MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 af1679585c261a5a4490b7848e65d45b6bc030fa124e75cccc2ac28e615d041e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SystemBC


Vendor detections: 15


Intelligence 15 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: af1679585c261a5a4490b7848e65d45b6bc030fa124e75cccc2ac28e615d041e
SHA3-384 hash: c721eaef25139918e97f1fa125162432fdb9adec050a82cb6d655ce7e5d9f92a133f1fb97ef68029745e58e28f5f02fd
SHA1 hash: a534f99c56d321e2b4cb111e5afbe38ee4dd2fd4
MD5 hash: c48a400ccdb846dfeecdb8564ed29e6a
humanhash: ohio-march-mars-mirror
File name:file
Download: download sample
Signature SystemBC
Create hunting rule
File size:5'808'578 bytes
First seen:2023-04-25 14:02:01 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 483f0c4259a9148c34961abbda6146c1 (17 x ValleyRAT, 8 x AsyncRAT, 7 x QuasarRAT)
ssdeep 98304:097RqNuY64Jd70rj4uJUDFsPDDLuTw/mH8JVOYN8G3fPBuY5VGfiVC2jyi/HKqP6:+sNukdU4QN/mcJPVBuMAKsgqqP54
TLSH T173463311F3D35570EA2A55BACC1255789E1A71E912E830772E3CEB0F19BC185C9BFAB0
TrID 73.1% (.EXE) Inno Setup installer (109740/4/30)
9.4% (.EXE) Win32 Executable Delphi generic (14182/79/4)
7.0% (.EXE) Win64 Executable (generic) (10523/12/4)
3.0% (.EXE) Win32 Executable (generic) (4505/5/1)
1.9% (.MZP) WinArchiver Mountable compressed Archive (3000/1)
File icon (PE):PE icon
dhash icon 1000000000000000 (1 x SystemBC)
Reporter jstrosch
Tags:exe SystemBC

Intelligence

File Origin
# of uploads :
1
# of downloads :
248
Origin country :
US US
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2023-04-25 14:04:09 UTC
Tags:
installer
Link:
https://app.any.run/tasks/e3225b07-8193-44ae-b3b4-79d8d478f2dd

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/384809/
Detection(s):
PUA.Win.Malware.Speedingupmypc-6718419-0
Create hunting rule

SecuriteInfo.com.Adware.Siggen.31863.24335.23560.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a window
Creating a process from a recently created file
Сreating synchronization primitives
Creating a process with a hidden window
Searching for the window
Searching for synchronization primitives
Creating a file in the %AppData% subdirectories
Moving a file to the %AppData% subdirectory
Enabling the 'hidden' option for recently created files
Creating a file
Running batch commands
Sending a custom TCP request
Connecting to a non-recommended domain
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Enabling autorun by creating a file
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/81403/overview
Behaviour
MalwareBazaar
CheckNumberOfProcessor
CheckCmdLine
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
installer overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/6447f0590bac81e8385a2ccd/reports/317d842c-c0d2-4b18-be79-5ea0548fe6bc/overview
Verdict:
Malicious
Labled as:
Win/grayware_confidence_60%
Link:
https://www.hybrid-analysis.com/sample/af1679585c261a5a4490b7848e65d45b6bc030fa124e75cccc2ac28e615d041e
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
SystemBC
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/aeacb736-fd4e-4969-8441-0aa945d558a2
Result
Threat name:
SystemBC
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1220765
Signature
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Found evasive API chain (may stop execution after checking mutex)
Found malware configuration
Hides threads from debuggers
Multi AV Scanner detection for submitted file
Obfuscated command line found
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
PE file contains section with special chars
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Tries to evade analysis by execution special instruction (VM detection)
Yara detected SystemBC
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 853718 Sample: file.exe Startdate: 25/04/2023 Architecture: WINDOWS Score: 100 56 Found malware configuration 2->56 58 Antivirus detection for dropped file 2->58 60 Multi AV Scanner detection for submitted file 2->60 62 4 other signatures 2->62 10 file.exe 2 2->10         started        14 lmsass.scr 2->14         started        process3 file4 52 C:\Users\user\AppData\Local\Temp\...\file.tmp, PE32 10->52 dropped 66 Obfuscated command line found 10->66 16 file.tmp 3 5 10->16         started        68 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 14->68 70 Hides threads from debuggers 14->70 19 lmsass.scr 14->19         started        signatures5 process6 file7 38 C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+ 16->38 dropped 40 C:\Users\user\AppData\Local\...\_shfoldr.dll, PE32 16->40 dropped 21 file.exe 2 16->21         started        process8 file9 42 C:\Users\user\AppData\Local\Temp\...\file.tmp, PE32 21->42 dropped 64 Obfuscated command line found 21->64 25 file.tmp 3 9 21->25         started        signatures10 process11 file12 44 C:\Users\user\AppData\...\lmsass.scr (copy), PE32 25->44 dropped 46 C:\Users\user\AppData\...\is-SU062.tmp, PE32 25->46 dropped 48 C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+ 25->48 dropped 50 C:\Users\user\AppData\Local\...\_shfoldr.dll, PE32 25->50 dropped 28 lmsass.scr 25->28         started        31 cmd.exe 1 25->31         started        process13 signatures14 72 Detected unpacking (changes PE section rights) 28->72 74 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 28->74 76 Found evasive API chain (may stop execution after checking mutex) 28->76 78 3 other signatures 28->78 33 lmsass.scr 28->33         started        36 conhost.exe 31->36         started        process15 dnsIp16 54 5.45.73.25, 4246, 49699 SERVERIUS-ASNL Russian Federation 33->54
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/af1679585c261a5a4490b7848e65d45b6bc030fa124e75cccc2ac28e615d041e/
Threat name:
Win32.Trojan.Coroxy
Create hunting rule
Status:
Malicious
First seen:
2023-04-20 08:32:00 UTC
File Type:
PE (Exe)
Extracted files:
5
AV detection:
22 of 37 (59.46%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=v4lhswc4eynfureqw6ci4zoulnv4amh2cjhhltgmflbi4yk5aqpa._file
Verdict:
malicious
Result
Malware family:
systembc
Create hunting rule
Score:
  10/10
Tags:
family:systembc trojan
Link:
https://tria.ge/reports/230425-rb5agsag33/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Checks computer location settings
Deletes itself
Drops startup file
Executes dropped EXE
Loads dropped DLL
SystemBC
Malware Config
C2 Extraction:
5.45.73.25:4246
poolsforyour.com:4246
Unpacked files
SH256 hash:
a0a0cbdf94cedc05d26326037c2ea91415e768fec3acc16961de9075d1c228fc
MD5 hash:
b0a0cce6e5867907cd448877a62ff774
SHA1 hash:
3148de857c29b31a99a7ae15ff521d1f1eb24561
Detections:
SystemBC
Create hunting rule
Link:
https://www.unpac.me/results/5ebba829-10ad-45ae-a5d9-cb44696b5e5d/
SH256 hash:
6d74c948e8a2019dcee679dea740008d0db3e7cd8e0666288f512db81e02d8a5
MD5 hash:
7d62348b48f680e5ad8679ef4c4af2fa
SHA1 hash:
72ef60c99f5d7757d7aa6fec7afe92f5908072b2
Link:
https://www.unpac.me/results/5ebba829-10ad-45ae-a5d9-cb44696b5e5d/
SH256 hash:
44b8e6a310564338968158a1ed88c8535dece20acb06c5e22d87953c261dfed0
MD5 hash:
9c8886759e736d3f27674e0fff63d40a
SHA1 hash:
ceff6a7b106c3262d9e8496d2ab319821b100541
Link:
https://www.unpac.me/results/5ebba829-10ad-45ae-a5d9-cb44696b5e5d/
SH256 hash:
9db907ea722ff077ccb615d1e78c9c948a019e820ea732a380f0e0ed1cf812bc
MD5 hash:
52b26165c6e3716fb6a13f90199b8945
SHA1 hash:
af0276a652e8ee18b2275d1182305c78275852bb
Link:
https://www.unpac.me/results/5ebba829-10ad-45ae-a5d9-cb44696b5e5d/
SH256 hash:
af1679585c261a5a4490b7848e65d45b6bc030fa124e75cccc2ac28e615d041e
MD5 hash:
c48a400ccdb846dfeecdb8564ed29e6a
SHA1 hash:
a534f99c56d321e2b4cb111e5afbe38ee4dd2fd4
Link:
https://www.unpac.me/results/5ebba829-10ad-45ae-a5d9-cb44696b5e5d/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/af1679585c261a5a4490b7848e65d45b6bc030fa124e75cccc2ac28e615d041e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

SystemBC

Executable exe af1679585c261a5a4490b7848e65d45b6bc030fa124e75cccc2ac28e615d041e

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2614439/
Cape
Cape
https://www.capesandbox.com/analysis/384809/

Comments