MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f393d8ab0dad57149651772c1987b77a52c604e8c7b9a5810977079a28e946bb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SystemBC


Vendor detections: 9


Intelligence 9 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f393d8ab0dad57149651772c1987b77a52c604e8c7b9a5810977079a28e946bb
SHA3-384 hash: 5e816200517c8113eca99377dfebaf9b7cb3ff2c64051df78d5dd8956876f3d9cbf0a2c3a51a7baceeaf77c526a32f43
SHA1 hash: d0e252e1486347d3a78102f6803c00245e548a96
MD5 hash: a830969d630c15b26ecf4d3f65c1ba11
humanhash: virginia-south-carpet-three
File name:f393d8ab0dad57149651772c1987b77a52c604e8c7b9a5810977079a28e946bb
Download: download sample
Signature SystemBC
Create hunting rule
File size:13'832 bytes
First seen:2022-04-20 06:49:22 UTC
Last seen:2022-04-20 07:44:48 UTC
File type:DLL dll
MIME type:application/x-dosexec
imphash 15d0b563bda8248b1bc2c80e6e502bc6 (4 x SystemBC)
ssdeep 192:UHlyEnTXZ1eMLfEYzHfdgyVQ0PQ+t4XbLVOOG9bBytrPsG:sl/TXZ0MQYzHfdgyy0/8bUOG9b8Px
Threatray 141 similar samples on MalwareBazaar
TLSH T1CD52F7A7657084B2C21242703EAF2322847D65B552399015EFE00F5C7F3EB979B22F53
TrID 48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
16.4% (.EXE) Win64 Executable (generic) (10523/12/4)
10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter JAMESWT_WT
Tags:dll SystemBC

Intelligence

File Origin
# of uploads :
2
# of downloads :
258
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Variant.Graftor.636737.12897.6961.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
greyware overlay shell32.dll systembc
Link:
https://www.filescan.io/uploads/625fad20482f2f41cad76514/reports/bacf7352-420f-4e50-9195-c7ae165e9bd7/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
SystemBC
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/28276b37-5a85-4b68-a6f3-e5192af1f219
Result
Threat name:
SystemBC
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/979335
Signature
Antivirus / Scanner detection for submitted sample
C2 URLs / IPs found in malware configuration
Found malware configuration
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Emotet RunDLL32 Process Creation
Sigma detected: Suspicious Call by Ordinal
System process connects to network (likely due to code injection or exploit)
Yara detected SystemBC
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 611823 Sample: 2Xnyr4yIym Startdate: 20/04/2022 Architecture: WINDOWS Score: 100 23 Sigma detected: Emotet RunDLL32 Process Creation 2->23 25 Found malware configuration 2->25 27 Malicious sample detected (through community Yara rule) 2->27 29 6 other signatures 2->29 7 loaddll32.exe 1 2->7         started        process3 process4 9 rundll32.exe 7->9         started        12 rundll32.exe 7->12         started        15 cmd.exe 1 7->15         started        dnsIp5 31 System process connects to network (likely due to code injection or exploit) 9->31 19 46.166.161.93, 443, 49738, 49740 CHERRYSERVERS1-ASLT Lithuania 12->19 21 127.0.0.1 unknown unknown 12->21 17 rundll32.exe 15->17         started        signatures6 process7
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f393d8ab0dad57149651772c1987b77a52c604e8c7b9a5810977079a28e946bb/
Threat name:
Win32.Backdoor.Coroxy
Create hunting rule
Status:
Malicious
First seen:
2022-01-29 06:55:40 UTC
File Type:
PE (Dll)
AV detection:
30 of 41 (73.17%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=6oj5rkynvvlrjfsro4wbtb5xpjjmmbhiy642laijo4dzukhji25q._file
Verdict:
malicious
Similar samples:
003bd2ca89efc808a6f5e607f1d19c2d5ca1d629dfef3f324a9fbea0ce933fd7
SystemBC
118a7af7d60eaec0d2a880691bcfb39839c181447c9e669e4d093d59e936d7bd
SystemBC
4fb561dbdfd2eac3757e56df1cda954fc4cdbab3da7225ea97ed3a9111ae74e5
SystemBC
683e6f42222caf44fdc3917be95d55a3f2213c5e3f966e33996ecd1f0743197f
SystemBC
6843226fd84ae2ce783119d4ba634e00d10dc6e5374a23d26b42cd0e7e6b18cd
SystemBC
d5ea30279fc37436f63d3c6275aad6a2c8abdcd32e10888200fae3e986cb9626
SystemBC
e2c8838fb5069229c2b558dce910f6c656fb94cac1dc96cb31f920ce8e72a30e
SystemBC
efdc1489d1024ba19acaa9a86fb0750446896947a563e6d89739254d8250a932
SystemBC
f57aff01f0d6a36bddeb8e7bbf8b33874c47a58d7827399c823424866aee33dd
SystemBC
+ 131 additional samples on MalwareBazaar
Result
Malware family:
systembc
Create hunting rule
Score:
  10/10
Tags:
family:systembc
Link:
https://tria.ge/reports/220420-hlxhyshgbn/
Behaviour
Suspicious use of WriteProcessMemory
Blocklisted process makes network request
Malware Config
C2 Extraction:
46.166.161.93:443
127.0.0.1:443
Unpacked files
SH256 hash:
f393d8ab0dad57149651772c1987b77a52c604e8c7b9a5810977079a28e946bb
MD5 hash:
a830969d630c15b26ecf4d3f65c1ba11
SHA1 hash:
d0e252e1486347d3a78102f6803c00245e548a96
Link:
https://www.unpac.me/results/59797286-6b59-420b-9332-5b72b17b584f/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/f393d8ab0dad57149651772c1987b77a52c604e8c7b9a5810977079a28e946bb

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:EXT_MAL_SystemBC_Mar22_1
Create hunting rule
Author:Thomas Barabosch, Deutsche Telekom Security
Description:Detects unpacked SystemBC module as used by Emotet in March 2022
Reference:https://twitter.com/Cryptolaemus1/status/1502069552246575105
Rule name:MALWARE_Win_EXEPWSH_DLAgent
Create hunting rule
Author:ditekSHen
Description:Detects SystemBC
Rule name:Start2_net_bin
Create hunting rule
Author:James_inthe_box
Description:SystemBC
Reference:7bd341488dc6f01a6662ac478d67d3cd8211cbf362994355027b5bdf573cc31e
Rule name:Start2_overlap_bin
Create hunting rule
Author:James_inthe_box
Description:SystemBC
Reference:7bd341488dc6f01a6662ac478d67d3cd8211cbf362994355027b5bdf573cc31e
Rule name:Start2__bin
Create hunting rule
Author:James_inthe_box
Description:SystemBC
Reference:7bd341488dc6f01a6662ac478d67d3cd8211cbf362994355027b5bdf573cc31e
Rule name:SystemBC_Config
Create hunting rule
Author:@bartblaze
Description:Identifies SystemBC RAT, decrypted config.
Rule name:SystemBC_Socks
Create hunting rule
Author:@bartblaze
Description:Identifies SystemBC RAT, Socks proxy version.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments