MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 caf660d5a464070e4a488bb3d2153c90204f739e75684f4d8ed56de1062b2f87. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SystemBC


Vendor detections: 15


Intelligence 15 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: caf660d5a464070e4a488bb3d2153c90204f739e75684f4d8ed56de1062b2f87
SHA3-384 hash: e1454d83085c89ee04644bc7dff2e76919282cb11eb95cbc97e9690e98aef9368a84c9d08a154d86ff9d22c0225ebcee
SHA1 hash: 8a7188931e6d548c1c717be4386df5a19e04b51f
MD5 hash: 7041b5e6716fbc3d51516bfc782b1adf
humanhash: equal-fruit-nitrogen-gee
File name:7041b5e6716fbc3d51516bfc782b1adf.exe
Download: download sample
Signature SystemBC
Create hunting rule
File size:462'336 bytes
First seen:2023-07-14 06:32:19 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash e045c7fa927c19e1374d1c99229666ac (2 x RedLineStealer, 1 x Fabookie, 1 x SystemBC)
ssdeep 6144:dJ9FSjroYqIslQS49PJPGTsqgU4yct3kgDNx5DKUfiyk6EeRqD6u:dbFSXzslQ34eU4yct3BBx5DKfwEeRC
Threatray 349 similar samples on MalwareBazaar
TLSH T162A4F15233E1A471E1634A304A2AC7F43A2FBCA09F5A57DB3358662F5DB02D196B2353
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 0aaae64044464844 (1 x SystemBC)
Reporter abuse_ch
Tags:exe SystemBC

