MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ead2c5aaf92fe07db45b99587f586c7a45f92c67220cd8113a5d2e7bcb320798. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SystemBC


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ead2c5aaf92fe07db45b99587f586c7a45f92c67220cd8113a5d2e7bcb320798
SHA3-384 hash: bf8ba7909c59a7c403041a19787335d2d382e3c4eb5f71ac30d7ccf45990f8288bdd796e59a6e7575944f4f48a9c3526
SHA1 hash: d5f1ab52221019c746f1cc59a45ce18d0b817496
MD5 hash: 0d079a931e42f554016db36476e55ba7
humanhash: burger-carbon-bacon-glucose
File name:0d079a931e42f554016db36476e55ba7
Download: download sample
Signature SystemBC
Create hunting rule
File size:7'566'544 bytes
First seen:2022-12-09 09:50:52 UTC
Last seen:Never
File type:DLL dll
MIME type:application/x-dosexec
imphash d3a98daa37dbe78969711cc1194ce51b (1 x SystemBC)
ssdeep 196608:l3ksPqmzcl+LG314Hujb7KgkYCbGNBmHTER:lUON+2HBb8
Threatray 580 similar samples on MalwareBazaar
TLSH T15776332F16980415E4EECC3A85EBBE9132F5073A9E8278BCA5DA5DC13A354F5B702163
TrID 27.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
20.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
18.5% (.EXE) Win32 Executable (generic) (4505/5/1)
8.4% (.ICL) Windows Icons Library (generic) (2059/9)
8.3% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon 399998ecd4d46c0e (572 x Quakbot, 137 x ArkeiStealer, 82 x GCleaner)
Reporter zbetcheckin
Tags:32 dll exe signed SystemBC

Code Signing Certificate

Organisation:fumbling corp.
Issuer:fumbling corp.
Algorithm:sha256WithRSAEncryption
Valid from:2022-12-08T17:12:34Z
Valid to:2023-12-08T17:32:34Z
Serial number: 78919934276f458544703d1c7fc21303
Thumbprint Algorithm:SHA256
Thumbprint: e3fcba8cb056d8c4b5f3c974dd82c3cd9c96af2621722c26119e478f35637e99
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
1
# of downloads :
191
Origin country :
n/a
Vendor Threat Intelligence
Detection:
SystemBC
Create hunting rule
Link:
https://www.capesandbox.com/analysis/344653/
Detection(s):
SecuriteInfo.com.Win32.BackdoorX-gen.12119.30758.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Sending a custom TCP request
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
shell32.dll
Link:
https://www.filescan.io/uploads/639305080c6473d1671a2011/reports/29e6de9f-c008-45f9-9117-19a65176d4a5/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
SystemBC
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/c49c2932-6dbd-4bf5-a8db-f2d3124ded72
Result
Threat name:
SystemBC
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/1131312
Signature
Hides threads from debuggers
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Overwrites code with function prologues
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
PE file contains section with special chars
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Tries to evade analysis by execution special instruction (VM detection)
Yara detected SystemBC
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 764036 Sample: 6k00SOeMjU.dll Startdate: 09/12/2022 Architecture: WINDOWS Score: 96 25 Malicious sample detected (through community Yara rule) 2->25 27 Multi AV Scanner detection for submitted file 2->27 29 Yara detected SystemBC 2->29 31 PE file contains section with special chars 2->31 7 loaddll32.exe 1 2->7         started        process3 signatures4 37 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 7->37 39 Overwrites code with function prologues 7->39 41 Tries to evade analysis by execution special instruction (VM detection) 7->41 43 2 other signatures 7->43 10 rundll32.exe 7->10         started        14 rundll32.exe 7->14         started        16 cmd.exe 1 7->16         started        18 conhost.exe 7->18         started        process5 dnsIp6 23 89.22.236.225, 4193, 49698, 49699 INETLTDTR Russian Federation 10->23 45 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 10->45 47 Tries to detect virtualization through RDTSC time measurements 10->47 49 Hides threads from debuggers 10->49 51 System process connects to network (likely due to code injection or exploit) 14->51 20 rundll32.exe 16->20         started        signatures7 process8 signatures9 33 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 20->33 35 Hides threads from debuggers 20->35
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ead2c5aaf92fe07db45b99587f586c7a45f92c67220cd8113a5d2e7bcb320798/
Threat name:
Win32.Trojan.Coroxy
Create hunting rule
Status:
Malicious
First seen:
2022-12-09 07:27:22 UTC
File Type:
PE (Dll)
Extracted files:
2
AV detection:
18 of 26 (69.23%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=5ljmlkxzf7qh3nc3tfmh6wdmpjc7sldheignqej2luxhxszsa6ma._file
Verdict:
malicious
Label(s):
raccoon
Create hunting rule
Similar samples:
1e5c7dcfbe4a1e9da06229b4512229c463b0268832b9cb6cdb35a1153963be37
SystemBC
3cea6eaf23e94e38d790a9ccf43e490f8ad3da3eb920e3a967d18947905b60b7
SystemBC
411c449f978ff2425a9ee85a26157a0ba45a4895f6c1401a7c4d9a9c42c6a73b
SystemBC
4d70a2e9f63fea018db99bef6cecbf094255c52f6e2bd9d1d7458e637efb9172
SystemBC
56d901c98e235d2c02936b0553839e7fec6bec501097f87996a47da1f0ae501c
SystemBC
c5b4ef6efd9f7da867cceb90761c47c62e882bce0cc20ca88f5f73fb7308c01c
SystemBC
d72645347b3fa6134cc416b6b9d73eec9d4ef2af4dbf26c6b91da795144c394c
SystemBC
e134f20c16c2d118f95738897fc6c8f3be4ec46563ad7e1c243c3d7595a0ea68
SystemBC
f022991ffa81316654d102a92989ed05e2ba1a7cdff6bf828f830dbeae375627
SystemBC
+ 570 additional samples on MalwareBazaar
Result
Malware family:
systembc
Create hunting rule
Score:
  10/10
Tags:
family:systembc trojan
Link:
https://tria.ge/reports/221209-lvg2each35/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of NtSetInformationThreadHideFromDebugger
Blocklisted process makes network request
SystemBC
Malware Config
C2 Extraction:
89.22.236.225:4193
176.124.205.5:4193
Unpacked files
SH256 hash:
edbdfc34c78ff18d2d3f69d982642a95832edf2302c8e82c63d31ad6a30295bd
MD5 hash:
01a5b511a8c872fec299dcb0a82b68e3
SHA1 hash:
a1513216ffc12dcdb277024002dbe3f7650b6540
Detections:
SystemBC
Create hunting rule
Link:
https://www.unpac.me/results/6b9aa3c4-ea21-4563-be3b-0135b09fbf56/
SH256 hash:
ead2c5aaf92fe07db45b99587f586c7a45f92c67220cd8113a5d2e7bcb320798
MD5 hash:
0d079a931e42f554016db36476e55ba7
SHA1 hash:
d5f1ab52221019c746f1cc59a45ce18d0b817496
Link:
https://www.unpac.me/results/6b9aa3c4-ea21-4563-be3b-0135b09fbf56/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/ead2c5aaf92fe07db45b99587f586c7a45f92c67220cd8113a5d2e7bcb320798

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

SystemBC

DLL dll ead2c5aaf92fe07db45b99587f586c7a45f92c67220cd8113a5d2e7bcb320798

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2452285/
Cape
Cape
https://www.capesandbox.com/analysis/344653/

Comments


Avatar
zbet commented on 2022-12-09 09:51:00 UTC

url : hxxp://ripple-wells-2022.net/n8exrcvvse1m2/syncfiles.dll