MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cf9aee9be42a9a9b88268906e8751200b84e727e39953ab0e1da4ec590db695e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SystemBC


Vendor detections: 13


Intelligence 13 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: cf9aee9be42a9a9b88268906e8751200b84e727e39953ab0e1da4ec590db695e
SHA3-384 hash: 57d60a499a3b554c206b49a68f41bce29600555df46d17e5f041547e9099300aaa1f65ec81ddc752a8095046995c6757
SHA1 hash: 75def7b867b5d7930416337d32fa7735cd62c9d1
MD5 hash: 8d253537af839ffffa35002272a69975
humanhash: violet-pennsylvania-tennis-social
File name:file
Download: download sample
Signature SystemBC
Create hunting rule
File size:4'557'312 bytes
First seen:2024-06-12 10:02:11 UTC
Last seen:2024-06-12 10:33:58 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 24576:tTCsLxyCB/T0DwDCuk1H4ki+kwQpQPm0TVBTBMqpPYx0d41QixgN463thBedtE:tusLx
Threatray 1'860 similar samples on MalwareBazaar
TLSH T14B2629F8A0EB85E1F8079D8065B8BDD6067235B3CDD90C24172D7A444FBAD993A49E0F
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter Bitsight
Tags:exe SystemBC


Avatar
Bitsight
url: https://vk.com/doc461844031_680375483?hash=xe4hYndNL46Xjd0VsYd7h6mvBeQvRZQzv9iDttCM3gL&dl=IAr2UhWzTggDftN29FunA2XoFZW4TDPJpBBsGG717w4&api=1&no_preview=1#host

Intelligence

File Origin
# of uploads :
2
# of downloads :
448
Origin country :
US US
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
cf9aee9be42a9a9b88268906e8751200b84e727e39953ab0e1da4ec590db695e.exe
Verdict:
Malicious activity
Analysis date:
2024-06-12 10:03:01 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/d57af22e-beab-49ce-895a-ecc93382a01a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.PUA.EmbeddedEXE-1.UNOFFICIAL
Create hunting rule

