MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 eec99e0b7313623ce4bb15305166368bf658ae385f915c1993ca9f24660e196b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SystemBC


Vendor detections: 16


Intelligence 16 IOCs YARA 6 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: eec99e0b7313623ce4bb15305166368bf658ae385f915c1993ca9f24660e196b
SHA3-384 hash: 016f8fe53397b1e7a419246826e52e58756934e50ae3f82bfebf846525566ebeb3576fe1d50584ea09ffa78f0fc670fe
SHA1 hash: eb2616d7fbe11f4540f04025e686a3236dace506
MD5 hash: 8935e77a0d58fd07dbe8e094c6bacf6f
humanhash: mirror-virginia-princess-wisconsin
File name:8935e77a0d58fd07dbe8e094c6bacf6f
Download: download sample
Signature SystemBC
Create hunting rule
File size:664'064 bytes
First seen:2024-01-28 08:56:28 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'653 x AgentTesla, 19'464 x Formbook, 12'205 x SnakeKeylogger)
ssdeep 12288:dmBEkzH4KgftBrzP3p9L5tsavDlUtapp3WIRL3XyfqkpFL:eE44KgFBrrTz5vhUCUCkpF
TLSH T140E4CF5923184B17CBA6A3709A7393120661F9FBA4B3C70783C8717A545B6EF1FE0B49
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter zbetcheckin
Tags:32 exe SystemBC

Intelligence

File Origin
# of uploads :
1
# of downloads :
390
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
systembc
Create hunting rule
ID:
1
File name:
eec99e0b7313623ce4bb15305166368bf658ae385f915c1993ca9f24660e196b.exe
Verdict:
Malicious activity
Analysis date:
2024-01-28 08:59:20 UTC
Tags:
systembc proxy botnet
Link:
https://app.any.run/tasks/ab883c96-400a-412a-86b8-dd7d9db4856e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/473244/
Detection(s):
Win.Trojan.EmbeddedDotNetBinary-9940868-0
Create hunting rule

Win.Trojan.EmbeddedReversedDLL-9940922-0
Create hunting rule

Win.Trojan.Generic-10014419-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %AppData% directory
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Sending a TCP request to an infection source
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/65b616de40cbb80fe0476103/reports/4710df63-5616-4afb-b6a9-bf159566655d/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/eec99e0b7313623ce4bb15305166368bf658ae385f915c1993ca9f24660e196b
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
SystemBC
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/e8f7a2f3-8893-4bf6-91bf-70d4719e339a
Result
Threat name:
PureLog Stealer, SystemBC
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1382259
Signature
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Creates autostart registry keys with suspicious values (likely registry only malware)
Creates multiple autostart registry keys
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suspicious powershell command line found
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected Costura Assembly Loader
Yara detected PureLog Stealer
Yara detected SystemBC
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1382259 Sample: 6oBtHbzNJC.exe Startdate: 28/01/2024 Architecture: WINDOWS Score: 100 48 Found malware configuration 2->48 50 Malicious sample detected (through community Yara rule) 2->50 52 Antivirus / Scanner detection for submitted sample 2->52 54 8 other signatures 2->54 7 6oBtHbzNJC.exe 1 3 2->7         started        11 Nbsdtzto.exe 3 2->11         started        13 powershell.exe 2->13         started        15 2 other processes 2->15 process3 file4 42 C:\Users\user\AppData\Roaming42bsdtzto.exe, PE32 7->42 dropped 64 Creates multiple autostart registry keys 7->64 66 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 7->66 68 Injects a PE file into a foreign processes 7->68 17 6oBtHbzNJC.exe 1 7->17         started        21 6oBtHbzNJC.exe 7->21         started        70 Antivirus detection for dropped file 11->70 72 Multi AV Scanner detection for dropped file 11->72 74 Machine Learning detection for dropped file 11->74 23 Nbsdtzto.exe 11->23         started        35 2 other processes 11->35 25 6oBtHbzNJC.exe 2 13->25         started        27 conhost.exe 13->27         started        29 6oBtHbzNJC.exe 2 15->29         started        31 Nbsdtzto.exe 15->31         started        33 conhost.exe 15->33         started        signatures5 process6 dnsIp7 44 69.10.60.115, 4018, 49735, 49741 IS-AS-1US United States 17->44 56 Creates autostart registry keys with suspicious values (likely registry only malware) 17->56 46 127.0.0.1 unknown unknown 23->46 58 Injects a PE file into a foreign processes 25->58 37 6oBtHbzNJC.exe 25->37         started        40 6oBtHbzNJC.exe 29->40         started        signatures8 process9 signatures10 60 Creates autostart registry keys with suspicious values (likely registry only malware) 37->60 62 Creates multiple autostart registry keys 37->62
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/eec99e0b7313623ce4bb15305166368bf658ae385f915c1993ca9f24660e196b
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/eec99e0b7313623ce4bb15305166368bf658ae385f915c1993ca9f24660e196b/
Threat name:
Win32.Backdoor.Systembc
Create hunting rule
Status:
Malicious
First seen:
2024-01-28 08:57:05 UTC
File Type:
PE (.Net Exe)
Extracted files:
3
AV detection:
19 of 24 (79.17%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=53ez4c3tcnrdzzf3cuyfczrwrp3frlryl6ivygmtzkpsizqodfvq._file
Verdict:
malicious
Result
Malware family:
zgrat
Create hunting rule
Score:
  10/10
Tags:
family:systembc family:zgrat persistence rat trojan
Link:
https://tria.ge/reports/240128-kwkm9afdg4/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
SystemBC
ZGRat
Detect ZGRat V1
Malware Config
C2 Extraction:
69.10.60.115:4018
Unpacked files
SH256 hash:
e63a911ace589c223d9a5742a0813a8acfe6a07f1d6a569a93f00e3f4d9f3583
MD5 hash:
f6027fb8824e1c97d7751e97d3d5794f
SHA1 hash:
e27ca84e11313e7cb2989a2bc96251b2f614f25a
Detections:
MALWARE_Win_EXEPWSH_DLAgent
Create hunting rule
Link:
https://www.unpac.me/results/e88674da-5d14-4ba9-8f92-ddcc3ce461d0/
Parent samples :
e63a911ace589c223d9a5742a0813a8acfe6a07f1d6a569a93f00e3f4d9f3583
eec99e0b7313623ce4bb15305166368bf658ae385f915c1993ca9f24660e196b
SH256 hash:
10971cf2196f5ce5af57857d68625f63367534cef8335bd37ebd9b07100d1532
MD5 hash:
592e04f94de34346957f4d05619321f4
SHA1 hash:
db7af24bf2cf5919295689e6da3bf8e123f919b1
Link:
https://www.unpac.me/results/e88674da-5d14-4ba9-8f92-ddcc3ce461d0/
SH256 hash:
52337d75f4c310677c8e2a5b5a0b5aeb993187b874e3e2d235d7f6e58a85e94e
MD5 hash:
592e6fac86b991d369cfd4c39b98d777
SHA1 hash:
480b130fd1912e1cd7af873aa5a9e49383efd40a
Link:
https://www.unpac.me/results/e88674da-5d14-4ba9-8f92-ddcc3ce461d0/
SH256 hash:
a37bae433a211204966932fb2fe7740ed5e1a1254834cf61b2c9632579448cf4
MD5 hash:
db98550a634877e206d16633eeebe7d1
SHA1 hash:
1baf5808fa737a270de34d57cf2ba9dbff164c7f
Link:
https://www.unpac.me/results/e88674da-5d14-4ba9-8f92-ddcc3ce461d0/
SH256 hash:
eec99e0b7313623ce4bb15305166368bf658ae385f915c1993ca9f24660e196b
MD5 hash:
8935e77a0d58fd07dbe8e094c6bacf6f
SHA1 hash:
eb2616d7fbe11f4540f04025e686a3236dace506
Detections:
Typical_Malware_String_Transforms
Create hunting rule
Link:
https://www.unpac.me/results/e88674da-5d14-4ba9-8f92-ddcc3ce461d0/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/eec99e0b7313623ce4bb15305166368bf658ae385f915c1993ca9f24660e196b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Typical_Malware_String_Transforms
Create hunting rule
Author:Florian Roth (Nextron Systems)
Description:Detects typical strings in a reversed or otherwise modified form
Reference:Internal Research
Rule name:Typical_Malware_String_Transforms_RID3473
Create hunting rule
Author:Florian Roth
Description:Detects typical strings in a reversed or otherwise modified form
Reference:Internal Research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

SystemBC

Executable exe eec99e0b7313623ce4bb15305166368bf658ae385f915c1993ca9f24660e196b

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2752583/
Cape
Cape
https://www.capesandbox.com/analysis/473244/

Comments


Avatar
zbet commented on 2024-01-28 08:56:29 UTC

url : hxxp://69.10.60.115/gplmpn/Rekjotxg.exe