systembc | a601e754a8af2b3a971c1d124ac92a20631e3d393fba18e66751b5d0bff2b100

General

Target

73aa2035ead90068d5a7ef4b1ebe0625.exe
Size

139KB
MD5

73aa2035ead90068d5a7ef4b1ebe0625
SHA1

ecb5a651c0c7cb689bdbfeb1d5bc5300d3af235f
SHA256

a601e754a8af2b3a971c1d124ac92a20631e3d393fba18e66751b5d0bff2b100
SHA512

6d8d38c112ed58d31e33d75e9e9c2e7cf0d3c391e360b40565168f0b535ff157e99a9e378de87b2b970ddcb7accf4f5c7cb231bcd7b7c10b4824519db296b5b3

Score

10^/10

systembc trojan

Malware Config

Extracted

Family

systembc

C2

176.111.174.63:1500

192.168.1.149:1500

Signatures

SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc
Downloads MZ/PE file
Executes dropped EXE 2 IoCs

Processes:

cxabv.execxabv.exe

pid process

2044 cxabv.exe
3656 cxabv.exe

pid	process
2044	cxabv.exe
3656	cxabv.exe

Drops file in Windows directory 5 IoCs

Processes:

73aa2035ead90068d5a7ef4b1ebe0625.exe73aa2035ead90068d5a7ef4b1ebe0625.execxabv.exe

description	ioc	process
File created	C:\Windows\Tasks\wow64.job	73aa2035ead90068d5a7ef4b1ebe0625.exe
File opened for modification	C:\Windows\Tasks\wow64.job	73aa2035ead90068d5a7ef4b1ebe0625.exe
File created	C:\Windows\Tasks\rkmntkfuptuqtuvwvwx.job	73aa2035ead90068d5a7ef4b1ebe0625.exe
File created	C:\Windows\Tasks\wow64.job	cxabv.exe
File opened for modification	C:\Windows\Tasks\wow64.job	cxabv.exe

C:\Users\Admin\AppData\Local\Temp\73aa2035ead90068d5a7ef4b1ebe0625.exe
"C:\Users\Admin\AppData\Local\Temp\73aa2035ead90068d5a7ef4b1ebe0625.exe"
1⤵
- Drops file in Windows directory
PID:496

C:\Users\Admin\AppData\Local\Temp\73aa2035ead90068d5a7ef4b1ebe0625.exe
C:\Users\Admin\AppData\Local\Temp\73aa2035ead90068d5a7ef4b1ebe0625.exe start
1⤵
- Drops file in Windows directory
PID:2868

C:\Windows\TEMP\cxabv.exe
C:\Windows\TEMP\cxabv.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2044

C:\Windows\TEMP\cxabv.exe
C:\Windows\TEMP\cxabv.exe start
1⤵
- Executes dropped EXE
PID:3656

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\TEMP\cxabv.exe
MD5
e6d1e080cea89eab46ccd90418b62ec7

SHA1
96a973d29338f6b0a5cb89137079288be310f108

SHA256
e3f50eb014303e76554bc0b9fbdda2fce64189184dfc51e8416f082d571cce6c

SHA512
3e3ae4d9596026d6c8bc345f0756ec5e8c560e76df3b2b78bf1c7169197a89b9abb7211f22c3a438938fdebf32b469ffae970bbe686b60989d21dd22e3b744e2

Download Submit
C:\Windows\Tasks\wow64.job
MD5
963ca8e28fe89f7a3efdffe9deb7a3cc

SHA1
3c63067154c607208a7ea31ee332caf04d0cffd1

SHA256
000e1c00be63dde539079109330fb60e9475ad2c72c9062a322ad4ac9fcf4a5c

SHA512
03a2519dedd168f983c7e3dbbd79c5636f6d4a305a013c8d9f3edba9182ebfc75f12552fd89ee30a16b5ccbedb160defb830c0338d78d7d017deeceeeb03fbdc

Download Submit
C:\Windows\Temp\cxabv.exe
MD5
e6d1e080cea89eab46ccd90418b62ec7

SHA1
96a973d29338f6b0a5cb89137079288be310f108

SHA256
e3f50eb014303e76554bc0b9fbdda2fce64189184dfc51e8416f082d571cce6c

SHA512
3e3ae4d9596026d6c8bc345f0756ec5e8c560e76df3b2b78bf1c7169197a89b9abb7211f22c3a438938fdebf32b469ffae970bbe686b60989d21dd22e3b744e2

Download Submit
C:\Windows\Temp\cxabv.exe
MD5
e6d1e080cea89eab46ccd90418b62ec7

SHA1
96a973d29338f6b0a5cb89137079288be310f108

SHA256
e3f50eb014303e76554bc0b9fbdda2fce64189184dfc51e8416f082d571cce6c

SHA512
3e3ae4d9596026d6c8bc345f0756ec5e8c560e76df3b2b78bf1c7169197a89b9abb7211f22c3a438938fdebf32b469ffae970bbe686b60989d21dd22e3b744e2

Download Submit
memory/496-2-0x0000000000EB0000-0x0000000000EB1000-memory.dmp

Filesize
4KB

Download
memory/496-3-0x0000000000030000-0x0000000000035000-memory.dmp

Filesize
20KB

Download
memory/496-4-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/2044-10-0x0000000003070000-0x0000000003071000-memory.dmp

Filesize
4KB

Download
memory/2868-5-0x0000000000D60000-0x0000000000D61000-memory.dmp

Filesize
4KB

Download
memory/3656-15-0x0000000002F70000-0x0000000002F71000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing