MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bad62abd7ad29c3d1379bd06439b3208549ceff63772420104c1b322a4abc810. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SystemBC

Vendor detections: 14

Intelligence 14 IOCs YARA 6 File information Comments

SHA256 hash:	bad62abd7ad29c3d1379bd06439b3208549ceff63772420104c1b322a4abc810
SHA3-384 hash:	0f2a047d662088d273ac76a8d73a04da3ef8ac346807d1de014a669e16c70045a29d881603278508a34d87491fd2fcad
SHA1 hash:	a2251c07ea52e9886be15835d45eac41c24af78d
MD5 hash:	572eb88ef3e508c0556d55b4e7f649bd
humanhash:	west-diet-sweet-march
File name:	572eb88ef3e508c0556d55b4e7f649bd.exe
Download:	download sample
Signature	SystemBC Create hunting rule
File size:	242'688 bytes
First seen:	2022-03-21 08:10:17 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	faaf45f51400f48ccc9484bc4fae33cf (1 x RaccoonStealer, 1 x N-W0rm, 1 x SystemBC)
ssdeep	1536:4NiudIOU0UrlRcrLjb1hz84dLkxSfXTSoUyFqmnHii3sW5R2IDvpeF2B:4Ni15wH159rSoUDuF5R2UvpeF2B
TLSH	T1FC34BF623E50C832C49664735825C6A1EA3FB832F6B2C5077B554B7D1F313C2AA7A35B
File icon (PE):
dhash icon	4839b234e8c38890 (121 x RaccoonStealer, 54 x RedLineStealer, 51 x ArkeiStealer)
Reporter	abuse_ch
Tags:	exe SystemBC

Intelligence

File Origin

# of uploads :

# of downloads :

170

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/253354/

Detection(s):

Win.Dropper.Tofsee-9941761-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a custom TCP request

Searching for synchronization primitives

DNS request

Sending an HTTP GET request

Launching the default Windows debugger (dwwin.exe)

Searching for the window

Сreating synchronization primitives

Creating a window

Creating a file

Creating a process from a recently created file

Enabling autorun by creating a file

Result

Malware family:

n/a

Score:

3/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/10037/overview

Behaviour

MeasuringTime

SystemUptime

EvasionGetTickCount

EvasionQueryPerformanceCounter

CheckCmdLine

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

greyware

Link:

https://www.filescan.io/uploads/623833190cd58dbd92cd0e0f/reports/19055ac9-6ae5-46cf-b07a-a1eefcadac29/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

SystemBC

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/dde2644f-a3d7-4569-9206-8629151d86b5

Result

Threat name:

SystemBC

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/960506

Signature

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found evasive API chain (may stop execution after checking mutex)

Found malware configuration

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

May use the Tor software to hide its network traffic

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Tries to detect virtualization through RDTSC time measurements

Yara detected SystemBC

Behaviour

Behavior Graph:

Download SVG

Detection:

systembc

Link:

https://mwdb.cert.pl/sample/bad62abd7ad29c3d1379bd06439b3208549ceff63772420104c1b322a4abc810/

Threat name:

Win32.Backdoor.Systembc

Status:

Malicious

First seen:

2022-03-14 19:24:59 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

38 of 42 (90.48%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=xllcvpl22kod2e3zxudehgzsbbkjz37wg5zeeaieygzsfjflzaia._file

Verdict:

malicious

Result

Malware family:

systembc

Score:

10/10

Tags:

family:systembc suricata trojan

Link:

https://tria.ge/reports/220321-j3ak7aafal/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Program crash

Drops file in Windows directory

Downloads MZ/PE file

Executes dropped EXE

SystemBC

suricata: ET MALWARE Single char EXE direct download likely trojan (multiple families)

suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

suricata: ET MALWARE Win32/SystemBC CnC Checkin

Malware Config

C2 Extraction:

31.44.185.6:4001
31.44.185.11:4001

Unpacked files

SH256 hash:

b432805eb6b2b58dd957481aa8a973be58915c26c04630ce395753c6a5196b14

MD5 hash:

5403c11319b16a89e7665141f8bff9fb

SHA1 hash:

9c9ae4bdf521749f23267644e7346f7ee2ad98ab

Detections:

win_systembc_g0

win_systembc_auto

Link:

https://www.unpac.me/results/b3bf3ba4-c9de-4771-8aa3-1fd1b9f6258a/

Parent samples :

cb9fa8efff1e18846cac5f9f5700534dbb43d94beb5b4701e948d35669dde173
bad62abd7ad29c3d1379bd06439b3208549ceff63772420104c1b322a4abc810
f891e10c9a7b6d0cbbbb6b3d103cf3dc935541430c5363648e6e1a3203bdd76d
023e0ac5b8ee582ac8d8c1f36b96c8a87263e360428b0003b3159c876604be5f
7861180570ecfb48fccc3e1cff748974c64e58c31530aee4f9243af810200cc3
00d563277c832ba6a0d12f7b32f5ba19aac623bfaaabc8837d47bd6e985cd555
b4286bce9138f9c8fff9f8fc2eb4dcda9d48af83c62cf5ea03de48f862b301d9
4d62a012bd9a4700b2a0bc7143151eeaf12d1eb88bb8b02701902168cd42ce24
142d21e1c1d4b09bd1853f009c1e4bae0e3f4dcff9f9fe8d55e4cc5456d20971
1e31a6de957adb7a23e155ef8e9f80e67dc763443053e0014fba9e91f4eebc6f
64efd694a2e536ed7265fb46da5198788d895a9b7b9c2434404209b61c143a5f
0f88cfd80dda550bf8ed08966821d84f6344fa6110b248e1148f06109c9a9f96
055bb90b6b1355dfbd03fc77826720e14b37934a078fa1caa1ef0e47e04a99e8
69b22d283fd4a6ce1c9f69f610449b016fdbb7ac1f8c23e199b3c72d7f75c61d
9b2d89057155cd1cec731e83a0946cf95772134f0069da737fa30935b5a9b325
e77eb0d03b445cf74f20c2614b1135b62da61ecf0d7c48194b71b8f73297272d
11c509649c391209ce09bc178ebffcfc7cbfcf038ce699aebfd1303191c136aa
a35480f93ad4d0de19c119b903f6317cc8e59e779b654ec8f4bd5df4535267c6

SH256 hash:

bad62abd7ad29c3d1379bd06439b3208549ceff63772420104c1b322a4abc810

MD5 hash:

572eb88ef3e508c0556d55b4e7f649bd

SHA1 hash:

a2251c07ea52e9886be15835d45eac41c24af78d

Link:

https://www.unpac.me/results/b3bf3ba4-c9de-4771-8aa3-1fd1b9f6258a/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/bad62abd7ad29c3d1379bd06439b3208549ceff63772420104c1b322a4abc810

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	MALWARE_Win_EXEPWSH_DLAgent Create hunting rule
Author:	ditekSHen
Description:	Detects SystemBC

Rule name:	MiniTor Create hunting rule
Author:	@bartblaze
Description:	Identifies MiniTor implementation as seen in SystemBC and Parallax RAT.
Reference:	https://news.sophos.com/en-us/2020/12/16/systembc/

Rule name:	Start2_net_mem Create hunting rule
Author:	James_inthe_box
Description:	SystemBC
Reference:	7bd341488dc6f01a6662ac478d67d3cd8211cbf362994355027b5bdf573cc31e

Rule name:	Start2_overlap_mem Create hunting rule
Author:	James_inthe_box
Description:	SystemBC
Reference:	7bd341488dc6f01a6662ac478d67d3cd8211cbf362994355027b5bdf573cc31e

Rule name:	SystemBC_Config Create hunting rule
Author:	@bartblaze
Description:	Identifies SystemBC RAT, decrypted config.

Rule name:	win_systembc_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.systembc.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

SystemBC

exe bad62abd7ad29c3d1379bd06439b3208549ceff63772420104c1b322a4abc810

(this sample)

Cape

https://www.capesandbox.com/analysis/253354/

URLhaus

https://urlhaus.abuse.ch/url/2108799/

Delivery method

Distributed via web download

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample