MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f891e10c9a7b6d0cbbbb6b3d103cf3dc935541430c5363648e6e1a3203bdd76d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SystemBC


Vendor detections: 14


Intelligence 14 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f891e10c9a7b6d0cbbbb6b3d103cf3dc935541430c5363648e6e1a3203bdd76d
SHA3-384 hash: 6a7a409c3fe7fa6dc248edc44c97050758365429fd73e0ad06dcd43efb4b13238d4d02616bd818a53b9d7fa2905808e3
SHA1 hash: 73594de56be8beaf92392af56c8bcc2fa44a6eac
MD5 hash: a7cbdc69144242409bce8285135b61f8
humanhash: alpha-golf-nineteen-social
File name:a7cbdc69144242409bce8285135b61f8.exe
Download: download sample
Signature SystemBC
Create hunting rule
File size:228'864 bytes
First seen:2022-03-26 15:56:39 UTC
Last seen:2022-03-26 17:33:16 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash ed1b2792ced7a8e7bb849a84d01e5fcb (9 x Smoke Loader, 5 x RedLineStealer, 5 x Stop)
ssdeep 1536:3pKr2jztTQudAGkD32Vrz0O1gtLA6q88vwzk/KYO1jD+fbPp8U45INU5h2lx//9I:3pKr2asc3+9yYO1jkLp8x5IiCx//9I
Threatray 76 similar samples on MalwareBazaar
TLSH T1DF24D0223690D031C4871A71B439CAAC5DBEE93117760E4B37A9167E5F303D1AABB74E
File icon (PE):PE icon
dhash icon 5c59da3ce0c1c850 (36 x Stop, 33 x Smoke Loader, 26 x RedLineStealer)
Reporter abuse_ch
Tags:exe SystemBC

Intelligence

File Origin
# of uploads :
2
# of downloads :
237
Origin country :
n/a
Vendor Threat Intelligence
Detection:
MiniTor
Create hunting rule
Link:
https://www.capesandbox.com/analysis/258047/
Detection(s):
SecuriteInfo.com.W32.AIDetect.malware1.5938.30403.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a window
Creating a file
Creating a process from a recently created file
Sending a custom TCP request
Launching the default Windows debugger (dwwin.exe)
Enabling autorun by creating a file
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/11517/overview
Behaviour
MeasuringTime
SystemUptime
EvasionGetTickCount
EvasionQueryPerformanceCounter
CheckCmdLine
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
greyware
Link:
https://www.filescan.io/uploads/623f37d89253b276b77a46ca/reports/14a4478d-a7a7-4252-b601-f02228a062d5/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
SystemBC
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/7490eb5c-a543-4a59-a436-fd0736548454
Result
Threat name:
SystemBC
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/965103
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found evasive API chain (may stop execution after checking mutex)
Found malware configuration
Malicious sample detected (through community Yara rule)
May use the Tor software to hide its network traffic
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect virtualization through RDTSC time measurements
Yara detected SystemBC
Behaviour
Behavior Graph:
Download SVG
Detection:
systembc
Create hunting rule
Link:
https://mwdb.cert.pl/sample/f891e10c9a7b6d0cbbbb6b3d103cf3dc935541430c5363648e6e1a3203bdd76d/
Threat name:
Win32.Backdoor.Coroxy
Create hunting rule
Status:
Malicious
First seen:
2022-03-26 13:28:00 UTC
File Type:
PE (Exe)
Extracted files:
6
AV detection:
20 of 25 (80.00%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=7ci6cde2pnwqzo53nm6rapht3sjvkqkdbrjwgzeonyndea5525wq._file
Verdict:
malicious
Similar samples:
08fd0983b9d0d9cd5947e885da8031fdf54d02a89a5d274e1c18bc8967bdde00
SystemBC
318e0bd67ccbf40f50b848831fb2885b161e68acdfaaa0c619c79b3912af2ecd
SystemBC
63e7464225916f05a6dc4576721fae7a3a449fdab81072f28ba9a4bf5e9a54f9
SystemBC
91647ac947d5d5d3a0dc69e98070bfc2f9841d7839b579d69c524b02869a497f
SystemBC
9e5f370201251e8dc138678f8e0d4f0bdd75e1353edcc77d41c8401621c2c671
SystemBC
e7174b9891b41bf0459fd6fe3f6ab5c63aa5ab4883b02d32325dd19f6d1ed71f
SystemBC
e86c00bb96428b8c113169da2c996f457ed22467c5ad998e87bb48b65e98ab36
SystemBC
f0562d49226fc4776a7991b14f43b2c7a572ae276adef3d3dc3678b8b0894401
SystemBC
f84a10e65b8b479c09668202550f40f3f7ccc5e3343e1a8ed6173e0873aefd11
SystemBC
+ 66 additional samples on MalwareBazaar
Result
Malware family:
systembc
Create hunting rule
Score:
  10/10
Tags:
family:systembc trojan
Link:
https://tria.ge/reports/220326-tdzh5aeeh2/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Program crash
Drops file in Windows directory
Downloads MZ/PE file
Executes dropped EXE
SystemBC
Malware Config
C2 Extraction:
31.44.185.6:4001
31.44.185.11:4001
Unpacked files
SH256 hash:
b432805eb6b2b58dd957481aa8a973be58915c26c04630ce395753c6a5196b14
MD5 hash:
5403c11319b16a89e7665141f8bff9fb
SHA1 hash:
9c9ae4bdf521749f23267644e7346f7ee2ad98ab
Detections:
win_systembc_g0
Create hunting rule
win_systembc_auto
Create hunting rule
Link:
https://www.unpac.me/results/e2a0672b-2da9-4a41-ad40-e4cf75da43e0/
Parent samples :
cb9fa8efff1e18846cac5f9f5700534dbb43d94beb5b4701e948d35669dde173
bad62abd7ad29c3d1379bd06439b3208549ceff63772420104c1b322a4abc810
f891e10c9a7b6d0cbbbb6b3d103cf3dc935541430c5363648e6e1a3203bdd76d
023e0ac5b8ee582ac8d8c1f36b96c8a87263e360428b0003b3159c876604be5f
7861180570ecfb48fccc3e1cff748974c64e58c31530aee4f9243af810200cc3
00d563277c832ba6a0d12f7b32f5ba19aac623bfaaabc8837d47bd6e985cd555
b4286bce9138f9c8fff9f8fc2eb4dcda9d48af83c62cf5ea03de48f862b301d9
4d62a012bd9a4700b2a0bc7143151eeaf12d1eb88bb8b02701902168cd42ce24
142d21e1c1d4b09bd1853f009c1e4bae0e3f4dcff9f9fe8d55e4cc5456d20971
1e31a6de957adb7a23e155ef8e9f80e67dc763443053e0014fba9e91f4eebc6f
64efd694a2e536ed7265fb46da5198788d895a9b7b9c2434404209b61c143a5f
0f88cfd80dda550bf8ed08966821d84f6344fa6110b248e1148f06109c9a9f96
055bb90b6b1355dfbd03fc77826720e14b37934a078fa1caa1ef0e47e04a99e8
69b22d283fd4a6ce1c9f69f610449b016fdbb7ac1f8c23e199b3c72d7f75c61d
9b2d89057155cd1cec731e83a0946cf95772134f0069da737fa30935b5a9b325
e77eb0d03b445cf74f20c2614b1135b62da61ecf0d7c48194b71b8f73297272d
11c509649c391209ce09bc178ebffcfc7cbfcf038ce699aebfd1303191c136aa
a35480f93ad4d0de19c119b903f6317cc8e59e779b654ec8f4bd5df4535267c6
SH256 hash:
f891e10c9a7b6d0cbbbb6b3d103cf3dc935541430c5363648e6e1a3203bdd76d
MD5 hash:
a7cbdc69144242409bce8285135b61f8
SHA1 hash:
73594de56be8beaf92392af56c8bcc2fa44a6eac
Link:
https://www.unpac.me/results/e2a0672b-2da9-4a41-ad40-e4cf75da43e0/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f891e10c9a7b6d0cbbbb6b3d103cf3dc935541430c5363648e6e1a3203bdd76d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_EXEPWSH_DLAgent
Create hunting rule
Author:ditekSHen
Description:Detects SystemBC
Rule name:MiniTor
Create hunting rule
Author:@bartblaze
Description:Identifies MiniTor implementation as seen in SystemBC and Parallax RAT.
Reference:https://news.sophos.com/en-us/2020/12/16/systembc/
Rule name:Start2_net_mem
Create hunting rule
Author:James_inthe_box
Description:SystemBC
Reference:7bd341488dc6f01a6662ac478d67d3cd8211cbf362994355027b5bdf573cc31e
Rule name:Start2_overlap_mem
Create hunting rule
Author:James_inthe_box
Description:SystemBC
Reference:7bd341488dc6f01a6662ac478d67d3cd8211cbf362994355027b5bdf573cc31e
Rule name:SystemBC_Config
Create hunting rule
Author:@bartblaze
Description:Identifies SystemBC RAT, decrypted config.
Rule name:win_systembc_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.systembc.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

SystemBC

Executable exe f891e10c9a7b6d0cbbbb6b3d103cf3dc935541430c5363648e6e1a3203bdd76d

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2108799/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/258047/

Comments