MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b3c506f89220c76008795fdb56d670380ab58d952065c891f75a8db54b84ef8e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SystemBC


Vendor detections: 13


Intelligence 13 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b3c506f89220c76008795fdb56d670380ab58d952065c891f75a8db54b84ef8e
SHA3-384 hash: 803a7634ece465658155e818b9bd1de6340605ec8180b50482320880bf0894482eb05fcbe1edcaa9fd0e5bbb2400a3b7
SHA1 hash: 25249086768b072a7f0649ab9fb60fa4e3eb95b6
MD5 hash: f57290a3fb2a9714e880f92a4ee1f22a
humanhash: nitrogen-eleven-robin-eight
File name:f57290a3fb2a9714e880f92a4ee1f22a.exe
Download: download sample
Signature SystemBC
Create hunting rule
File size:9'548'944 bytes
First seen:2022-10-28 18:03:28 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash d11871fc716f77feec71c42bf958e3e1 (1 x RaccoonStealer, 1 x SystemBC)
ssdeep 196608:puiEfVsQ+P5VBqvpxTle/y89BcDmwIuAOie1M:pdrnUvTm9BcDm/T
Threatray 418 similar samples on MalwareBazaar
TLSH T152A6C0A13609B3CFC44E24FC9416CF47AAB943B74624490DE8AEBABE5F13F45354AD24
TrID 32.2% (.EXE) Win64 Executable (generic) (10523/12/4)
20.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
15.4% (.EXE) Win16 NE executable (generic) (5038/12/1)
13.7% (.EXE) Win32 Executable (generic) (4505/5/1)
6.2% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon 63d94c244460613e (2 x SystemBC, 1 x LgoogLoader)
Reporter abuse_ch
Tags:exe SystemBC

Intelligence

File Origin
# of uploads :
1
# of downloads :
275
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
f57290a3fb2a9714e880f92a4ee1f22a.exe
Verdict:
Malicious activity
Analysis date:
2022-10-28 18:05:09 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/de21f1b2-4c08-425d-9ead-9dc96f7fd534

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
SystemBC
Create hunting rule
Link:
https://www.capesandbox.com/analysis/325600/
Detection(s):
SecuriteInfo.com.Win32.Malware-gen.15258.14092.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for analyzing tools
Searching for the window
Creating a window
Сreating synchronization primitives
Creating a file
Enabling autorun by creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
overlay packed virus virut
Link:
https://www.filescan.io/uploads/635c199558409ff7bc0c2da5/reports/c161620b-4038-402c-9aeb-87a704f4c3ad/overview
Result
Verdict:
MALICIOUS
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/093d9070-0c87-4bfd-adcc-3c6bfc4136c7
Result
Threat name:
SystemBC
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1100543
Signature
C2 URLs / IPs found in malware configuration
Found evasive API chain (may stop execution after checking mutex)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Query firmware table information (likely to detect VMs)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Yara detected SystemBC
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b3c506f89220c76008795fdb56d670380ab58d952065c891f75a8db54b84ef8e/
Threat name:
Win32.Trojan.Bsymem
Create hunting rule
Status:
Malicious
First seen:
2022-10-27 08:26:22 UTC
File Type:
PE (Exe)
Extracted files:
27
AV detection:
18 of 26 (69.23%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=wpcqn6eseddwacdzl7nvnvtqhaflldmvebs4repxlkg3ks4e56ha._file
Verdict:
malicious
Similar samples:
08c672cbfc638f1cde4a502afb6b0b907b0a665a6b487a9552cbf48abcb516a1
SystemBC
108cad79cd5bd2a947c5b877a55b7d3a6a4ce579aae3f298c0618154c27eb3d4
SystemBC
53379b36716f384e530dae9ec883c459d0c12f0260116614a0482ded7d9b5ba9
SystemBC
792d8bfb5e0660c8967fa84902963bbd3ccc345f9e17f777c6d016343655afdf
SystemBC
87be6f628553d89007fd8f7d0758d42906f2ee7d84ca18e961cb463921061a42
SystemBC
c53f7ebd83475a296ad52cd4e9c44c7eb93f0db72182e66c2816a81571400112
SystemBC
d36d4465c570673839d1139e66b284072a9d9f88ea7e2733c1751bd77e9afb2c
SystemBC
d3de52ec5e00eff831e15a2719c702f98fbcf95183849dea98d1483c6f171446
SystemBC
e87d665a4fbec30fcb5bd5d5203c4736810d638e9b82fb06257ae8a4087cbc17
SystemBC
+ 408 additional samples on MalwareBazaar
Result
Malware family:
systembc
Create hunting rule
Score:
  10/10
Tags:
family:systembc evasion themida trojan
Link:
https://tria.ge/reports/221028-wnk5lahdg9/
Behaviour
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Drops file in Windows directory
Drops file in System32 directory
Checks whether UAC is enabled
Checks BIOS information in registry
Themida packer
Identifies VirtualBox via ACPI registry values (likely anti-VM)
SystemBC
Malware Config
C2 Extraction:
89.22.225.242:4193
195.2.93.22:4193
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/4fdafcb2-8f8c-495b-bbce-c19346e7d610
Unpacked files
SH256 hash:
665bcb7f7601b49961474f6f30495a18cdf3758e3b171874eb48190397b713a9
MD5 hash:
ad72822c0c72a676edae67f14716da34
SHA1 hash:
ee4464fea8e4a5459c7ae964c8f6fc51203e76ce
Detections:
SystemBC
Create hunting rule
Link:
https://www.unpac.me/results/01d0d66f-cac3-4c44-bedb-afb59ed8d5a7/
Parent samples :
19b7183a3eed215c98ce35ac4168917345ef97c104b0c5a7ea43919f094a3bc3
b3c506f89220c76008795fdb56d670380ab58d952065c891f75a8db54b84ef8e
665bcb7f7601b49961474f6f30495a18cdf3758e3b171874eb48190397b713a9
bff34ec881bbe9726f025fcf4585150e98178bd2ecdbc7fc29939dbf554ab708
SH256 hash:
16ebd118afb09738c0142b045c23878e774c6778fa429dd6371837ed8ae3a02a
MD5 hash:
db1db92af52835197992fe6594316a39
SHA1 hash:
43d139066311cefde3fad0c2ce52562293995f88
Link:
https://www.unpac.me/results/01d0d66f-cac3-4c44-bedb-afb59ed8d5a7/
SH256 hash:
b3c506f89220c76008795fdb56d670380ab58d952065c891f75a8db54b84ef8e
MD5 hash:
f57290a3fb2a9714e880f92a4ee1f22a
SHA1 hash:
25249086768b072a7f0649ab9fb60fa4e3eb95b6
Link:
https://www.unpac.me/results/01d0d66f-cac3-4c44-bedb-afb59ed8d5a7/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.20
Link:
https://yomi.yoroi.company/submissions/b3c506f89220c76008795fdb56d670380ab58d952065c891f75a8db54b84ef8e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_Themida
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with Themida
Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

SystemBC

Executable exe b3c506f89220c76008795fdb56d670380ab58d952065c891f75a8db54b84ef8e

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/325600/
  
URLhaus
https://urlhaus.abuse.ch/url/2389580/
  
Delivery method
Distributed via web download

Comments