MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f5d83117640be29986b7f0c833dd99b5a18283a39d059ba2547a9ce2e7dc10ad. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



SystemBC


Vendor detections: 13



SHA256 hash: f5d83117640be29986b7f0c833dd99b5a18283a39d059ba2547a9ce2e7dc10ad
SHA3-384 hash: b1db44c63d2feca48b5b1cb63db7b5137e7936f1974409e822a8cd6f534dd3c95194764875eca8923a4e323a4873de01
SHA1 hash: c859ee290ee24e952bfb4c4b3d155e4af19276b6
MD5 hash: 4dcfac67c5665f33265025373ad19396
humanhash: carbon-snake-ohio-summer
File name: 4dcfac67c5665f33265025373ad19396.exe
Signature: SystemBC
File size: 2'617'568 bytes
First seen: 2023-01-06 09:35:23 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 650ed02ca4b6baad6b24f20402b6268b (7 x RedLineStealer, 1 x CryptBot, 1 x RemcosRAT)
ssdeep: 49152:zdGgHvZTQNHpHWqqT6r/xscnaPZJL8Qb9zJhS/qoK+/gb048J:zdCNHpHWqqTaps/jLRbJqioz/gbB8J
Threatray: 4'294 similar samples on MalwareBazaar
TLSH: T18EC533003F9DA0B9F1D34175DB54AE63413D79B8475884DBBBF01C43AB6ABD2CA39286
TrID: 43.3% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
      27.6% (.EXE) Win64 Executable (generic) (10523/12/4)
      13.2% (.EXE) Win16 NE executable (generic) (5038/12/1)
      5.3% (.EXE) OS/2 Executable (generic) (2029/13)
      5.2% (.EXE) Generic Win/DOS Executable (2002/3)
dhash icon: d1f9dcd98da7d9e9 (1 x SystemBC)
Reporter: abuse_ch
Tags: exe signed SystemBC
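The imphash above is shared with samples from three unrelated families, which is typical of a common packer or loader stub rather than shared payload code. The following is an added example (not MalwareBazaar's or pefile's code) that shows how an imphash is derived, following the normalisation pefile's get_imphash() applies: DLL name lowercased with a .dll/.ocx/.sys extension stripped, function names lowercased, ordinal-only imports written as ordN, tokens joined with commas in import-table order, then MD5. It simplifies one point, stated as an assumption: pefile first maps well-known ordinals of ws2_32 and oleaut32 to names, and that lookup table is omitted here. The import tables are constructed and are not the sample's real imports.

```python
"""Added example (not MalwareBazaar's or pefile's code): compute an imphash
from a normalised import table, following pefile's get_imphash() convention.
Simplification (assumption): pefile resolves well-known ws2_32/oleaut32
ordinals to names before hashing; that lookup table is omitted here."""
import hashlib
from typing import Iterable, List, Tuple, Union

ImportEntry = Tuple[str, Union[str, int]]  # (dll name, function name or ordinal)

_STRIPPED_EXTENSIONS = {"dll", "ocx", "sys"}


def normalize_import(dll: str, func: Union[str, int]) -> str:
    """Return the 'dll.func' token for one import.

    The DLL name is lowercased and loses a .dll/.ocx/.sys extension; function
    names are lowercased; imports by ordinal become 'ordN'."""
    lib = dll.lower()
    parts = lib.rsplit(".", 1)
    if len(parts) == 2 and parts[1] in _STRIPPED_EXTENSIONS:
        lib = parts[0]
    name = f"ord{func}" if isinstance(func, int) else func.lower()
    return f"{lib}.{name}"


def import_string(imports: Iterable[ImportEntry]) -> str:
    """Comma-joined normalised imports in table order (order matters)."""
    return ",".join(normalize_import(dll, func) for dll, func in imports)


def imphash(imports: Iterable[ImportEntry]) -> str:
    """MD5 of the normalised import string as a 32-char lowercase hex digest."""
    return hashlib.md5(import_string(imports).encode("ascii")).hexdigest()


def same_imphash(a: Iterable[ImportEntry], b: Iterable[ImportEntry]) -> bool:
    return imphash(list(a)) == imphash(list(b))


# Constructed import table for illustration; not the real import table of
# the sample on this page. A minimal loader stub like this is what makes
# unrelated payloads share one imphash.
LOADER_IMPORTS: List[ImportEntry] = [
    ("KERNEL32.dll", "LoadLibraryA"),
    ("KERNEL32.dll", "GetProcAddress"),
    ("KERNEL32.dll", "VirtualAlloc"),
    ("SHELL32.dll", "ShellExecuteA"),
    ("COMCTL32.dll", 17),  # ordinal-only import
]

# Same functions, different letter case: normalisation makes the hashes agree.
LOADER_IMPORTS_RECASED: List[ImportEntry] = [
    (dll.upper(), func.upper() if isinstance(func, str) else func)
    for dll, func in LOADER_IMPORTS
]

# Same functions in a different order: the hash changes.
LOADER_IMPORTS_REORDERED: List[ImportEntry] = list(reversed(LOADER_IMPORTS))

if __name__ == "__main__":
    print(import_string(LOADER_IMPORTS))
    print(imphash(LOADER_IMPORTS))
    print("case-insensitive:", same_imphash(LOADER_IMPORTS, LOADER_IMPORTS_RECASED))
    print("order-sensitive:", not same_imphash(LOADER_IMPORTS, LOADER_IMPORTS_REORDERED))
```

Because only the import table feeds the hash, anything that rewrites it (a packer, a different linker order, an added import) produces a new value, which is why imphash is a pivot for clustering build artefacts and not a statement about the unpacked payload.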

Code Signing Certificate

Organisation: AMD
Issuer: AMD
Algorithm: sha256WithRSAEncryption
Valid from: 2022-12-21T00:00:00Z
Valid to: 2029-12-21T00:00:00Z
Serial number: 322b8ea045a1bb76
Thumbprint Algorithm: SHA256
Thumbprint: 692b9060ce43bc3774903ededcd6ac74660e1cec097562a7a311315766022123
Source: This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Reading this block: the subject organisation and the issuer are identical, which is what a self-signed certificate looks like, and nothing here shows a chain to a trusted root. The "signed" tag therefore records only that an Authenticode signature is present, not that Windows would trust it; confirm with signtool verify /pa /v or Get-AuthenticodeSignature before giving the signer any weight.


abuse_ch
SystemBC C2:
23.137.249.215:4001

Intelligence


File Origin
# of uploads: 1
# of downloads: 202
Origin country: n/a

Vendor Threat Intelligence
Malware family: systembc
ID: 1
File name: 4dcfac67c5665f33265025373ad19396.exe
Verdict: Malicious activity
Analysis date: 2023-01-06 09:38:33 UTC
Tags: systembc trojan

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% subdirectories
Enabling the 'hidden' option for files in the %temp% directory
Creating synchronization primitives
Sending a custom TCP request
Running batch commands
Creating a process with a hidden window
Launching a process
Moving a file to the %temp% subdirectory
Creating a process from a recently created file
Replacing files

Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: keylogger overlay packed shell32.dll systembc
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: SystemBC
Detection: malicious
Classification: troj.spyw
Score: 92 / 100
Signature
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Contains functionality to register a low level keyboard hook
Machine Learning detection for dropped file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected SystemBC
Behaviour
Behavior Graph ID: 778878; Sample: bfpj406Xlj.exe; Start date: 06/01/2023; Architecture: WINDOWS; Score: 92

Process and file chain recovered from the graph:
- bfpj406Xlj.exe starts. Signatures on the sample: Snort IDS alert for network traffic; Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; 4 other signatures. Network contact: ocsp.sectigo.com.
- bfpj406Xlj.exe drops C:\Users\user\AppData\Local\Temp\...\7z.exe (PE32+) and C:\Users\user\AppData\Local\Temp\...\7z.dll (PE32+). Signature: Contains functionality to register a low level keyboard hook.
- bfpj406Xlj.exe starts cmd.exe.
- cmd.exe starts socks2.exe, 7z.exe (two instances) and 12 other processes.
- 7z.exe drops C:\Users\user\AppData\Local\...\socks2.exe (PE32).
- socks2.exe connects to 23.137.249.215 port 4001 (source port 49694), GTLAKESUS Reserved.
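The chain above (sample writes 7z.exe and 7z.dll to a %TEMP% subdirectory, cmd.exe runs 7z.exe, 7z.exe writes socks2.exe, socks2.exe is executed) is the "creating a process from a recently created file" behaviour the sandboxes flag. The following is an added detection example, not code from the page or from any sandbox vendor: it correlates Sysmon-style FileCreate (event 11) and ProcessCreate (event 1) records and reports every process whose image was written under %TEMP% shortly before it ran. The field names follow Sysmon's schema; the events, the Temp subdirectory name and the time window are constructed for illustration.

```python
"""Added example (not from the page or any sandbox vendor): flag processes
started from a file that was written to a %TEMP% subdirectory moments
earlier, by correlating constructed Sysmon-style FileCreate (event 11)
and ProcessCreate (event 1) records."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Event:
    event_id: int                 # 11 = FileCreate, 1 = ProcessCreate
    ts: float                     # seconds; constructed clock
    image: str                    # process that created the file / was started
    target: Optional[str] = None  # FileCreate: TargetFilename
    parent: Optional[str] = None  # ProcessCreate: ParentImage


WINDOW_SECONDS = 120.0  # assumption: how long after the write we still call it "recent"


def in_temp(path: str) -> bool:
    """True for paths under a user's %LOCALAPPDATA%\\Temp tree."""
    p = path.lower()
    return p.startswith("c:\\users\\") and "\\appdata\\local\\temp\\" in p


def find_drop_and_run(events: List[Event], window: float = WINDOW_SECONDS) -> List[Dict[str, str]]:
    """One finding per ProcessCreate whose Image lives under %TEMP% and was
    written by a FileCreate at most `window` seconds earlier."""
    created: Dict[str, Event] = {}
    findings: List[Dict[str, str]] = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.event_id == 11 and ev.target:
            created[ev.target.lower()] = ev          # remember the most recent writer
        elif ev.event_id == 1:
            key = ev.image.lower()
            fc = created.get(key)
            if fc and in_temp(key) and 0 <= ev.ts - fc.ts <= window:
                findings.append({
                    "image": ev.image,
                    "parent": ev.parent or "",
                    "dropped_by": fc.image,
                    "delay_s": f"{ev.ts - fc.ts:.1f}",
                })
    return findings


# Constructed events mirroring the chain on this page. The "x" subdirectory
# stands in for the elided Temp path and is not from the report.
T = "C:\\Users\\user\\AppData\\Local\\Temp\\"
CMD = "C:\\Windows\\System32\\cmd.exe"
EVENTS = [
    Event(11, 100.0, T + "bfpj406Xlj.exe", target=T + "x\\7z.exe"),
    Event(11, 100.1, T + "bfpj406Xlj.exe", target=T + "x\\7z.dll"),
    Event(1, 101.0, CMD, parent=T + "bfpj406Xlj.exe"),
    Event(1, 101.5, T + "x\\7z.exe", parent=CMD),
    Event(11, 102.0, T + "x\\7z.exe", target=T + "socks2.exe"),
    Event(1, 103.0, T + "socks2.exe", parent=CMD),
    # Benign control: an installer helper run long after it was written, outside %TEMP%.
    Event(11, 0.0, "C:\\Program Files\\Setup\\setup.exe", target="C:\\Program Files\\Setup\\helper.exe"),
    Event(1, 5000.0, "C:\\Program Files\\Setup\\helper.exe", parent="C:\\Program Files\\Setup\\setup.exe"),
]

if __name__ == "__main__":
    for f in find_drop_and_run(EVENTS):
        print(f"{f['parent']} -> {f['image']} (written {f['delay_s']}s earlier by {f['dropped_by']})")
```

The rule keys on the image path, so a dropper that copies itself to a new name before execution is still caught (the new file is the one that runs); it misses a payload executed from a path outside %TEMP%, which is the trade-off for keeping software installers out of the results.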
Threat name: Win32.Backdoor.Systembc
Status: Malicious
First seen: 2022-12-30 05:58:38 UTC
File Type: PE (Exe)
Extracted files: 16
AV detection: 15 of 26 (57.69%)
Threat level: 5/5

Result
Malware family: systembc
Score: 10/10
Tags: family:systembc trojan
Behaviour
Suspicious behavior: CmdExeWriteProcessMemorySpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Views/modifies file attributes
Enumerates physical storage devices
Checks computer location settings
Loads dropped DLL
Executes dropped EXE
SystemBC
Malware Config
C2 Extraction:
23.137.249.215:4001
reserve-domain.com:4001
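Both extracted C2 endpoints use port 4001, one by IP and one by hostname, so a sweep of network logs needs to treat them differently: the IP:port pair shows up in connection records, while the hostname shows up in DNS queries (a conn.log row would only carry whatever it resolved to). The following is an added example, not MalwareBazaar's or a vendor's code, that sweeps constructed Zeek-style conn.log and dns.log lines for the two indicators above. The column layout and the log lines are constructed for illustration.

```python
"""Added example (not MalwareBazaar's or any vendor's code): sweep
tab-separated Zeek-style conn.log and dns.log lines for the C2 endpoints
extracted from this sample's configuration. Column layouts below are an
assumption for illustration; the log lines are constructed, not captured."""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Set, Tuple

# C2 indicators as listed in the Malware Config block on this page.
C2_ENDPOINTS = {"23.137.249.215:4001", "reserve-domain.com:4001"}


@dataclass(frozen=True)
class Hit:
    log: str        # "conn" or "dns"
    src: str        # internal host that made the connection or query
    indicator: str  # which indicator matched
    line: str       # the raw log line


def split_indicators(endpoints: Iterable[str]) -> Tuple[Set[Tuple[str, int]], Set[str]]:
    """Split host:port indicators into (ip, port) pairs and bare domain names."""
    ips: Set[Tuple[str, int]] = set()
    domains: Set[str] = set()
    for ep in endpoints:
        host, _, port = ep.rpartition(":")
        try:
            ipaddress.ip_address(host)
            ips.add((host, int(port)))
        except ValueError:
            domains.add(host.lower().rstrip("."))
    return ips, domains


def _fields(lines: Iterable[str], min_cols: int):
    for line in lines:
        if not line or line.startswith("#"):   # skip Zeek header rows
            continue
        f = line.split("\t")
        if len(f) >= min_cols:
            yield f, line


def scan_conn(lines: Iterable[str], ips: Set[Tuple[str, int]]) -> List[Hit]:
    """conn.log columns (assumed): ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto"""
    hits = []
    for f, line in _fields(lines, 7):
        if (f[4], int(f[5])) in ips:
            hits.append(Hit("conn", f[2], f"{f[4]}:{f[5]}", line))
    return hits


def scan_dns(lines: Iterable[str], domains: Set[str]) -> List[Hit]:
    """dns.log columns (assumed): ts uid id.orig_h query answers.
    Matches the exact domain or any subdomain of it."""
    hits = []
    for f, line in _fields(lines, 4):
        q = f[3].lower().rstrip(".")
        for d in domains:
            if q == d or q.endswith("." + d):
                hits.append(Hit("dns", f[2], d, line))
                break
    return hits


def scan(conn_lines: Iterable[str], dns_lines: Iterable[str], endpoints=C2_ENDPOINTS) -> List[Hit]:
    ips, domains = split_indicators(endpoints)
    return scan_conn(conn_lines, ips) + scan_dns(dns_lines, domains)


# Constructed log lines (not captured traffic). 10.0.0.7 reaches the C2 IP on
# 4001 and also on 443; only the 4001 flow matches the extracted indicator.
CONN_LOG = """#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto
1673000000.1\tC1\t10.0.0.7\t49694\t23.137.249.215\t4001\ttcp
1673000001.2\tC2\t10.0.0.7\t49700\t23.137.249.215\t443\ttcp
1673000002.3\tC3\t10.0.0.9\t51000\t93.184.216.34\t80\ttcp""".splitlines()

DNS_LOG = """#fields\tts\tuid\tid.orig_h\tquery\tanswers
1673000000.0\tD1\t10.0.0.7\treserve-domain.com\t203.0.113.5
1673000003.0\tD2\t10.0.0.9\twww.example.com\t93.184.216.34""".splitlines()

if __name__ == "__main__":
    for h in scan(CONN_LOG, DNS_LOG):
        print(h.log, h.src, h.indicator)
```

The match is deliberately strict on IP and port because that is what the configuration extractor reported; if the address turns out to be dedicated infrastructure, drop the port from the key so the 443 flow in the constructed log is reported as well.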
Unpacked files
SHA256 hash: 7414e9611bbdd625eab5d4a0f0053b9394a22d277df6317d697c9f64035bcd3e
MD5 hash: 4ad7ab2b2a9359531b8aae4fd7fe402d
SHA1 hash: 28c32a5e249e96666bb54e10ec438b6b94c5057f

SHA256 hash: f5d83117640be29986b7f0c833dd99b5a18283a39d059ba2547a9ce2e7dc10ad
MD5 hash: 4dcfac67c5665f33265025373ad19396
SHA1 hash: c859ee290ee24e952bfb4c4b3d155e4af19276b6
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name:BitcoinAddress
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments