systembc | 99b04df64082620a08803fd947499f4662f967420327b63c6438174ed473e915

General

Target

9c08ab412dd01579a2c5709cc2f8e806.exe
Size

886KB
MD5

9c08ab412dd01579a2c5709cc2f8e806
SHA1

c63ae1a3e96950d59bf542e80f4c24b14ac9a269
SHA256

99b04df64082620a08803fd947499f4662f967420327b63c6438174ed473e915
SHA512

82bbfcb947a14a69041e36e9c6c2b12b2340286b399f122fb30816ffc81c00c7b363bf7da054fa8fd807830f6b712e26d76070a86df4667e2448190e7f793209

Score

10^/10

systembc trojan

Malware Config

Extracted

Family

systembc

C2

88.198.147.80:4174

78.47.64.46:4174

Signatures

SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc
Downloads MZ/PE file
Executes dropped EXE 2 IoCs

Processes:

vaidc.exevaidc.exe

pid process

2264 vaidc.exe
2236 vaidc.exe
Deletes itself 1 IoCs

Processes:

vaidc.exe

pid process

2264 vaidc.exe

pid	process
2264	vaidc.exe
2236	vaidc.exe

pid	process
2264	vaidc.exe

Drops file in Windows directory 5 IoCs

Processes:

9c08ab412dd01579a2c5709cc2f8e806.exevaidc.exe9c08ab412dd01579a2c5709cc2f8e806.exe

description	ioc	process
File created	C:\Windows\Tasks\knhnasrlkedjuonhgax.job	9c08ab412dd01579a2c5709cc2f8e806.exe
File created	C:\Windows\Tasks\wow64.job	vaidc.exe
File opened for modification	C:\Windows\Tasks\wow64.job	vaidc.exe
File created	C:\Windows\Tasks\wow64.job	9c08ab412dd01579a2c5709cc2f8e806.exe
File opened for modification	C:\Windows\Tasks\wow64.job	9c08ab412dd01579a2c5709cc2f8e806.exe

C:\Users\Admin\AppData\Local\Temp\9c08ab412dd01579a2c5709cc2f8e806.exe
"C:\Users\Admin\AppData\Local\Temp\9c08ab412dd01579a2c5709cc2f8e806.exe"
1⤵
- Drops file in Windows directory
PID:3180

C:\Users\Admin\AppData\Local\Temp\9c08ab412dd01579a2c5709cc2f8e806.exe
C:\Users\Admin\AppData\Local\Temp\9c08ab412dd01579a2c5709cc2f8e806.exe start
1⤵
- Drops file in Windows directory
PID:2052

C:\Windows\TEMP\vaidc.exe
C:\Windows\TEMP\vaidc.exe
1⤵
- Executes dropped EXE
- Deletes itself
- Drops file in Windows directory
PID:2264

C:\Windows\TEMP\vaidc.exe
C:\Windows\TEMP\vaidc.exe start
1⤵
- Executes dropped EXE
PID:2236

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\TEMP\vaidc.exe
MD5
5fc8b735442c0761d95300c3ab2cd3f1

SHA1
0c68b66cd251825596f6a9dbcd9cd664401012c8

SHA256
36373b5af4c8b64bff18ae7d2079da5b3cfb6371def687327d9487adb0de345d

SHA512
a49c999e918a1a68ef64bb4ea3d57c4be1a3e1a35ebb4fb603291dc78b45a408202bd40d95b0adb382ae82fffb30d5ce7ffec11db4b108199d62c77d3b6fe797

Download Submit
C:\Windows\Tasks\wow64.job
MD5
a75330bc220e8b55be523c36dc7f16eb

SHA1
0a01e4d9924b5c71835ad1842643b72c48bc866e

SHA256
60f14b89660cc5fef079b68be4cf0219cd40197927d918ce8bc81a73be3287bc

SHA512
0253547eb8eeeceb9c605a9642d15887aefc23d1527ad03cd2d341b1a162784d7be7e5c098f099de165e0009bc0d9b0086de960a0abe65aa4201e5493419b8d9

Download Submit
C:\Windows\Temp\vaidc.exe
MD5
5fc8b735442c0761d95300c3ab2cd3f1

SHA1
0c68b66cd251825596f6a9dbcd9cd664401012c8

SHA256
36373b5af4c8b64bff18ae7d2079da5b3cfb6371def687327d9487adb0de345d

SHA512
a49c999e918a1a68ef64bb4ea3d57c4be1a3e1a35ebb4fb603291dc78b45a408202bd40d95b0adb382ae82fffb30d5ce7ffec11db4b108199d62c77d3b6fe797

Download Submit
C:\Windows\Temp\vaidc.exe
MD5
5fc8b735442c0761d95300c3ab2cd3f1

SHA1
0c68b66cd251825596f6a9dbcd9cd664401012c8

SHA256
36373b5af4c8b64bff18ae7d2079da5b3cfb6371def687327d9487adb0de345d

SHA512
a49c999e918a1a68ef64bb4ea3d57c4be1a3e1a35ebb4fb603291dc78b45a408202bd40d95b0adb382ae82fffb30d5ce7ffec11db4b108199d62c77d3b6fe797

Download Submit
memory/2052-117-0x00000000001D0000-0x00000000001F3000-memory.dmp

Filesize
140KB

Download
memory/2052-119-0x0000000000400000-0x00000000004E2000-memory.dmp

Filesize
904KB

Download
memory/2236-127-0x00000000001D0000-0x00000000001F3000-memory.dmp

Filesize
140KB

Download
memory/2236-129-0x0000000000400000-0x00000000004E2000-memory.dmp

Filesize
904KB

Download
memory/2264-122-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/2264-125-0x0000000000400000-0x00000000004E2000-memory.dmp

Filesize
904KB

Download
memory/3180-114-0x00000000006A0000-0x00000000006A1000-memory.dmp

Filesize
4KB

Download
memory/3180-116-0x0000000000400000-0x00000000004E2000-memory.dmp

Filesize
904KB

Download
memory/3180-115-0x00000000006D0000-0x00000000006D5000-memory.dmp

Filesize
20KB

Download

Analysis

Sharing