Intelligence

File Origin
# of uploads :
1
# of downloads :
295
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
7041b5e6716fbc3d51516bfc782b1adf.exe
Verdict:
Malicious activity
Analysis date:
2023-07-14 06:34:54 UTC
Tags:
ransomware
Link:
https://app.any.run/tasks/f139967f-f531-4a63-83b5-84fd271ee36f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Rhadamanthys
Create hunting rule
Link:
https://www.capesandbox.com/analysis/418586/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.68159994.13322.8788.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Sending a custom TCP request
Сreating synchronization primitives
Using the Windows Management Instrumentation requests
Launching a process
DNS request
Sending an HTTP GET request
Launching the default Windows debugger (dwwin.exe)
Unauthorized injection to a system process
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/97544/overview
Behaviour
MalwareBazaar
SystemUptime
MeasuringTime
EvasionGetTickCount
CheckCmdLine
EvasionQueryPerformanceCounter
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/64b0ec1fb1d2dc145c1d2274/reports/20d95f6f-93d7-423e-b457-8b31f391e599/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/caf660d5a464070e4a488bb3d2153c90204f739e75684f4d8ed56de1062b2f87
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/9424fe5c-298f-4c81-92ca-784696aec900
Result
Threat name:
Phobos, RHADAMANTHYS
Create hunting rule
Detection:
malicious
Classification:
rans.troj.adwa.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1272930
Signature
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Creates files in the recycle bin to hide itself
Creates processes via WMI
Deletes itself after installation
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Drops PE files to the startup folder
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Sample uses process hollowing technique
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes many files with high entropy
Yara detected AntiVM3
Yara detected Phobos
Yara detected RHADAMANTHYS Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1272930 Sample: SjBVWCSxWi.exe Startdate: 14/07/2023 Architecture: WINDOWS Score: 100 51 Found malware configuration 2->51 53 Malicious sample detected (through community Yara rule) 2->53 55 Multi AV Scanner detection for submitted file 2->55 57 7 other signatures 2->57 7 l]n.exe 2 89 2->7         started        11 SjBVWCSxWi.exe 1 2->11         started        14 775{341{`.exe 2->14         started        16 ljT.exe 2->16         started        process3 dnsIp4 39 C:\Users\user\AppData\Roaming\...\l]n.exe, PE32 7->39 dropped 41 C:\Users\user\AppData\Local\l]n.exe, PE32 7->41 dropped 43 _GDIPlus_BitmapCre...rexsdata.pro].8base, DOS 7->43 dropped 45 143 other malicious files 7->45 dropped 67 Creates files in the recycle bin to hide itself 7->67 69 Machine Learning detection for dropped file 7->69 71 Drops PE files to the startup folder 7->71 73 Writes many files with high entropy 7->73 18 l]n.exe 7->18         started        49 servblog25.xyz 45.131.66.61, 49706, 49707, 49708 LOVESERVERSGB Germany 11->49 75 Detected unpacking (changes PE section rights) 11->75 77 Detected unpacking (overwrites its own PE header) 11->77 79 Performs DNS queries to domains with low reputation 11->79 20 certreq.exe 4 11->20         started        25 WerFault.exe 11->25         started        81 Contains functionality to inject code into remote processes 14->81 83 Sample uses process hollowing technique 14->83 85 Injects a PE file into a foreign processes 14->85 27 775{341{`.exe 14->27         started        file5 signatures6 process7 dnsIp8 47 servblog25.xyz 20->47 33 C:\Users\user\AppData\Local\...\ljT.exe, PE32 20->33 dropped 35 C:\Users\user\AppData\Local\...\l]n.exe, PE32 20->35 dropped 37 C:\Users\user\AppData\Local\...\775{341{`.exe, PE32 20->37 dropped 59 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 20->59 61 Tries to steal Mail credentials (via file / registry access) 20->61 63 Performs DNS queries to domains with low reputation 20->63 65 4 other signatures 20->65 29 conhost.exe 20->29         started        31 explorer.exe 2 5 27->31 injected file9 signatures10 process11
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/caf660d5a464070e4a488bb3d2153c90204f739e75684f4d8ed56de1062b2f87/
Threat name:
Win32.Spyware.Rhadamanthys
Create hunting rule
Status:
Malicious
First seen:
2023-07-13 23:31:52 UTC
File Type:
PE (Exe)
Extracted files:
22
AV detection:
29 of 38 (76.32%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=zl3gbvnemqdq4ssiroz5efj4saqe6446ovue6tmo2vw6cbrlf6dq._file
Verdict:
malicious
Similar samples:
64cc071973e05ae577f32bab349fafb4dba96ba9b8cab272aa5cd9d6074e5a39
SystemBC
7949bf3e09366bdb23ca7472cb6c4d9183ad5b081ac5a568d556aec8beae0785
SystemBC
bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732
SystemBC
c8d9a9758516d5a8936bd3bc01a9997fb677ed1dc54081caa985883935ff092b
SystemBC
dea38651b06aab617e93bdb343fd28587bdc0e113a4fc957571a06988491ade7
SystemBC
e165b3e962a2916ed4693993f1911c04b18fcbf7fbdaa824d0e57449da4e4099
SystemBC
f0aec57001a184ea82122a59c6e5be48042f75d6f11a40125995ba9531aab718
SystemBC
+ 339 additional samples on MalwareBazaar
Result
Malware family:
systembc
Create hunting rule
Score:
  10/10
Tags:
family:phobos family:rhadamanthys family:smokeloader family:systembc backdoor collection evasion persistence ransomware spyware stealer trojan
Link:
https://tria.ge/reports/230714-ha7jsacd78/
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Interacts with shadow copies
Modifies Internet Explorer settings
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Uses Volume Shadow Copy service COM API
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Program crash
Drops file in Program Files directory
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Drops desktop.ini file(s)
Checks computer location settings
Deletes itself
Drops startup file
Executes dropped EXE
Reads user/profile data of web browsers
Deletes backup catalog
Downloads MZ/PE file
Modifies Windows Firewall
Deletes shadow copies
Modifies boot configuration data using bcdedit
Renames multiple (316) files with added filename extension
Renames multiple (476) files with added filename extension
Detect rhadamanthys stealer shellcode
Phobos
Rhadamanthys
SmokeLoader
Suspicious use of NtCreateUserProcessOtherParentProcess
SystemBC
Malware Config
C2 Extraction:
adstat477d.xyz:4044
demstat577d.xyz:4044
http://serverxlogs21.xyz/statweb255/
http://servxblog79.xyz/statweb255/
http://demblog289.xyz/statweb255/
http://admlogs77x.online/statweb255/
http://blogxstat38.xyz/statweb255/
http://blogxstat25.xyz/statweb255/
Unpacked files
SH256 hash:
fab1ee69cd9945ee286ec80b86628c898a24974fb5674c1330916bba74117c0b
MD5 hash:
b3a3a6e2fa5adb117305d96ce8dd366a
SHA1 hash:
e3d7308aebb9bac40146de603c981e020885d24d
Detections:
BruteRatel
Create hunting rule
win_brute_ratel_c4_w0
Create hunting rule
Link:
https://www.unpac.me/results/f240656b-6985-4e72-b0ee-08a7fd6a7db7/
Parent samples :
caf660d5a464070e4a488bb3d2153c90204f739e75684f4d8ed56de1062b2f87
b8623632ef4735f184691e98adaaa01e707f5287759ee0516fb1672db6187642
ae0087b0e2f4292c64c5232368e562c30da4db998734b9b3dd5e27f456741f9c
c21da75b52a0bc699a83bf0eebc5216573533962d425f875191af178c19bab94
SH256 hash:
caf660d5a464070e4a488bb3d2153c90204f739e75684f4d8ed56de1062b2f87
MD5 hash:
7041b5e6716fbc3d51516bfc782b1adf
SHA1 hash:
8a7188931e6d548c1c717be4386df5a19e04b51f
Link:
https://www.unpac.me/results/f240656b-6985-4e72-b0ee-08a7fd6a7db7/
Malware family:
Dharma
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/caf660d5a464/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/418586/

Comments