MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b8cdfada8522638a45efdac45fe27eb60b9860222d2486036e12d4a18688445b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SystemBC


Vendor detections: 14


Intelligence 14 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b8cdfada8522638a45efdac45fe27eb60b9860222d2486036e12d4a18688445b
SHA3-384 hash: f449bdb852f6a303dbc57e7476d2eb3ded90695d1873a8f73ba27cfe694804a1dae653c0c86bafc58f51c3a31fbb344a
SHA1 hash: bfece5be6f01f5e44b5637c6d733577d8bb64941
MD5 hash: f0f5e6f32198fa1837b3090b7fd71fbb
humanhash: bulldog-september-high-blue
File name:f0f5e6f32198fa1837b3090b7fd71fbb
Download: download sample
Signature SystemBC
Create hunting rule
File size:4'297'728 bytes
First seen:2023-07-27 05:25:50 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 9b9dd0ce11be5cc7646e9cc1614960e6 (1 x SystemBC)
ssdeep 6144:sB5f3YwKrMducTng1RxdBNE8ZOoXzeprQoXwg4kVUm+vL1kXwT/vEVelKh:If3zKrMduNndr3zDepGkVwvhHXEV00
Threatray 14 similar samples on MalwareBazaar
TLSH T113167B19DD90C6A2F87A27B9E8F751F04C3F69B1E69C14851694DCE80EA6272F73C342
TrID 68.7% (.EXE) Win32 Executable Borland Delphi 7 (664796/42/58)
27.1% (.EXE) Win32 Executable Borland Delphi 6 (262638/61)
1.4% (.EXE) Win32 Executable Delphi generic (14182/79/4)
1.3% (.SCR) Windows screen saver (13097/50/3)
0.4% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 399998ecd4d46c0e (572 x Quakbot, 137 x ArkeiStealer, 82 x GCleaner)
Reporter abuse_ch
Tags:exe SystemBC


Avatar
abuse_ch
SystemBC payload URL:
https://hjsdfyuewghf.com/dhvedok.exe

SystemBC botnet C2s:
91.103.252.89:4317
91.103.252.57:4317

Intelligence

File Origin
# of uploads :
1
# of downloads :
293
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
f0f5e6f32198fa1837b3090b7fd71fbb
Verdict:
Suspicious activity
Analysis date:
2023-07-27 05:26:58 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/114dca39-5b86-4098-b39c-ce22fdabcaa9

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
SystemBC
Create hunting rule
Link:
https://www.capesandbox.com/analysis/434626/
Detection(s):
SecuriteInfo.com.Variant.Zusy.478152.25442.1792.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a window
Searching for synchronization primitives
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
control coroxy greyware keylogger lolbin shell32
Link:
https://www.filescan.io/uploads/64c1ffec907b8030b17b27c4/reports/f7e1c00e-d3bf-4deb-91dc-ea73caa606a3/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/b8cdfada8522638a45efdac45fe27eb60b9860222d2486036e12d4a18688445b
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
SystemBC
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/fb0dcf00-96c6-47d0-9c80-c062ee3246e5
Result
Threat name:
SystemBC
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1280822
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Creates autostart registry keys with suspicious values (likely registry only malware)
Found malware configuration
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suspicious powershell command line found
Tries to detect virtualization through RDTSC time measurements
Yara detected SystemBC
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1280822 Sample: ZqgrTW2sgn.exe Startdate: 27/07/2023 Architecture: WINDOWS Score: 100 33 Found malware configuration 2->33 35 Malicious sample detected (through community Yara rule) 2->35 37 Antivirus detection for URL or domain 2->37 39 5 other signatures 2->39 6 ZqgrTW2sgn.exe 1 2 2->6         started        11 ujrandd.exe 1 2->11         started        13 powershell.exe 11 2->13         started        15 powershell.exe 2->15         started        process3 dnsIp4 27 91.103.252.89, 4317, 49692, 49697 HOSTGLOBALPLUS-ASRU Russian Federation 6->27 29 hjsdfyuewghf.com 104.21.49.94, 443, 49696 CLOUDFLARENETUS United States 6->29 25 C:\Users\user\AppData\Local\...\ujrandd.exe, PE32 6->25 dropped 41 Creates autostart registry keys with suspicious values (likely registry only malware) 6->41 43 Tries to detect virtualization through RDTSC time measurements 6->43 45 Multi AV Scanner detection for dropped file 11->45 31 192.168.2.1 unknown unknown 13->31 17 ZqgrTW2sgn.exe 13->17         started        19 conhost.exe 13->19         started        21 ZqgrTW2sgn.exe 15->21         started        23 conhost.exe 15->23         started        file5 signatures6 process7
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b8cdfada8522638a45efdac45fe27eb60b9860222d2486036e12d4a18688445b/
Threat name:
Win32.Trojan.Coroxy
Create hunting rule
Status:
Malicious
First seen:
2023-07-24 00:38:47 UTC
File Type:
PE (Exe)
Extracted files:
38
AV detection:
19 of 24 (79.17%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=xdg7vwufejryurpp3lcf7yt6wyfzqybcfusima3oclkkdbuiirnq._file
Verdict:
malicious
Similar samples:
19397c6dce459330095edc72759d1e79e26f1e12f013cdaee6dbdb90d65aaae8
SystemBC
a79846e5685f2e79e36614a9f8c17476c6eb140b44954234a8842590cd7e7c29
SystemBC
ae0087b0e2f4292c64c5232368e562c30da4db998734b9b3dd5e27f456741f9c
SystemBC
b8623632ef4735f184691e98adaaa01e707f5287759ee0516fb1672db6187642
SystemBC
b8c302a27f96d81723dae52638784519772a968b84533a793e69aab74ef08ba4
SystemBC
c21da75b52a0bc699a83bf0eebc5216573533962d425f875191af178c19bab94
SystemBC
caf660d5a464070e4a488bb3d2153c90204f739e75684f4d8ed56de1062b2f87
SystemBC
cd40f468a59f1a6af15e76616d8f76e9e8fe854414fed5379d6284ed9e11f269
SystemBC
e142f4e8eb3fb4323fb377138f53db66e3e6ec9e82930f4b23dd91a5f7bd45d0
SystemBC
+ 4 additional samples on MalwareBazaar
Result
Malware family:
systembc
Create hunting rule
Score:
  10/10
Tags:
family:systembc persistence trojan
Link:
https://tria.ge/reports/230727-f4vqzahg77/
Behaviour
Suspicious use of AdjustPrivilegeToken
Adds Run key to start application
SystemBC
Malware Config
C2 Extraction:
91.103.252.89:4317
91.103.252.57:4317
Unpacked files
SH256 hash:
985dfdc1aa54ce64d8107d146542598d15feb5d665153ebd86e37a8db4642efe
MD5 hash:
21af03c443f36d5fbef8f36b26c1bcf8
SHA1 hash:
45d186a934e3ee170f88ea4940e7f850721ac148
Detections:
SystemBC
Create hunting rule
Link:
https://www.unpac.me/results/900add4e-c75b-4a18-bdb5-1d48e83e6f5e/
Parent samples :
cd40f468a59f1a6af15e76616d8f76e9e8fe854414fed5379d6284ed9e11f269
b8cdfada8522638a45efdac45fe27eb60b9860222d2486036e12d4a18688445b
SH256 hash:
b8cdfada8522638a45efdac45fe27eb60b9860222d2486036e12d4a18688445b
MD5 hash:
f0f5e6f32198fa1837b3090b7fd71fbb
SHA1 hash:
bfece5be6f01f5e44b5637c6d733577d8bb64941
Link:
https://www.unpac.me/results/900add4e-c75b-4a18-bdb5-1d48e83e6f5e/
Malware family:
CryptOne
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/b8cdfada8522/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

SystemBC

Executable exe b8cdfada8522638a45efdac45fe27eb60b9860222d2486036e12d4a18688445b

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2690725/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/434626/

Comments