MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c72ce273124fce08bf9dd61845a78651d7ba402f9164f117f4d6d0ad5d0212ba. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SystemBC


Vendor detections: 15


Intelligence 15 IOCs YARA 7 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c72ce273124fce08bf9dd61845a78651d7ba402f9164f117f4d6d0ad5d0212ba
SHA3-384 hash: b62c6ee0f066beeb6d2b025b5d9dc0b5347509ba76208c3c4bab894ae06699322c8b4a7d7e02d090a8cd90c292ccb11c
SHA1 hash: 2435632e756173e92a1f14e10573bdc32895a6c5
MD5 hash: c65326b66f8e1799d3b4b62ced8431ad
humanhash: triple-tango-bakerloo-oscar
File name:c65326b66f8e1799d3b4b62ced8431ad
Download: download sample
Signature SystemBC
Create hunting rule
File size:968'704 bytes
First seen:2022-05-21 07:30:29 UTC
Last seen:2022-05-21 08:31:41 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 1393577781564a7066b7ec9f2fd931fa (1 x SystemBC)
ssdeep 12288:G78C7NliD9JuDyjGv5MLWxqm8rRzv7shAxlATIYQrUSYPzRPzXTwnU1cQ47gpotP:G78CRUR4EGv+WwzdzrazIfgGoemzcMw
Threatray 169 similar samples on MalwareBazaar
TLSH T1BA257D22B291C577D8F2167C9D6BB3DD98357D102D2C984A7FE40F4C1E3AB803A66297
TrID 68.0% (.EXE) Win32 Executable Borland Delphi 7 (664796/42/58)
26.8% (.EXE) Win32 Executable Borland Delphi 6 (262638/61)
1.4% (.EXE) Win32 Executable Delphi generic (14182/79/4)
1.3% (.SCR) Windows screen saver (13101/52/3)
0.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
File icon (PE):PE icon
dhash icon 399998ecd4d46c0e (572 x Quakbot, 137 x ArkeiStealer, 82 x GCleaner)
Reporter zbetcheckin
Tags:32 exe SystemBC

Intelligence

File Origin
# of uploads :
2
# of downloads :
349
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
https://google.com
Verdict:
Malicious activity
Analysis date:
2022-05-20 20:41:58 UTC
Tags:
stealer loader trojan rat redline phishing evasion systembc
Link:
https://app.any.run/tasks/c6de193b-7d4e-441e-9484-4aea8c0c27b8

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
SystemBC
Create hunting rule
Link:
https://www.capesandbox.com/analysis/273288/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Launching a process
Сreating synchronization primitives
Searching for synchronization primitives
Searching for the window
Creating a file
Sending a custom TCP request
Enabling autorun by creating a file
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/19426/overview
Behaviour
MalwareBazaar
CheckCmdLine
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
control.exe greyware keylogger qbot ursnif
Link:
https://www.filescan.io/uploads/62889545054dcf0ecad68c17/reports/1d4e6dcb-7462-43ae-b128-a274006b86da/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/587e7afc-03db-422e-80be-525257d3f374
Result
Threat name:
CryptOne, SystemBC
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/999048
Signature
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found evasive API chain (may stop execution after checking mutex)
Found malware configuration
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected CryptOne packer
Yara detected SystemBC
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c72ce273124fce08bf9dd61845a78651d7ba402f9164f117f4d6d0ad5d0212ba/
Threat name:
Win32.Trojan.Coroxy
Create hunting rule
Status:
Malicious
First seen:
2022-05-20 19:41:04 UTC
File Type:
PE (Exe)
Extracted files:
38
AV detection:
15 of 26 (57.69%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=y4woe4ysj7harp452ymelj4gkhl3uqbpsfspcf7u23ik2xicck5a._file
Verdict:
malicious
Similar samples:
1cb1bfcb6922b47360cc3a42ae778e998e2667391bb202cf703ae6e8d01520dd
SystemBC
2866a252b6007fe9487d85b87ed23f6dddaf2f4f8ccc82328212985bfc6dd5d5
SystemBC
330690fd9d001e63f7aa537a28d326e7ffcd61d59ba140a637337ccad1cafb52
SystemBC
6e6daa421b992ea72284f7f955511d063b52f8118f37f7f41877789e1ce7d195
SystemBC
e551275aa089805c48ec1734d3d4ecd03997663e58892323bf174f0b7eb52504
SystemBC
f207b081630595fb1b6d790e7c43ec89fe2ed88003026f5d0f9faf01c99673e2
SystemBC
fdd7069cdc8a066739331213b2076f2ca6acd0e97070f5d1e4dbd9d1b756a35b
SystemBC
+ 159 additional samples on MalwareBazaar
Result
Malware family:
systembc
Create hunting rule
Score:
  10/10
Tags:
family:systembc trojan
Link:
https://tria.ge/reports/220521-jcc9dsdhej/
Behaviour
Suspicious use of WriteProcessMemory
Drops file in Windows directory
SystemBC
Malware Config
C2 Extraction:
135.125.248.50:443
146.70.53.169:443
Unpacked files
SH256 hash:
13b2ac2a67887f6fc94af3966ef0528d2a493a54fab7375d1e2307adb3a9d544
MD5 hash:
65e8443867ee1e59f8c61ea67e6ac0eb
SHA1 hash:
646c3d8fc28dff82df45ee3d5d3528210fd0ad33
Link:
https://www.unpac.me/results/1f8468cb-b353-4d61-a7a7-94487e5b83d5/
SH256 hash:
c72ce273124fce08bf9dd61845a78651d7ba402f9164f117f4d6d0ad5d0212ba
MD5 hash:
c65326b66f8e1799d3b4b62ced8431ad
SHA1 hash:
2435632e756173e92a1f14e10573bdc32895a6c5
Link:
https://www.unpac.me/results/1f8468cb-b353-4d61-a7a7-94487e5b83d5/
Malware family:
CryptOne
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/c72ce273124f/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.71
Link:
https://yomi.yoroi.company/submissions/c72ce273124fce08bf9dd61845a78651d7ba402f9164f117f4d6d0ad5d0212ba

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:EXT_MAL_SystemBC_Mar22_1
Create hunting rule
Author:Thomas Barabosch, Deutsche Telekom Security
Description:Detects unpacked SystemBC module as used by Emotet in March 2022
Reference:https://twitter.com/Cryptolaemus1/status/1502069552246575105
Rule name:MALWARE_Win_EXEPWSH_DLAgent
Create hunting rule
Author:ditekSHen
Description:Detects SystemBC
Rule name:Start2_net_bin
Create hunting rule
Author:James_inthe_box
Description:SystemBC
Reference:7bd341488dc6f01a6662ac478d67d3cd8211cbf362994355027b5bdf573cc31e
Rule name:Start2_overlap_bin
Create hunting rule
Author:James_inthe_box
Description:SystemBC
Reference:7bd341488dc6f01a6662ac478d67d3cd8211cbf362994355027b5bdf573cc31e
Rule name:Start2__bin
Create hunting rule
Author:James_inthe_box
Description:SystemBC
Reference:7bd341488dc6f01a6662ac478d67d3cd8211cbf362994355027b5bdf573cc31e
Rule name:SystemBC_Config
Create hunting rule
Author:@bartblaze
Description:Identifies SystemBC RAT, decrypted config.
Rule name:SystemBC_Socks
Create hunting rule
Author:@bartblaze
Description:Identifies SystemBC RAT, Socks proxy version.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

SystemBC

Executable exe c72ce273124fce08bf9dd61845a78651d7ba402f9164f117f4d6d0ad5d0212ba

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2205066/
Cape
Cape
https://www.capesandbox.com/analysis/273288/

Comments


Avatar
zbet commented on 2022-05-21 07:30:36 UTC

url : hxxp://86.106.131.132/polx.exe