MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b39010f72fe4fdd3c6fc1d8387fb4391e804694a3749c1beeeebcebb86b0b257. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SystemBC
Vendor detections: 14


SHA256 hash: b39010f72fe4fdd3c6fc1d8387fb4391e804694a3749c1beeeebcebb86b0b257
SHA3-384 hash: f6b23bb65d651df7e5e96e095f2ebd315431318587683c3db11ac10fb72dba4fb4d71b7bddf3e517f31d66de3bc79a78
SHA1 hash: 84e8b4ecdc853318c2e1aba3cbc471bf13764cd6
MD5 hash: 19b9f2724e5da3090ec0c7e1a106849d
humanhash: carolina-artist-solar-oklahoma
File name: B39010F72FE4FDD3C6FC1D8387FB4391E804694A3749C.exe
Signature: SystemBC
File size: 5'764'672 bytes
First seen: 2024-05-29 15:45:12 UTC
Last seen: 2024-05-29 16:29:12 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 608505ff1e7e27ff4a42ea9c4e9f4192 (5 x LummaStealer, 3 x NetSupport, 2 x ConnectWise)
ssdeep: 98304:UhxzP3MqBfTluw4yctnfZeos5HCZJG/QXGCWxuILaBHFwRVa4S7b:U/PdfTUHNyiZJGDublMX2b
TLSH: T138469E31324AC52FD96211B0192C9A9F512CBE790BB255CBB3CC2E7E1BB55C21736E27
TrID: 68.8% (.CPL) Windows Control Panel Item (generic) (57583/11/19)
      12.5% (.EXE) Win64 Executable (generic) (10523/12/4)
      6.0% (.EXE) Win16 NE executable (generic) (5038/12/1)
      5.3% (.EXE) Win32 Executable (generic) (4504/4/1)
      2.4% (.EXE) OS/2 Executable (generic) (2029/13)
dhash icon: 696a6ee2b2b2c2cc (18 x RedLineStealer, 17 x LummaStealer, 16 x CoinMiner)
Reporter: abuse_ch
Tags: exe signed SystemBC

Code Signing Certificate

Organisation: Winprogs
Issuer: Winprogs
Algorithm: sha256WithRSAEncryption
Valid from: 2023-10-25T12:09:29Z
Valid to: 2024-10-25T12:29:29Z
Serial number: 2a2d4c3a3739628e44bfb05dcfc342f6
Thumbprint Algorithm: SHA256
Thumbprint: b79a03bce1069236930cb1465831c6b6c4b70022970b48b932b17e404eec9e8b
Source: This information was brought to you by ReversingLabs A1000 Malware Analysis Platform


Comment by abuse_ch:
SystemBC C2: 5.161.81.32:4001

Intelligence


File Origin
Number of uploads: 2
Number of downloads: 613
Origin country: NL

Vendor Threat Intelligence
Malware family: systembc
ID: 1
File name: b39010f72fe4fdd3c6fc1d8387fb4391e804694a3749c1beeeebcebb86b0b257.exe
Verdict: Malicious activity
Analysis date: 2024-05-29 15:46:10 UTC
Tags: systembc miner proxy botnet

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict: Malicious
Score: 99.1%
Tags: Encryption Execution Static Runner

Result
Verdict: Malware
Maliciousness:
Behaviour
Creating a window
Creating synchronization primitives
Searching for the window
Searching for synchronization primitives
Creating a file in the %AppData% subdirectories
Creating a file in the %temp% directory
Launching a process
Modifying a system file
Creating a file in the Windows subdirectories
Creating a file
DNS request
Connection attempt
Sending a custom TCP request
Moving a recently created file
Creating a process from a recently created file
Creating a process with a hidden window
Running batch commands
Possible injection to a system process
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Enabling autorun by creating a file
Adding an exclusion to Microsoft Defender
Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: anti-vm fingerprint lolbin msiexec overlay packed setupapi shell32
Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: Babadeda, PureLog Stealer, SystemBC, zgR
Detection: malicious
Classification: troj.evad
Score: 100 / 100
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
AI detected suspicious sample
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Disable Windows Defender notifications (registry)
Disable Windows Defender real time protection (registry)
Drops executables to the windows directory (C:\Windows) and starts them
Drops large PE files
Found malware configuration
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Modifies the context of a thread in another process (thread injection)
Modifies Windows Defender protection settings
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Query firmware table information (likely to detect VMs)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Powershell Defender Disable Scan Feature
Sigma detected: WScript or CScript Dropper
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses cmd line tools excessively to alter registry or file data
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Yara detected AntiVM3
Yara detected Babadeda
Yara detected Costura Assembly Loader
Yara detected PureLog Stealer
Yara detected SystemBC
Yara detected zgRAT
Behaviour
Behavior Graph: [graph image not reproduced] Behavior Graph ID: 1449081; Sample: B39010F72FE4FDD3C6FC1D8387F...; Startdate: 29/05/2024; Architecture: WINDOWS; Score: 100
Node labels recoverable from the graph:
Contacted hosts: wprogs.top (5.161.81.32, port 4001, HETZNER-ASDE Germany, from networkbroker.exe); raw.githubusercontent.com (185.199.108.133, port 443, FASTLYUS Netherlands, from msiexec.exe); windowsupdatebg.s.llnwi.net
Process tree: msiexec.exe -> MSICB4C.tmp -> winserverupd.exe -> winserverupd.exe -> cmd.exe (D8B8.bat) -> reg.exe, reg.exe -> Conhost.exe, powershell.exe, 31 other processes; msiexec.exe -> MSICBAD.tmp -> EdUpdMachine.exe; networkbroker.exe -> networkbroker.exe; SurrogateServerIntoSvc.exe; 2 other processes -> SurrogateServerIntoSvc.exe, msiexec.exe
Dropped files: C:\Windows\Installer\MSICD93.tmp (PE32), C:\Windows\Installer\MSICBAD.tmp (PE32+), C:\Windows\Installer\MSICB8D.tmp (PE32) and 22 other malicious files; C:\Users\user\AppData\...\winserverupd.exe (PE32), C:\Users\user\AppData\...\networkbroker.exe (PE32), C:\Users\user\...\SurrogateServerIntoSvc.exe (PE32), C:\Users\user\AppData\...dUpdMachine.exe (PE32+); C:\Users\user\AppData\Local\...\MSIC63B.tmp, MSIC5FC.tmp, MSIC5BC.tmp (PE32); C:\Users\user\AppData\Local\Temp\$77bba4cb (PE32); C:\Users\user\AppData\Local\Temp\...\D8B8.bat (ASCII)
Threat name: Win32.Trojan.Malgent
Status: Malicious
First seen: 2024-05-28 22:26:00 UTC
File Type: PE (Exe)
Extracted files: 62
AV detection: 16 of 23 (69.57%)
Threat level: 5/5
Verdict: unknown

