MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b8623632ef4735f184691e98adaaa01e707f5287759ee0516fb1672db6187642. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SystemBC


Vendor detections: 16


Intelligence 16 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b8623632ef4735f184691e98adaaa01e707f5287759ee0516fb1672db6187642
SHA3-384 hash: a27d195aeaa5b718d7bc4c4fda939b787597399f76c1aef7038cdc7fdaf703a43d8f6e6120a789d8514422792d5a2e8d
SHA1 hash: 4e1d179697ab7536ee475494b158b969963e0bf6
MD5 hash: 4d18c07abced7f8fc570c83dd825bb0b
humanhash: potato-spring-magnesium-autumn
File name:4d18c07abced7f8fc570c83dd825bb0b.exe
Download: download sample
Signature SystemBC
Create hunting rule
File size:462'336 bytes
First seen:2023-07-14 06:43:38 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 0c3d84146fe14348c0e959c10518448a (2 x RedLineStealer, 1 x Amadey, 1 x SystemBC)
ssdeep 6144:ekN8IaM0bFfBmtjlfXKG/PhjPO6odPgQ4PJsL0cVeMmhi9MdNeerB+0Vsw:V8DM0blqjl/h/97MV0cGLNZxV
Threatray 427 similar samples on MalwareBazaar
TLSH T18EA4F112B6D0A830E5731A71492EC5A42B2FFC918F659BCB3258172F1DB02D1DBB6B53
TrID 52.5% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
17.7% (.EXE) Win64 Executable (generic) (10523/12/4)
8.4% (.EXE) Win16 NE executable (generic) (5038/12/1)
7.5% (.EXE) Win32 Executable (generic) (4505/5/1)
3.4% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon 1092c46048485440 (1 x SystemBC)
Reporter abuse_ch
Tags:exe SystemBC

