systembc | f57aff01f0d6a36bddeb8e7bbf8b33874c47a58d7827399c823424866aee33dd

Analysis

Target

25bb7618c80b2f912790e7f54f898a5f.exe
Size

959KB
MD5

25bb7618c80b2f912790e7f54f898a5f
SHA1

96ffd62a194f6436592dd9a3c59fe9223bb72611
SHA256

f57aff01f0d6a36bddeb8e7bbf8b33874c47a58d7827399c823424866aee33dd
SHA512

d63fb34e6f6dd0d4ecde2bccf9ddb67c1516d4f4c82bce6f8479b0bfed6fafca7bd4b5f02b71859387f30ca432fc0c262df5e5739e6ba44b40f45b1e85c0e312

Score

10^/10

systembc trojan

SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc
Downloads MZ/PE file
Executes dropped EXE 1 IoCs

Processes:

rpdk.exe

pid process

1624 rpdk.exe

pid	process
1624	rpdk.exe

Drops file in Windows directory 3 IoCs

Processes:

25bb7618c80b2f912790e7f54f898a5f.exerpdk.exe

description	ioc	process
File created	C:\Windows\Tasks\rpdk.job	25bb7618c80b2f912790e7f54f898a5f.exe
File opened for modification	C:\Windows\Tasks\rpdk.job	25bb7618c80b2f912790e7f54f898a5f.exe
File created	C:\Windows\Tasks\wiwvoaoaoaxjxjxjfpv.job	rpdk.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

taskeng.exe

description	pid	process	target process
PID 1220 wrote to memory of 1624	1220	taskeng.exe	rpdk.exe
PID 1220 wrote to memory of 1624	1220	taskeng.exe	rpdk.exe
PID 1220 wrote to memory of 1624	1220	taskeng.exe	rpdk.exe
PID 1220 wrote to memory of 1624	1220	taskeng.exe	rpdk.exe

C:\Users\Admin\AppData\Local\Temp\25bb7618c80b2f912790e7f54f898a5f.exe
"C:\Users\Admin\AppData\Local\Temp\25bb7618c80b2f912790e7f54f898a5f.exe"
1⤵
- Drops file in Windows directory
PID:532

C:\Windows\system32\taskeng.exe
taskeng.exe {95FFFDE9-4440-4D3A-ADEF-A454E2BBA795} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:1220

C:\ProgramData\qsqai\rpdk.exe
MD5
25bb7618c80b2f912790e7f54f898a5f

SHA1
96ffd62a194f6436592dd9a3c59fe9223bb72611

SHA256
f57aff01f0d6a36bddeb8e7bbf8b33874c47a58d7827399c823424866aee33dd

SHA512
d63fb34e6f6dd0d4ecde2bccf9ddb67c1516d4f4c82bce6f8479b0bfed6fafca7bd4b5f02b71859387f30ca432fc0c262df5e5739e6ba44b40f45b1e85c0e312

Download Submit
C:\ProgramData\qsqai\rpdk.exe
MD5
25bb7618c80b2f912790e7f54f898a5f

SHA1
96ffd62a194f6436592dd9a3c59fe9223bb72611

SHA256
f57aff01f0d6a36bddeb8e7bbf8b33874c47a58d7827399c823424866aee33dd

SHA512
d63fb34e6f6dd0d4ecde2bccf9ddb67c1516d4f4c82bce6f8479b0bfed6fafca7bd4b5f02b71859387f30ca432fc0c262df5e5739e6ba44b40f45b1e85c0e312

Download Submit
memory/1624-3-0x0000000000000000-mapping.dmp

Download