MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d698868e1ed87e2ad436dd6be63276f64fb040d63a60afd7defdf570816f5b55. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SystemBC


Vendor detections: 6


Intelligence 6 IOCs YARA 2 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d698868e1ed87e2ad436dd6be63276f64fb040d63a60afd7defdf570816f5b55
SHA3-384 hash: c44ca4428bd63a80f1b964cf9f9e1ab5828631225d9d663eedb96c44bd6dedc3010bc361fc5877e5c7a8d82ea37dd5ac
SHA1 hash: 2044ea5fd95df30782f5dfcbbd7d78d90bbe1b1f
MD5 hash: 2e10fb9e1508a6ffeaf8315c9a6154eb
humanhash: steak-ack-football-fish
File name:2e10fb9e1508a6ffeaf8315c9a6154eb
Download: download sample
Signature SystemBC
Create hunting rule
File size:5'504'920 bytes
First seen:2022-10-10 15:49:35 UTC
Last seen:2022-10-10 18:15:14 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 9462ac51d5312ceece5994cd22214070 (1 x SystemBC)
ssdeep 98304:X6dq7DqT6s5jE2xeWS1F8n9QdgFDmAfWsSGsPf6r2ch6pWJLz1gI5:qdq7DCj5jE2xeR8n9Q4ZftyPf6vhZX17
TLSH T111469EE62A0BEFDFD14A043DA017DF1A657C87B3DB16DB01EA5C297B4613D823649E20
TrID 32.2% (.EXE) Win64 Executable (generic) (10523/12/4)
20.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
15.4% (.EXE) Win16 NE executable (generic) (5038/12/1)
13.7% (.EXE) Win32 Executable (generic) (4505/5/1)
6.2% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon e8f8f0f8f0f0f0f0 (1 x SystemBC)
Reporter zbetcheckin
Tags:32 exe SystemBC

Intelligence

File Origin
# of uploads :
3
# of downloads :
284
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/318569/
Detection(s):
SecuriteInfo.com.Win32.Evo-gen.5131.24081.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Searching for analyzing tools
Creating a window
Creating a file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
overlay packed
Link:
https://www.filescan.io/uploads/63443f2cf70d3755bbbf8b6a/reports/87a3ed14-d4f0-4b7a-92c3-09e0c27dfb02/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/fe88ecd6-f5e6-4aa9-af4f-14e6fcc35887
Result
Threat name:
SystemBC
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
92 / 100
Link:
https://www.joesandbox.com/analysis/1087049
Signature
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Query firmware table information (likely to detect VMs)
Self deletion via cmd or bat file
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Uses ping.exe to check the status of other devices and networks
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected SystemBC
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 719628 Sample: DDa64eKV8Q.exe Startdate: 10/10/2022 Architecture: WINDOWS Score: 92 38 Malicious sample detected (through community Yara rule) 2->38 40 Multi AV Scanner detection for submitted file 2->40 42 Yara detected SystemBC 2->42 44 2 other signatures 2->44 7 DDa64eKV8Q.exe 4 2->7         started        11 Dip gavoney doma tehova patoti kov.exe 2->11         started        process3 file4 30 C:\...\Dip gavoney doma tehova patoti kov.exe, PE32 7->30 dropped 32 Dip gavoney doma t...exe:Zone.Identifier, ASCII 7->32 dropped 46 Query firmware table information (likely to detect VMs) 7->46 48 Self deletion via cmd or bat file 7->48 50 Uses schtasks.exe or at.exe to add and modify task schedules 7->50 13 Dip gavoney doma tehova patoti kov.exe 7->13         started        17 cmd.exe 1 7->17         started        19 schtasks.exe 1 7->19         started        52 Tries to detect sandboxes / dynamic malware analysis system (registry check) 11->52 signatures5 process6 dnsIp7 36 89.22.225.242, 4193, 49796, 49797 INETLTDTR Russian Federation 13->36 54 Query firmware table information (likely to detect VMs) 13->54 56 Tries to detect sandboxes / dynamic malware analysis system (registry check) 13->56 58 Uses ping.exe to check the status of other devices and networks 17->58 21 PING.EXE 1 17->21         started        24 conhost.exe 17->24         started        26 chcp.com 1 17->26         started        28 conhost.exe 19->28         started        signatures8 process9 dnsIp10 34 127.0.0.1 unknown unknown 21->34
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d698868e1ed87e2ad436dd6be63276f64fb040d63a60afd7defdf570816f5b55/
Threat name:
Win32.Trojan.Tasker
Create hunting rule
Status:
Malicious
First seen:
2022-10-10 15:50:13 UTC
File Type:
PE (Exe)
Extracted files:
7
AV detection:
19 of 26 (73.08%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=22mindq63b7cvvbw3vv6mmtw6zh3aqgwhjqk7v667x2xbalplnkq._file
Result
Malware family:
systembc
Create hunting rule
Score:
  10/10
Tags:
family:systembc evasion themida trojan
Link:
https://tria.ge/reports/221010-s9w77scdg5/
Behaviour
Creates scheduled task(s)
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Checks whether UAC is enabled
Checks BIOS information in registry
Checks computer location settings
Deletes itself
Loads dropped DLL
Themida packer
Executes dropped EXE
Identifies VirtualBox via ACPI registry values (likely anti-VM)
SystemBC
Malware Config
C2 Extraction:
89.22.225.242:4193
195.2.93.22:4193
Gathering data
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.40
Link:
https://yomi.yoroi.company/submissions/d698868e1ed87e2ad436dd6be63276f64fb040d63a60afd7defdf570816f5b55

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_Themida
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with Themida
Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

SystemBC

Executable exe d698868e1ed87e2ad436dd6be63276f64fb040d63a60afd7defdf570816f5b55

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/318569/
  
URLhaus
https://urlhaus.abuse.ch/url/2355193/

Comments


Avatar
zbet commented on 2022-10-10 15:49:39 UTC

url : hxxp://45.83.123.128/css/wevtutil.exe