Verdict:
Clean
Score:
84.2%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6669723bda262547655eb440win7simulatehigh_evasion
Tags:
c o r o x y
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %AppData% directory
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a process with a hidden window
Creating a file
Creating a window
Creating a process from a recently created file
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Enabling autorun by creating a file
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/cf9aee9be42a9a9b88268906e8751200b84e727e39953ab0e1da4ec590db695e
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
SystemBC
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/29063ba1-11de-4eba-bb72-5c061e121c9f
Result
Threat name:
PureLog Stealer, SystemBC
Create hunting rule
Detection:
malicious
Classification:
spre.troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1455910
Signature
AI detected suspicious sample
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Send many emails (e-Mail Spam)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Tries to resolve many domain names, but no domain seems valid
Yara detected AntiVM3
Yara detected Costura Assembly Loader
Yara detected PureLog Stealer
Yara detected SystemBC
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1455910 Sample: file.exe Startdate: 12/06/2024 Architecture: WINDOWS Score: 100 37 ya.com 2->37 39 zycus-com.mail.protection.outlook.com 2->39 41 782 other IPs or domains 2->41 49 Found malware configuration 2->49 51 Antivirus / Scanner detection for submitted sample 2->51 53 Multi AV Scanner detection for submitted file 2->53 55 9 other signatures 2->55 7 file.exe 1 5 2->7         started        11 rcuxmj.exe 3 2->11         started        13 Immmsbclaz.exe 3 2->13         started        15 2 other processes 2->15 signatures3 process4 file5 31 C:\Users\user\AppData\...\Immmsbclaz.exe, PE32 7->31 dropped 33 C:\Users\...\Immmsbclaz.exe:Zone.Identifier, ASCII 7->33 dropped 35 C:\Users\user\AppData\Local\...\file.exe.log, ASCII 7->35 dropped 57 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 7->57 59 Tries to detect virtualization through RDTSC time measurements 7->59 61 Injects a PE file into a foreign processes 7->61 17 file.exe 4 7->17         started        63 Antivirus detection for dropped file 11->63 65 Multi AV Scanner detection for dropped file 11->65 67 Machine Learning detection for dropped file 11->67 20 rcuxmj.exe 11->20         started        23 Immmsbclaz.exe 13->23         started        25 Immmsbclaz.exe 15->25         started        signatures6 process7 dnsIp8 27 C:\ProgramData\gjvtc\rcuxmj.exe, PE32 17->27 dropped 29 C:\ProgramData\...\rcuxmj.exe:Zone.Identifier, ASCII 17->29 dropped 43 204.141.43.44, 49888, 587 ZOHO-ASUS United States 20->43 45 212.77.100.83, 50145, 587 WIRTUALNAPOLSKAGDANSKPolandPL Poland 20->45 47 112 other IPs or domains 20->47 file9
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/cf9aee9be42a9a9b88268906e8751200b84e727e39953ab0e1da4ec590db695e
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/cf9aee9be42a9a9b88268906e8751200b84e727e39953ab0e1da4ec590db695e/
Threat name:
Win32.Backdoor.Coroxy
Create hunting rule
Status:
Malicious
First seen:
2024-06-12 09:59:57 UTC
File Type:
PE (.Net Exe)
Extracted files:
4
AV detection:
20 of 24 (83.33%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=z6no5g7efknjxcbgredoq5isac4e44t6hgktvmhb3jhmleg3nfpa._file
Verdict:
malicious
Similar samples:
41b315e70843bdcd5a9cc1b8c8f86ddd1fd11c7423ec3842d689515743900240
SystemBC
4deb0f08ddd189fab483b1efcabcaf507e43a68d255ca87e1ffa32f248f1f8ac
SystemBC
5fe211041b58d0588133f7d7dde18867cfc77dd1d87c5af1222edc91ac882665
SystemBC
789b70fa9df563a3023a89835ce3b9ef1329a477dbff67b3390b72db2b5b9557
SystemBC
8ec531068456a562ae3b54ea0e938b03e60b46460c5641eba21693b0460cf92c
SystemBC
aeeafd1474a87877c7de2e5e1c0b8a249d84db170c44411531d77fc5c9c7d258
SystemBC
c1b13b5d0cfc0ecb0d05f8d95ccb316804135fc89d2ee7f9b87fa3f1dc86f155
SystemBC
fe84277c795c62580bc80cc0f0f4f9178a0f4fbeb5d69066e575c4c763c8576a
SystemBC
+ 1'850 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
persistence
Link:
https://tria.ge/reports/240612-l3crnathpk/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Drops file in Windows directory
Suspicious use of SetThreadContext
Adds Run key to start application
Executes dropped EXE
Verdict:
Unknown
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/e970197f-f539-4d26-b0b9-d6a2dc137fbe
Unpacked files
SH256 hash:
d05895c807e42883f7a6a7329482c1e9db3240b7ec4a42619ffae7323ce17d20
MD5 hash:
491afb609103b9b6df6fcefe82ebe3a2
SHA1 hash:
88589e5839c45c1685a55a1e280fda9c6795b64a
Link:
https://www.unpac.me/results/8141b2ff-97dd-4bad-beef-de705ae1ecac/
SH256 hash:
b63a0e5f93b26ad0eeb9efba66691f3b7e7f51e93a2f0098bde43833f7a24cc2
MD5 hash:
e7d405eec8052898f4d2b0440a6b72c9
SHA1 hash:
58cf7bfcec81faf744682f9479b905feed8e6e68
Detections:
SystemBC
Create hunting rule
win_systembc_auto
Create hunting rule
win_systembc_g1
Create hunting rule
Link:
https://www.unpac.me/results/8141b2ff-97dd-4bad-beef-de705ae1ecac/
Parent samples :
789b70fa9df563a3023a89835ce3b9ef1329a477dbff67b3390b72db2b5b9557
aeeafd1474a87877c7de2e5e1c0b8a249d84db170c44411531d77fc5c9c7d258
cf9aee9be42a9a9b88268906e8751200b84e727e39953ab0e1da4ec590db695e
0a0459d9427b37f9dd4f9c35d0e4ffacec8a524591b58f5047b9543c65ecc203
c5018a3915e8a9de41e083f7936c2d232b9a73ba41c8c07fb7b2d90d5f5d8e8e
b63a0e5f93b26ad0eeb9efba66691f3b7e7f51e93a2f0098bde43833f7a24cc2
dc183f57a0679eb92ef393479dea0df619ddce3ff94051c84f8f1dba7de31d22
1354429a271a349329dbbfda561fe0eb43ae4005f5d3c4abdec9aef08cf23baf
145dbb397089105d6d06a861d62b48be9fd2527fb7d023b114cf05b723cd3858
SH256 hash:
19efdf03cb94895935225795f68bb9abfded1869687367013b8b4eee3cc99372
MD5 hash:
4e29f75c0c51b9dec76955f0382d9541
SHA1 hash:
4899aa8e3f57339cbaec8faab777897a76fe1c3a
Link:
https://www.unpac.me/results/8141b2ff-97dd-4bad-beef-de705ae1ecac/
SH256 hash:
78f73e1734daa918b253517c75971fbb8df773a3d77d02a752e9a0ad1711a677
MD5 hash:
f9d2985aa1c41cca281321fffb5ed424
SHA1 hash:
3a7a58d2dcae2762882357ae34d372744b1dbb9d
Link:
https://www.unpac.me/results/8141b2ff-97dd-4bad-beef-de705ae1ecac/
SH256 hash:
f6fd36c5ca294a6b3b24340a6d2a229825cbe8531a3f0b60579ae00bd61ad144
MD5 hash:
61efaa28465c56c01389b31fd18ed57f
SHA1 hash:
247021c8d4034943ba67e394f422710dc20b6eb7
Link:
https://www.unpac.me/results/8141b2ff-97dd-4bad-beef-de705ae1ecac/
SH256 hash:
cf9aee9be42a9a9b88268906e8751200b84e727e39953ab0e1da4ec590db695e
MD5 hash:
8d253537af839ffffa35002272a69975
SHA1 hash:
75def7b867b5d7930416337d32fa7735cd62c9d1
Detections:
INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
Create hunting rule
Link:
https://www.unpac.me/results/8141b2ff-97dd-4bad-beef-de705ae1ecac/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/cf9aee9be42a9a9b88268906e8751200b84e727e39953ab0e1da4ec590db695e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:meth_peb_parsing
Create hunting rule
Author:Willi Ballenthin
Rule name:win_systembc_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.systembc.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

SystemBC

Executable exe cf9aee9be42a9a9b88268906e8751200b84e727e39953ab0e1da4ec590db695e

(this sample)

  
Dropped by
Privateloader
  
Delivery method
Distributed via web download

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (GUARD_CF)high

Comments