MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f6bd411595c62c1f8a1a3d0217fc7a1de2aa817f4a5addacf79ce4bade5fad07. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SystemBC


Vendor detections: 15


Intelligence 15 IOCs 1 YARA 9 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f6bd411595c62c1f8a1a3d0217fc7a1de2aa817f4a5addacf79ce4bade5fad07
SHA3-384 hash: 0001a573e6c28349ff42013a60da26f45776f09fc62f2536a458b7f81ea106c1e6698aeef7f63ccea95d43740fb7e78d
SHA1 hash: 5a6846a11e70f1aca4d46861572a398b9cb42d1f
MD5 hash: 1cf144ee467f24cfb465e9e0da12769b
humanhash: magazine-cat-sweet-california
File name:1cf144ee467f24cfb465e9e0da12769b.exe
Download: download sample
Signature SystemBC
Create hunting rule
File size:2'187'264 bytes
First seen:2022-05-24 03:02:09 UTC
Last seen:2022-05-24 03:39:42 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f3ddddcb5749a5e557391f62b3626501 (1 x SystemBC, 1 x Smoke Loader)
ssdeep 49152:Doqr+wWViBnIYI7Q9XCvn1JvRY918hdoq7b/:DDCjUyYS1pC918hdoq7b/
TLSH T1F8A59D226E9F48F2D47A26788DFB52DB58277D0038E459EE27E01F48CE397417F1129A
TrID 45.4% (.EXE) Win32 Executable Borland Delphi 7 (664796/42/58)
30.8% (.EXE) Win32 Executable Borland Delphi 5 (451463/56/28)
17.9% (.EXE) Win32 Executable Borland Delphi 6 (262638/61)
2.9% (.EXE) InstallShield setup (43053/19/16)
0.9% (.EXE) Win32 Executable Delphi generic (14182/79/4)
File icon (PE):PE icon
dhash icon 399998ecd4d46c0e (572 x Quakbot, 137 x ArkeiStealer, 82 x GCleaner)
Reporter abuse_ch
Tags:exe SystemBC


Avatar
abuse_ch
SystemBC C2:
104.223.88.101:443

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
104.223.88.101:443 https://threatfox.abuse.ch/ioc/628974/

Intelligence

File Origin
# of uploads :
2
# of downloads :
288
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
systembc
Create hunting rule
ID:
1
File name:
1cf144ee467f24cfb465e9e0da12769b.exe
Verdict:
Malicious activity
Analysis date:
2022-05-24 03:08:36 UTC
Tags:
installer systembc
Link:
https://app.any.run/tasks/1b02e538-a8b4-4b9f-81a0-8525a28dd4a9

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
SystemBC
Create hunting rule
Link:
https://www.capesandbox.com/analysis/273921/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a window
Searching for synchronization primitives
Creating a file
DNS request
Sending a custom TCP request
Enabling autorun by creating a file
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/19772/overview
Behaviour
MalwareBazaar
CheckCmdLine
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
apt control.exe fareit greyware keylogger packed qbot replace.exe ursnif
Link:
https://www.filescan.io/uploads/628c4afd6eb3ff3263262c0b/reports/d1a4e449-3ba7-4717-80cc-7a1ec46f18ac/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
SystemBC
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/01694d72-0b39-4233-bbdf-169394731519
Result
Threat name:
CryptOne, SystemBC
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1000337
Signature
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found evasive API chain (may stop execution after checking mutex)
Found malware configuration
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected CryptOne packer
Yara detected SystemBC
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f6bd411595c62c1f8a1a3d0217fc7a1de2aa817f4a5addacf79ce4bade5fad07/
Threat name:
Win32.Trojan.Injuke
Create hunting rule
Status:
Malicious
First seen:
2022-05-24 01:27:51 UTC
File Type:
PE (Exe)
Extracted files:
140
AV detection:
18 of 26 (69.23%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=626ucfmvyywb7cq2hubbp7d2dxrkval7jjnn3lhxttslvxs7vudq._file
Verdict:
malicious
Result
Malware family:
systembc
Create hunting rule
Score:
  10/10
Tags:
family:systembc trojan
Link:
https://tria.ge/reports/220524-dj1qdaddf5/
Behaviour
Suspicious use of WriteProcessMemory
Drops file in Windows directory
SystemBC
Malware Config
C2 Extraction:
polkoirtyed.com:443
146.70.53.169:443
Unpacked files
SH256 hash:
9e6b6879645f7c3b92f4be5e73225fc043b561e67ab78c669ec196c06fdcae07
MD5 hash:
9de8aff1b9b6aa4137ddba39f8fbde55
SHA1 hash:
af6be9513075ab20ec31f93901a568aeb5d61c62
Link:
https://www.unpac.me/results/916a0b16-d6e3-46aa-9bad-978e768dec24/
SH256 hash:
f6bd411595c62c1f8a1a3d0217fc7a1de2aa817f4a5addacf79ce4bade5fad07
MD5 hash:
1cf144ee467f24cfb465e9e0da12769b
SHA1 hash:
5a6846a11e70f1aca4d46861572a398b9cb42d1f
Link:
https://www.unpac.me/results/916a0b16-d6e3-46aa-9bad-978e768dec24/
Malware family:
CryptOne
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/f6bd411595c6/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
SystemBC
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f6bd411595c62c1f8a1a3d0217fc7a1de2aa817f4a5addacf79ce4bade5fad07

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:APT_DustSquad_PE_Nov19_1
Create hunting rule
Author:Arkbird_SOLG
Description:Detection Rule for APT DustSquad campaign Nov19
Reference:https://twitter.com/Rmy_Reserve/status/1197448735422238721
Rule name:APT_DustSquad_PE_Nov19_2
Create hunting rule
Author:Arkbird_SOLG
Description:Detection Rule for APT DustSquad campaign Nov19
Reference:https://twitter.com/Rmy_Reserve/status/1197448735422238721
Rule name:EXT_MAL_SystemBC_Mar22_1
Create hunting rule
Author:Thomas Barabosch, Deutsche Telekom Security
Description:Detects unpacked SystemBC module as used by Emotet in March 2022
Reference:https://twitter.com/Cryptolaemus1/status/1502069552246575105
Rule name:MALWARE_Win_EXEPWSH_DLAgent
Create hunting rule
Author:ditekSHen
Description:Detects SystemBC
Rule name:Start2_net_bin
Create hunting rule
Author:James_inthe_box
Description:SystemBC
Reference:7bd341488dc6f01a6662ac478d67d3cd8211cbf362994355027b5bdf573cc31e
Rule name:Start2_overlap_bin
Create hunting rule
Author:James_inthe_box
Description:SystemBC
Reference:7bd341488dc6f01a6662ac478d67d3cd8211cbf362994355027b5bdf573cc31e
Rule name:Start2__bin
Create hunting rule
Author:James_inthe_box
Description:SystemBC
Reference:7bd341488dc6f01a6662ac478d67d3cd8211cbf362994355027b5bdf573cc31e
Rule name:SystemBC_Config
Create hunting rule
Author:@bartblaze
Description:Identifies SystemBC RAT, decrypted config.
Rule name:SystemBC_Socks
Create hunting rule
Author:@bartblaze
Description:Identifies SystemBC RAT, Socks proxy version.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

SystemBC

Executable exe f6bd411595c62c1f8a1a3d0217fc7a1de2aa817f4a5addacf79ce4bade5fad07

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2205066/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/273921/

Comments