Result
Malware family: n/a
Score: 10/10
Tags: evasion execution trojan
Behaviour
Modifies data under HKEY_USERS
Modifies registry class
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Windows directory
Drops file in System32 directory
Suspicious use of SetThreadContext
Blocklisted process makes network request
Enumerates connected drives
Legitimate hosting services abused for malware hosting/C2
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Command and Scripting Interpreter: PowerShell
Modifies Windows Defender Real-time Protection settings
Modifies security service
Suspicious use of NtCreateUserProcessOtherParentProcess
Malware Config
Dropper Extraction: https://raw.githubusercontent.com/washywashy14/7zip-bin/master/win/Uemlxaw.zip

Unpacked files
SHA256 hash: b39010f72fe4fdd3c6fc1d8387fb4391e804694a3749c1beeeebcebb86b0b257
MD5 hash: 19b9f2724e5da3090ec0c7e1a106849d
SHA1 hash: 84e8b4ecdc853318c2e1aba3cbc471bf13764cd6
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: APT_Sandworm_ArguePatch_Apr_2022_1
Author: Arkbird_SOLG
Description: Detect ArguePatch loader used by Sandworm group to load CaddyWiper
Reference: https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/

Rule name: command_and_control
Author: CD_R0M_
Description: This rule searches for common strings found by malware using C2. Based on a sample used by a Ransomware group

Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: EXT_MAL_SystemBC_Mar22_1
Author: Thomas Barabosch, Deutsche Telekom Security
Description: Detects unpacked SystemBC module as used by Emotet in March 2022
Reference: https://twitter.com/Cryptolaemus1/status/1502069552246575105

Rule name: maldoc_find_kernel32_base_method_1
Author: Didier Stevens (https://DidierStevens.com)

Rule name: MD5_Constants
Author: phoul (@phoul)
Description: Look for MD5 constants

Rule name: meth_peb_parsing
Author: Willi Ballenthin

Rule name: PE_Digital_Certificate
Author: albertzsigovits

Rule name: PE_Potentially_Signed_Digital_Certificate
Author: albertzsigovits

Rule name: PureBasic4xNeilHodgson
Author: malware-lu

Rule name: RIPEMD160_Constants
Author: phoul (@phoul)
Description: Look for RIPEMD-160 constants

Rule name: SHA1_Constants
Author: phoul (@phoul)
Description: Look for SHA1 constants

Rule name: Start2_net_bin
Author: James_inthe_box
Description: SystemBC
Reference: 7bd341488dc6f01a6662ac478d67d3cd8211cbf362994355027b5bdf573cc31e

Rule name: Start2_overlap_bin
Author: James_inthe_box
Description: SystemBC
Reference: 7bd341488dc6f01a6662ac478d67d3cd8211cbf362994355027b5bdf573cc31e

Rule name: Start2__bin
Author: James_inthe_box
Description: SystemBC
Reference: 7bd341488dc6f01a6662ac478d67d3cd8211cbf362994355027b5bdf573cc31e

File information


The table below shows additional information about this malware sample such as delivery method and external references.

BLint


The following table provides more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables.

Findings
ID | Title | Severity
CHECK_DLL_CHARACTERISTICS | Missing dll Security Characteristics (HIGH_ENTROPY_VA) | high
CHECK_TRUST_INFO | Requires Elevated Execution (level:requireAdministrator) | high

Reviews
ID | Capabilities | Evidence
WIN32_PROCESS_API | Can Create Process and Threads | KERNEL32.dll::CreateProcessW, KERNEL32.dll::CloseHandle, KERNEL32.dll::CreateThread
WIN_BASE_API | Uses Win Base API | KERNEL32.dll::TerminateProcess, KERNEL32.dll::LoadLibraryExW, KERNEL32.dll::LoadLibraryW, KERNEL32.dll::LoadLibraryExA, KERNEL32.dll::LoadLibraryA, KERNEL32.dll::GetDriveTypeW
WIN_BASE_EXEC_API | Can Execute other programs | KERNEL32.dll::WriteConsoleW, KERNEL32.dll::ReadConsoleW, KERNEL32.dll::SetConsoleTextAttribute, KERNEL32.dll::SetStdHandle, KERNEL32.dll::GetConsoleOutputCP, KERNEL32.dll::GetConsoleScreenBufferInfo, KERNEL32.dll::GetConsoleMode
WIN_BASE_IO_API | Can Create Files | KERNEL32.dll::CopyFileW, KERNEL32.dll::CopyFileExW, KERNEL32.dll::CreateDirectoryW, KERNEL32.dll::CreateFileW, KERNEL32.dll::DeleteFileW, KERNEL32.dll::MoveFileW

Comments