MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bff34ec881bbe9726f025fcf4585150e98178bd2ecdbc7fc29939dbf554ab708. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SystemBC

Vendor detections: 14

Intelligence 14 IOCs YARA 3 File information Comments

SHA256 hash:	bff34ec881bbe9726f025fcf4585150e98178bd2ecdbc7fc29939dbf554ab708
SHA3-384 hash:	3290bd67bc3c53a7e5036d4bbecb2fddb8b20e103c0b3febc000163ae167fb8f4a36d91d89704455d20a00b7368fcf96
SHA1 hash:	602504addbd4df06c2ae5467a037edbf4fc41c16
MD5 hash:	d49997877451b110adc8e09d9c04c2b6
humanhash:	johnny-chicken-ten-east
File name:	d49997877451b110adc8e09d9c04c2b6.exe
Download:	download sample
Signature	SystemBC Create hunting rule
File size:	1'766'032 bytes
First seen:	2023-01-25 20:28:55 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	46f2e276c634d5362ea91b37e3398f9e (1 x SystemBC)
ssdeep	49152:Zk7edbYPPeMgp1wQ4H4/Kof7Of6Dmq9zbrQn:Z/dMPPEYQlNqfVUQn
TLSH	T1618512D6BB51E339C39426F458E8D2C803369F7D44A1C18B33A5658B7E7DF8D912B288
TrID	47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 15.9% (.EXE) Win64 Executable (generic) (10523/12/4) 9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	63d94c244460613e (2 x SystemBC, 1 x LgoogLoader)
Reporter	abuse_ch
Tags:	exe signed SystemBC

Code Signing Certificate

Organisation:	devlearn.com
Issuer:	Go Daddy Secure Certificate Authority - G2
Algorithm:	sha256WithRSAEncryption
Valid from:	2022-04-12T02:48:38Z
Valid to:	2023-04-12T02:48:38Z
Serial number:	dd575f84afbee77c
Intelligence:	2 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:	SHA256
Thumbprint:	1e07686eb1bb3b701ce8fc45841cd8737e5060ffe02df6cf4b6baec4ddb884d2
Source:	This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin

# of uploads :

# of downloads :

211

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

d49997877451b110adc8e09d9c04c2b6.exe

Verdict:

Malicious activity

Analysis date:

2023-01-25 20:32:34 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/1bf9e3e0-cfc1-4f5e-a861-e0cb9c97ca86

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

SystemBC

Link:

https://www.capesandbox.com/analysis/356843/

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Searching for the window

Сreating synchronization primitives

Creating a file

Enabling autorun by creating a file

Result

Malware family:

n/a

Score:

9/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/63071/overview

Behaviour

MalwareBazaar

SystemUptime

MeasuringTime

CPUID_Instruction

EvasionGetTickCount

EvasionQueryPerformanceCounter

CheckCmdLine

Verdict:

No Threat

Threat level:

2/10

Confidence:

80%

Tags:

greyware overlay packed

Link:

https://www.filescan.io/uploads/63d1910f905a5ac3b908c6b4/reports/24ed7742-e19a-4e36-b043-1c2cb0443bc4/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/effacc9f-49f7-4701-8df4-b5e34ee3256d

Result

Threat name:

SystemBC

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1159172

Signature

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Found evasive API chain (may stop execution after checking mutex)

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Yara detected SystemBC

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/bff34ec881bbe9726f025fcf4585150e98178bd2ecdbc7fc29939dbf554ab708/

Threat name:

Win32.Trojan.Woreflint

Status:

Malicious

First seen:

2022-10-26 00:41:08 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

26 of 39 (66.67%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=x7zu5sebxpuxe3ycl7hulbivb2mbpc6s5tn4p7bjsoo36vkkw4ea._file

Verdict:

malicious

Result

Malware family:

systembc

Score:

10/10

Tags:

family:systembc trojan

Link:

https://tria.ge/reports/230125-y9j6jaaf62/

Behaviour

Modifies data under HKEY_USERS

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Drops file in Windows directory

Drops file in System32 directory

SystemBC

Malware Config

C2 Extraction:

89.22.225.242:4193
195.2.93.22:4193

Unpacked files

SH256 hash:

665bcb7f7601b49961474f6f30495a18cdf3758e3b171874eb48190397b713a9

MD5 hash:

ad72822c0c72a676edae67f14716da34

SHA1 hash:

ee4464fea8e4a5459c7ae964c8f6fc51203e76ce

Detections:

SystemBC

Link:

https://www.unpac.me/results/0e57bcd2-e826-441a-9ab9-ea3dde0f50f7/

Parent samples :

19b7183a3eed215c98ce35ac4168917345ef97c104b0c5a7ea43919f094a3bc3
b3c506f89220c76008795fdb56d670380ab58d952065c891f75a8db54b84ef8e
665bcb7f7601b49961474f6f30495a18cdf3758e3b171874eb48190397b713a9
bff34ec881bbe9726f025fcf4585150e98178bd2ecdbc7fc29939dbf554ab708

SH256 hash:

037e339a983e56639d5937c0b2a9a9241c16e8e6b0dae476e7c5c814aab598c6

MD5 hash:

c013d771c3031a9c51483e0903f4ab3b

SHA1 hash:

614dd122a5ad6fffba76a7fa276b390511230969

Link:

https://www.unpac.me/results/0e57bcd2-e826-441a-9ab9-ea3dde0f50f7/

SH256 hash:

bff34ec881bbe9726f025fcf4585150e98178bd2ecdbc7fc29939dbf554ab708

MD5 hash:

d49997877451b110adc8e09d9c04c2b6

SHA1 hash:

602504addbd4df06c2ae5467a037edbf4fc41c16

Link:

https://www.unpac.me/results/0e57bcd2-e826-441a-9ab9-ea3dde0f50f7/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/bff34ec881bbe9726f025fcf4585150e98178bd2ecdbc7fc29939dbf554ab708

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	malware_shellcode_hash Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect shellcode api hash value

Rule name:	meth_get_eip Create hunting rule
Author:	Willi Ballenthin

Rule name:	pdb_YARAify Create hunting rule
Author:	@wowabiy314
Description:	PDB

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/356843/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample