MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cd40f468a59f1a6af15e76616d8f76e9e8fe854414fed5379d6284ed9e11f269. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SystemBC


Vendor detections: 13


Intelligence 13 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: cd40f468a59f1a6af15e76616d8f76e9e8fe854414fed5379d6284ed9e11f269
SHA3-384 hash: 21bb6de46215da4b3eafe2d4cebf11e3e77feb8730339cb882bd8af48a85dd74e0ad27de563d51f7889f7ae91e6a055e
SHA1 hash: e2539273cec31c0f4a6bc18757029e7a245a6d6d
MD5 hash: 1c973c1ac0fef68fcf5041312d126f1a
humanhash: hawaii-sierra-three-mango
File name:1c973c1ac0fef68fcf5041312d126f1a.exe
Download: download sample
Signature SystemBC
Create hunting rule
File size:4'929'024 bytes
First seen:2023-07-25 17:50:46 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 2dd7ccda47f8c453a5f25f913ac9621e (1 x SystemBC)
ssdeep 6144:vOaZsS4DFasluB04DdbHXrW2AmPxSB/lKfwmpjLkBGxalTK:TZsFDFas+l3a2AYfnjxxw
TLSH T15736B035BF80B42ED32219FB5B36D277582979CD292FD87536D41B4ECAE83432725282
TrID 68.7% (.EXE) Win32 Executable Borland Delphi 7 (664796/42/58)
27.1% (.EXE) Win32 Executable Borland Delphi 6 (262638/61)
1.4% (.EXE) Win32 Executable Delphi generic (14182/79/4)
1.3% (.SCR) Windows screen saver (13097/50/3)
0.4% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 399998ecd4d46c0e (572 x Quakbot, 137 x ArkeiStealer, 82 x GCleaner)
Reporter abuse_ch
Tags:exe SystemBC

Intelligence

File Origin
# of uploads :
1
# of downloads :
268
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
1c973c1ac0fef68fcf5041312d126f1a.exe
Verdict:
Suspicious activity
Analysis date:
2023-07-25 17:56:53 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/bd4c2dbf-389d-429e-86eb-f1341287c3d0

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
SystemBC
Create hunting rule
Link:
https://www.capesandbox.com/analysis/432887/
Detection(s):
SecuriteInfo.com.Trojan.GenericKDS.61013703.28592.4218.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Creating a window
Searching for synchronization primitives
Gathering data
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/cd40f468a59f1a6af15e76616d8f76e9e8fe854414fed5379d6284ed9e11f269
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
SystemBC
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/8b0c3d85-8889-48da-9126-91ed9035069d
Result
Threat name:
SystemBC
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1279597
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Creates autostart registry keys with suspicious values (likely registry only malware)
Found malware configuration
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suspicious powershell command line found
Tries to detect virtualization through RDTSC time measurements
Yara detected SystemBC
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/cd40f468a59f1a6af15e76616d8f76e9e8fe854414fed5379d6284ed9e11f269/
Threat name:
Win32.Trojan.Coroxy
Create hunting rule
Status:
Malicious
First seen:
2023-07-21 21:35:15 UTC
File Type:
PE (Exe)
Extracted files:
38
AV detection:
19 of 38 (50.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=zvapi2fft4ngv4k6ozqw3d3w5hup5bkect7nkn45mkco3hqr6juq._file
Verdict:
malicious
Result
Malware family:
systembc
Create hunting rule
Score:
  10/10
Tags:
family:systembc persistence trojan
Link:
https://tria.ge/reports/230725-we6d6sef58/
Behaviour
Adds Run key to start application
SystemBC
Malware Config
C2 Extraction:
91.103.252.89:4317
91.103.252.57:4317
Unpacked files
SH256 hash:
985dfdc1aa54ce64d8107d146542598d15feb5d665153ebd86e37a8db4642efe
MD5 hash:
21af03c443f36d5fbef8f36b26c1bcf8
SHA1 hash:
45d186a934e3ee170f88ea4940e7f850721ac148
Detections:
SystemBC
Create hunting rule
Link:
https://www.unpac.me/results/dcdda93f-ae7c-4e01-b848-a23a9c0be47a/
Parent samples :
cd40f468a59f1a6af15e76616d8f76e9e8fe854414fed5379d6284ed9e11f269
b8cdfada8522638a45efdac45fe27eb60b9860222d2486036e12d4a18688445b
SH256 hash:
cd40f468a59f1a6af15e76616d8f76e9e8fe854414fed5379d6284ed9e11f269
MD5 hash:
1c973c1ac0fef68fcf5041312d126f1a
SHA1 hash:
e2539273cec31c0f4a6bc18757029e7a245a6d6d
Link:
https://www.unpac.me/results/dcdda93f-ae7c-4e01-b848-a23a9c0be47a/
Malware family:
CryptOne
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/cd40f468a59f/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.41
Link:
https://yomi.yoroi.company/submissions/cd40f468a59f1a6af15e76616d8f76e9e8fe854414fed5379d6284ed9e11f269

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/432887/

Comments