MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 dbeae60f2dbf75d9340775ee02002e0400bc646f9d35dc41bdef73be4da82ac5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SystemBC

Vendor detections: 9

Intelligence 9 IOCs YARA 3 File information Comments

SHA256 hash:	dbeae60f2dbf75d9340775ee02002e0400bc646f9d35dc41bdef73be4da82ac5
SHA3-384 hash:	7369dd9a096472d05158bf2b6276c60d8ed4e95a5ddddb03d6db5a8a79576ddbcb573328d16de5268073471dde47fd0e
SHA1 hash:	39dea8fbb9eeb2d5e6de5af3eda87f33a857dc12
MD5 hash:	2876db1b03b557351668cd577bf09c52
humanhash:	undress-magnesium-mango-muppet
File name:	2876db1b_by_Libranalysis
Download:	download sample
Signature	SystemBC Create hunting rule
File size:	93'583 bytes
First seen:	2021-04-28 21:17:17 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	ced282d9b261d1462772017fe2f6972b (127 x Formbook, 113 x GuLoader, 70 x RemcosRAT)
ssdeep	1536:r04f1SMHjZ0k/tB1g//I0DuoxbxAHscc4bO7BpdcLZMJ6W8Sc4KGwcOHnRZR3ZWJ:Zf1BDZ0kVB67Duw9AMcZb6BpgZMISc4L
Threatray	61 similar samples on MalwareBazaar
TLSH	6193F10617A0E4F7C5A206B019B57B79FFE9D28421EB8B078B541E9D7943B538A0F3D2
Reporter	Libranalysis
Tags:	SystemBC

Libranalysis

Uploaded as part of the sample sharing project

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

opiohr.exe

Verdict:

Malicious activity

Analysis date:

2021-02-26 09:56:05 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/75404974-8970-403e-855d-288e44590279

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/145416/

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file in the %temp% subdirectories

Sending a UDP request

Creating a file in the %AppData% directory

Creating a window

Creating a file

Creating a process from a recently created file

Creating a process with a hidden window

Creating a file in the Windows subdirectories

Enabling the 'hidden' option for recently created files

Unauthorized injection to a recently created process

Unauthorized injection to a recently created process by context flags manipulation

Enabling autorun by creating a file

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Gathering data

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/dbeae60f2dbf75d9340775ee02002e0400bc646f9d35dc41bdef73be4da82ac5/

Threat name:

Win32.Packed.Generic

Status:

Suspicious

First seen:

2021-02-26 20:48:33 UTC

AV detection:

26 of 47 (55.32%)

Threat level:

1/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=3pvomdznx525snahoxxaeaboaqalyzdptu25yqn555z34tniflcq._file

Verdict:

malicious

Result

Malware family:

systembc

Score:

10/10

Tags:

family:systembc trojan

Link:

https://tria.ge/reports/210428-g2fy7w4xba/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of WriteProcessMemory

NSIS installer

Enumerates physical storage devices

Drops file in Windows directory

Drops file in System32 directory

Suspicious use of SetThreadContext

Loads dropped DLL

Executes dropped EXE

SystemBC

SystemBC Payload

Unpacked files

SH256 hash:

55287b648914cae2d5777be49e3ef40ffb6b11eb5b19b8a2c2733891460c467c

MD5 hash:

d48de196461665448fe39aba093b592a

SHA1 hash:

5efcee52eb0ee53660f50e89df8059593745ed1e

Detections:

win_systembc_g0

win_systembc_auto

Link:

https://www.unpac.me/results/793ddee4-8cd2-4a24-ab6a-899e967d820b/

SH256 hash:

1a2489debd5e67f4e5b4da6794ef06c0a78e53e9ea2183805979911d1f1b3a06

MD5 hash:

ad329c16619c4df8121ff81af21396e2

SHA1 hash:

899f0c8aff22b98055b17cee57f0c3439ed4e9f7

Detections:

win_buer_auto

Link:

https://www.unpac.me/results/793ddee4-8cd2-4a24-ab6a-899e967d820b/

SH256 hash:

dbeae60f2dbf75d9340775ee02002e0400bc646f9d35dc41bdef73be4da82ac5

MD5 hash:

2876db1b03b557351668cd577bf09c52

SHA1 hash:

39dea8fbb9eeb2d5e6de5af3eda87f33a857dc12

Link:

https://www.unpac.me/results/793ddee4-8cd2-4a24-ab6a-899e967d820b/

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	MALWARE_Win_EXEPWSH_DLAgent Create hunting rule
Author:	ditekSHen
Description:	Detects downloader agent, using PowerShell

Rule name:	SystemBC Create hunting rule
Author:	@bartblaze
Description:	Identifies SystemBC RAT.
Reference:	https://news.sophos.com/en-us/2020/12/16/systembc/

Rule name:	win_systembc_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/145416/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample