL32.dll::MoveFileW
KERNEL32.dll::ReplaceFileA

Comments