MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d397561a5bb963a3bdff021676cad184c81e4ad6fee1601d15924f144fe1e73a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SystemBC


Vendor detections: 11


Intelligence 11 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d397561a5bb963a3bdff021676cad184c81e4ad6fee1601d15924f144fe1e73a
SHA3-384 hash: 87154e1f42b61db42c6670e057245667fadc5a19ca201bf64a16776e4e97b729e9c72d84e7b08667d83c5ac498a03191
SHA1 hash: 1ca2283f19b033ea172de3a0e71cb050c7b501b9
MD5 hash: edf555fc092865d05d3c666e1f4d43b3
humanhash: colorado-salami-cola-pip
File name:edf555fc092865d05d3c666e1f4d43b3.exe
Download: download sample
Signature SystemBC
Create hunting rule
File size:199'680 bytes
First seen:2021-03-11 07:08:07 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 21f43176d2402485c177e9dce3f52a54 (1 x RaccoonStealer, 1 x SystemBC)
ssdeep 3072:2nJTxAR+aCGadTJ6c6u3bdUBLhjUaXmHK5e7w2P5pN:UJL2cL3m/cso5p
Threatray 96 similar samples on MalwareBazaar
TLSH 5F149D1171B2C473C447197588E6C6B54A36BCB57F2046CF7B983BAE5F31EE28A36242
Reporter abuse_ch
Tags:exe SystemBC

Intelligence

File Origin
# of uploads :
1
# of downloads :
124
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
edf555fc092865d05d3c666e1f4d43b3.exe
Verdict:
Malicious activity
Analysis date:
2021-03-11 07:10:40 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/94c89c9a-4839-44c3-bf6a-aa93d4411c00

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/123707/
Detection(s):
SecuriteInfo.com.Trojan.MulDrop16.14123.1622.2962.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Creating a file
Creating a process from a recently created file
Creating a process with a hidden window
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Enabling autorun by creating a file
Sending an HTTP GET request to an infection source
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
SystemBC
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/636485
Signature
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
May use the Tor software to hide its network traffic
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to detect virtualization through RDTSC time measurements
Uses known network protocols on non-standard ports
Yara detected SystemBC
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d397561a5bb963a3bdff021676cad184c81e4ad6fee1601d15924f144fe1e73a/
Threat name:
Win32.Trojan.Glupteba
Create hunting rule
Status:
Malicious
First seen:
2021-03-04 18:27:00 UTC
AV detection:
26 of 28 (92.86%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=2olvmgs3xfr2hpp7ailhnswrqteb4sww73qwahivsjhrit7b445a._file
Verdict:
malicious
Similar samples:
000ce16aa593d3de6ee74dc23d0ef231a77383c7545990d32c47f038314d0051
SystemBC
08fd0983b9d0d9cd5947e885da8031fdf54d02a89a5d274e1c18bc8967bdde00
SystemBC
1ec60901913a3f37391799792f04fde1d5f1e891ba6d9cf00f6c08b7ba2364d2
SystemBC
318e0bd67ccbf40f50b848831fb2885b161e68acdfaaa0c619c79b3912af2ecd
SystemBC
63e7464225916f05a6dc4576721fae7a3a449fdab81072f28ba9a4bf5e9a54f9
SystemBC
91647ac947d5d5d3a0dc69e98070bfc2f9841d7839b579d69c524b02869a497f
SystemBC
c08ae3fc4f7db6848f829eb7548530e2522ee3eb60a57b2c38cd1bdc862f5d6f
SystemBC
d0c19e8c1317c52d421450e5605061b620d2b301d8e1a9811db6615c4d56b89f
SystemBC
e86c00bb96428b8c113169da2c996f457ed22467c5ad998e87bb48b65e98ab36
SystemBC
fe9c809037f44ae90bb094ab94481e3cfc42d286ce90eb1e4e19e44268537424
SystemBC
+ 86 additional samples on MalwareBazaar
Result
Malware family:
systembc
Create hunting rule
Score:
  10/10
Tags:
family:systembc trojan
Link:
https://tria.ge/reports/210311-2xv2aewb5j/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Drops file in Windows directory
Looks up external IP address via web service
Uses Tor communications
Executes dropped EXE
SystemBC
SystemBC Payload
Unpacked files
SH256 hash:
c2ae5418053eabb87e8435389a080544728c24b5c817040f31165eed2135672c
MD5 hash:
46f9ca549b54d5e204d5660f29e69437
SHA1 hash:
9861d94e3e29720918891ae2ca1228cbcb38b912
Detections:
win_systembc_g0
Create hunting rule
win_systembc_auto
Create hunting rule
Link:
https://www.unpac.me/results/5dec7897-2833-40ce-9fbf-43c58f996a87/
SH256 hash:
d397561a5bb963a3bdff021676cad184c81e4ad6fee1601d15924f144fe1e73a
MD5 hash:
edf555fc092865d05d3c666e1f4d43b3
SHA1 hash:
1ca2283f19b033ea172de3a0e71cb050c7b501b9
Link:
https://www.unpac.me/results/5dec7897-2833-40ce-9fbf-43c58f996a87/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d397561a5bb963a3bdff021676cad184c81e4ad6fee1601d15924f144fe1e73a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_EXEPWSH_DLAgent
Create hunting rule
Author:ditekSHen
Description:Detects downloader agent, using PowerShell
Rule name:win_systembc_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

SystemBC

Executable exe d397561a5bb963a3bdff021676cad184c81e4ad6fee1601d15924f144fe1e73a

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1060030/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/123707/

Comments