Intelligence

File Origin
# of uploads :
1
# of downloads :
283
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
smoke
Create hunting rule
ID:
1
File name:
4d18c07abced7f8fc570c83dd825bb0b.exe
Verdict:
Malicious activity
Analysis date:
2023-07-14 06:46:29 UTC
Tags:
loader smoke trojan ransomware
Link:
https://app.any.run/tasks/f7d6e7ef-0072-4b5d-9ed1-62b9bd27c60e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Rhadamanthys
Create hunting rule
Link:
https://www.capesandbox.com/analysis/418601/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.68160535.1125.27329.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Using the Windows Management Instrumentation requests
Launching a process
DNS request
Sending an HTTP GET request
Launching the default Windows debugger (dwwin.exe)
Reading critical registry keys
Searching for the window
Unauthorized injection to a system process
Stealing user critical data
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/97548/overview
Behaviour
MalwareBazaar
SystemUptime
MeasuringTime
EvasionGetTickCount
CheckCmdLine
EvasionQueryPerformanceCounter
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/64b0eeb46e9f7019dea09f03/reports/6c354f02-86b3-43c5-92f5-28c5f226d4ff/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/b8623632ef4735f184691e98adaaa01e707f5287759ee0516fb1672db6187642
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/4ea253ba-2d60-43c6-9fc8-4938e4dc633e
Result
Threat name:
Phobos, RHADAMANTHYS
Create hunting rule
Detection:
malicious
Classification:
rans.troj.adwa.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1273070
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Creates files in the recycle bin to hide itself
Creates processes via WMI
Deletes itself after installation
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Drops PE files to the startup folder
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Sample uses process hollowing technique
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes many files with high entropy
Yara detected AntiVM3
Yara detected Phobos
Yara detected RHADAMANTHYS Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1273070 Sample: vtioL22Yej.exe Startdate: 14/07/2023 Architecture: WINDOWS Score: 100 51 Found malware configuration 2->51 53 Malicious sample detected (through community Yara rule) 2->53 55 Antivirus detection for URL or domain 2->55 57 9 other signatures 2->57 7 6647KxI.exe 2 75 2->7         started        11 vtioL22Yej.exe 1 2->11         started        14 OzIk5%O2.exe 2->14         started        16 Idm3IR6.exe 2->16         started        process3 dnsIp4 39 C:\Users\user\AppData\Roaming\...\6647KxI.exe, PE32 7->39 dropped 41 _Excel_SheetCopyMo...rexsdata.pro].8base, DOS 7->41 dropped 43 IsHwnd.au3.id[2DB9...rexsdata.pro].8base, DOS 7->43 dropped 45 132 other malicious files 7->45 dropped 67 Multi AV Scanner detection for dropped file 7->67 69 Creates files in the recycle bin to hide itself 7->69 71 Machine Learning detection for dropped file 7->71 85 2 other signatures 7->85 18 6647KxI.exe 7->18         started        49 servblog25.xyz 45.131.66.61, 49697, 49698, 49699 LOVESERVERSGB Germany 11->49 73 Detected unpacking (changes PE section rights) 11->73 75 Detected unpacking (overwrites its own PE header) 11->75 77 Performs DNS queries to domains with low reputation 11->77 20 certreq.exe 4 11->20         started        25 WerFault.exe 11->25         started        79 Contains functionality to inject code into remote processes 14->79 81 Sample uses process hollowing technique 14->81 83 Injects a PE file into a foreign processes 14->83 27 OzIk5%O2.exe 14->27         started        file5 signatures6 process7 dnsIp8 47 servblog25.xyz 20->47 33 C:\Users\user\AppData\Local\...\OzIk5%O2.exe, PE32 20->33 dropped 35 C:\Users\user\AppData\Local\...\Idm3IR6.exe, PE32 20->35 dropped 37 C:\Users\user\AppData\Local\...\6647KxI.exe, PE32 20->37 dropped 59 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 20->59 61 Tries to steal Mail credentials (via file / registry access) 20->61 63 Performs DNS queries to domains with low reputation 20->63 65 4 other signatures 20->65 29 conhost.exe 20->29         started        31 explorer.exe 2 4 27->31 injected file9 signatures10 process11
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b8623632ef4735f184691e98adaaa01e707f5287759ee0516fb1672db6187642/
Threat name:
Win32.Trojan.Smokeloader
Create hunting rule
Status:
Malicious
First seen:
2023-07-14 00:32:48 UTC
File Type:
PE (Exe)
Extracted files:
22
AV detection:
26 of 37 (70.27%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=xbrdmmxpi427dbdjd2mk3kvadzyh6uuhowpoaulpwfts3nqyozba._file
Verdict:
malicious
Similar samples:
64cc071973e05ae577f32bab349fafb4dba96ba9b8cab272aa5cd9d6074e5a39
SystemBC
bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732
SystemBC
c8d9a9758516d5a8936bd3bc01a9997fb677ed1dc54081caa985883935ff092b
SystemBC
caf660d5a464070e4a488bb3d2153c90204f739e75684f4d8ed56de1062b2f87
SystemBC
dea38651b06aab617e93bdb343fd28587bdc0e113a4fc957571a06988491ade7
SystemBC
e165b3e962a2916ed4693993f1911c04b18fcbf7fbdaa824d0e57449da4e4099
SystemBC
f0aec57001a184ea82122a59c6e5be48042f75d6f11a40125995ba9531aab718
SystemBC
+ 417 additional samples on MalwareBazaar
Result
Malware family:
systembc
Create hunting rule
Score:
  10/10
Tags:
family:phobos family:rhadamanthys family:smokeloader family:systembc backdoor collection evasion persistence ransomware spyware stealer trojan
Link:
https://tria.ge/reports/230714-hhhwdsce24/
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Interacts with shadow copies
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Uses Volume Shadow Copy service COM API
outlook_office_path
outlook_win_path
Program crash
Drops file in Program Files directory
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Drops desktop.ini file(s)
Deletes itself
Drops startup file
Executes dropped EXE
Reads user/profile data of web browsers
Deletes backup catalog
Downloads MZ/PE file
Modifies Windows Firewall
Deletes shadow copies
Modifies boot configuration data using bcdedit
Renames multiple (346) files with added filename extension
Renames multiple (83) files with added filename extension
Detect rhadamanthys stealer shellcode
Phobos
Rhadamanthys
SmokeLoader
Suspicious use of NtCreateUserProcessOtherParentProcess
SystemBC
Malware Config
C2 Extraction:
http://serverxlogs21.xyz/statweb255/
http://servxblog79.xyz/statweb255/
http://demblog289.xyz/statweb255/
http://admlogs77x.online/statweb255/
http://blogxstat38.xyz/statweb255/
http://blogxstat25.xyz/statweb255/
adstat477d.xyz:4044
demstat577d.xyz:4044
Unpacked files
SH256 hash:
fab1ee69cd9945ee286ec80b86628c898a24974fb5674c1330916bba74117c0b
MD5 hash:
b3a3a6e2fa5adb117305d96ce8dd366a
SHA1 hash:
e3d7308aebb9bac40146de603c981e020885d24d
Detections:
BruteRatel
Create hunting rule
win_brute_ratel_c4_w0
Create hunting rule
Link:
https://www.unpac.me/results/dc3544fd-8d03-48bc-9dd0-0ccc6ee8ad3b/
Parent samples :
caf660d5a464070e4a488bb3d2153c90204f739e75684f4d8ed56de1062b2f87
b8623632ef4735f184691e98adaaa01e707f5287759ee0516fb1672db6187642
ae0087b0e2f4292c64c5232368e562c30da4db998734b9b3dd5e27f456741f9c
c21da75b52a0bc699a83bf0eebc5216573533962d425f875191af178c19bab94
SH256 hash:
b8623632ef4735f184691e98adaaa01e707f5287759ee0516fb1672db6187642
MD5 hash:
4d18c07abced7f8fc570c83dd825bb0b
SHA1 hash:
4e1d179697ab7536ee475494b158b969963e0bf6
Link:
https://www.unpac.me/results/dc3544fd-8d03-48bc-9dd0-0ccc6ee8ad3b/
Malware family:
Dharma
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/b8623632ef47/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/418601/

Comments