MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e2c8838fb5069229c2b558dce910f6c656fb94cac1dc96cb31f920ce8e72a30e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



SystemBC


Vendor detections: 12



SHA256 hash: e2c8838fb5069229c2b558dce910f6c656fb94cac1dc96cb31f920ce8e72a30e
SHA3-384 hash: b21743d399cef71848722492e207ee49980344c86072d5fd8dc97e5f6f51414b06b4d6b49a1b1dba595863e009b3242d
SHA1 hash: eafbe46f2b0b403d55f2b9910381e765ebdcbcbf
MD5 hash: 41d0be78075317aa1e18fb4fc4b4acf7
humanhash: cup-edward-princess-lemon
File name: eufive_20210826-113041
Signature: SystemBC
File size: 280'576 bytes
First seen: 2021-08-26 09:44:37 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 5c06a288f07d43206aca52d5d94444b2 (5 x Amadey, 1 x RedLineStealer, 1 x Smoke Loader)
ssdeep: 6144:fDm44Fsr4iatAl8qxe6V7YsV6ax+N7GUYQXtjiT/zv:y4IsrBSe8OV7Y86asHYOkP
Threatray: 224 similar samples on MalwareBazaar
TLSH: T1F1547C30ABA1C035F0B711F855BA83B8A93A7AB16B3450CF53D52AEE16346E5EC30757
dhash icon: ead8ac9cc6e68ee0 (118 x RaccoonStealer, 102 x RedLineStealer, 46 x Smoke Loader)
Reporter: benkow_
Tags: exe SystemBC

Intelligence


File Origin
# of uploads: 1
# of downloads: 160
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: eufive_20210826-113041
Verdict: Malicious activity
Analysis date: 2021-08-26 09:46:25 UTC
Tags: n/a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a window
Creating a file
Creating a process from a recently created file
Creating a process with a hidden window
DNS request
Connection attempt
Sending a custom TCP request
Sending a UDP request
Enabling autorun by creating a file
Result
Threat name: Unknown
Detection: malicious
Classification: evad
Score: 60 / 100
Signature
Detected unpacking (changes PE section rights)
Machine Learning detection for dropped file
Machine Learning detection for sample
Tries to detect virtualization through RDTSC time measurements
Threat name: Win32.Trojan.Azorult
Status: Malicious
First seen: 2021-08-26 09:45:06 UTC
AV detection: 27 of 43 (62.79%)
Threat level: 5/5
Result
Malware family: systembc
Score: 10/10
Tags: family:systembc trojan
Behaviour
Suspicious use of WriteProcessMemory
Drops file in Windows directory
Executes dropped EXE
SystemBC
Malware Config
C2 Extraction:
31337.hk:4110
31337r.hk:4110
Unpacked files
SHA256 hash: 818168883c796c209a78674fedfc4f746bf9fdf96200db9fe325c6c89520a675
MD5 hash: 622ef6b0bc8bc1185fcf3a96e838c2dd
SHA1 hash: 1a19d3d01b544170c3f07ac017e0600180881fc5
Detections: win_systembc_auto
SHA256 hash: e2c8838fb5069229c2b558dce910f6c656fb94cac1dc96cb31f920ce8e72a30e
MD5 hash: 41d0be78075317aa1e18fb4fc4b4acf7
SHA1 hash: eafbe46f2b0b403d55f2b9910381e765ebdcbcbf
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: MALWARE_Win_EXEPWSH_DLAgent
Author: ditekSHen
Description: Detects SystemBC

Rule name: Start2__bin
Author: James_inthe_box
Description: SystemBC
Reference: 7bd341488dc6f01a6662ac478d67d3cd8211cbf362994355027b5bdf573cc31e

Rule name: SystemBC_Socks
Author: @bartblaze
Description: Identifies SystemBC RAT, Socks proxy version.

Rule name: win_systembc_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: Detects win.systembc.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Dropped by: GCleaner

Comments