MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fb45af7bb8ffdcddaaec2a9e88968fbcb82eaedbdf1c16a7e9ac861906a07e23. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SystemBC

Vendor detections: 14

Intelligence 14 IOCs YARA 5 File information Comments

SHA256 hash:	fb45af7bb8ffdcddaaec2a9e88968fbcb82eaedbdf1c16a7e9ac861906a07e23
SHA3-384 hash:	39b06aed590f8d4eed61abf325b7bf8f3a83f1472d08cd68277835f32a86dd5f93d14b8e3457951a27c9ba0e2eec712c
SHA1 hash:	dc865394a456b89282bf248eeff3509ec0116911
MD5 hash:	e62582236c24973720e092adec05f8c5
humanhash:	connecticut-three-monkey-carolina
File name:	e62582236c24973720e092adec05f8c5.exe
Download:	download sample
Signature	SystemBC Create hunting rule
File size:	160'256 bytes
First seen:	2023-01-25 20:29:01 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	3387a3592629261940cdc4764a709ef2 (1 x SystemBC)
ssdeep	3072:SXiOd5A7ENBKYEm9/1fUQcl7XcOOILUJC2PsrZLILNNOmr:SXiEA7EfKYE6RU1AnvspsP
TLSH	T1F4F3AD2932D1C033D047457459E3CAB5AE6AF8350F6A5A8B7BC41B7D5F303E29B2A346
TrID	47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 15.9% (.EXE) Win64 Executable (generic) (10523/12/4) 9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	eedaaed6e6f2eaf0 (1 x SystemBC)
Reporter	abuse_ch
Tags:	exe SystemBC

Intelligence

File Origin

# of uploads :

# of downloads :

214

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

systembc

ID:

File name:

e62582236c24973720e092adec05f8c5.exe

Verdict:

Malicious activity

Analysis date:

2023-01-25 20:32:35 UTC

Tags:

systembc

Link:

https://app.any.run/tasks/0cf9c4e0-1429-4aa8-8c75-eed3e7e602c2

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/356844/

Detection(s):

Win.Malware.Generickdz-9810688-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Сreating synchronization primitives

Creating a window

Searching for the window

Creating a file

Creating a process from a recently created file

Sending a custom TCP request

Searching for synchronization primitives

DNS request

Sending an HTTP GET request

Launching the default Windows debugger (dwwin.exe)

Query of malicious DNS domain

Sending a TCP request to an infection source

Enabling autorun by creating a file

Result

Malware family:

n/a

Score:

9/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/63072/overview

Behaviour

MalwareBazaar

SystemUptime

MeasuringTime

CPUID_Instruction

EvasionGetTickCount

EvasionQueryPerformanceCounter

CheckCmdLine

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

greyware packed

Link:

https://www.filescan.io/uploads/63d191101c9cbf7d6252b50c/reports/9fd46214-de12-4b68-bb0c-aadd828ee413/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

SystemBC

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/20c11587-f6a7-4430-a26b-ad0c2bddaf55

Result

Threat name:

SystemBC

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1159170

Signature

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found evasive API chain (may stop execution after checking mutex)

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

May check the online IP address of the machine

May use the Tor software to hide its network traffic

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Performs DNS queries to domains with low reputation

Snort IDS alert for network traffic

Tries to detect virtualization through RDTSC time measurements

Uses known network protocols on non-standard ports

Yara detected SystemBC

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/fb45af7bb8ffdcddaaec2a9e88968fbcb82eaedbdf1c16a7e9ac861906a07e23/

Threat name:

Win32.Trojan.MintZitirez

Status:

Malicious

First seen:

2020-12-02 13:03:00 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

30 of 39 (76.92%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=7nc2665y77on3kxmfkpirfupxs4c5lw334obnj7jvsdbsbvapyrq._file

Result

Malware family:

systembc

Score:

10/10

Tags:

family:systembc trojan

Link:

https://tria.ge/reports/230125-y9kgascb3t/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Program crash

Drops file in Windows directory

Looks up external IP address via web service

Uses Tor communications

Executes dropped EXE

SystemBC

Malware Config

C2 Extraction:

advertrex20.xyz:4044
gentexman37.xyz:4044

Unpacked files

SH256 hash:

60fef0b74db9562cfb9a906716975a8534d97b493911a939a40b69b1969ca0d3

MD5 hash:

e07af3db58067875967cf8817ab08378

SHA1 hash:

2a72e308dbf6a68f9d19013ee0f55d7183a9d3ff

Detections:

SystemBC

win_systembc_g0

Link:

https://www.unpac.me/results/f1ab766f-2106-4251-be33-cdf28a76ce76/

Parent samples :

d0c19e8c1317c52d421450e5605061b620d2b301d8e1a9811db6615c4d56b89f
08fd0983b9d0d9cd5947e885da8031fdf54d02a89a5d274e1c18bc8967bdde00
d896fea673941330bf9b4aca5ad7bd1b5e12d3768bfaea9521c843ac1324c629
36a101b5a13436dd67e2b33c2abbae7cdd86a7ed951185a1914c12685339ad74
fb45af7bb8ffdcddaaec2a9e88968fbcb82eaedbdf1c16a7e9ac861906a07e23

SH256 hash:

fb45af7bb8ffdcddaaec2a9e88968fbcb82eaedbdf1c16a7e9ac861906a07e23

MD5 hash:

e62582236c24973720e092adec05f8c5

SHA1 hash:

dc865394a456b89282bf248eeff3509ec0116911

Link:

https://www.unpac.me/results/f1ab766f-2106-4251-be33-cdf28a76ce76/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/fb45af7bb8ffdcddaaec2a9e88968fbcb82eaedbdf1c16a7e9ac861906a07e23

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	command_and_control Create hunting rule
Author:	CD_R0M_
Description:	This rule searches for common strings found by malware using C2. Based on a sample used by a Ransomware group

Rule name:	MALWARE_Win_EXEPWSH_DLAgent Create hunting rule
Author:	ditekSHen
Description:	Detects SystemBC

Rule name:	meth_peb_parsing Create hunting rule
Author:	Willi Ballenthin

Rule name:	MiniTor Create hunting rule
Author:	@bartblaze
Description:	Identifies MiniTor implementation as seen in SystemBC and Parallax RAT.
Reference:	https://news.sophos.com/en-us/2020/12/16/systembc/

Rule name:	Windows_Trojan_Smokeloader_3687686f Create hunting rule
Author:	Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/356844/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample