systembc | 12fb1d0ec7c8d790cbb49d2e4ece2a59c4d46a31d4c740c94e994d342f2445ac

Analysis

Target

socks-null.exe
Size

29KB
MD5

d474d6c26cfcb09d74b1d499ef410786
SHA1

4dbf718297e3dc14d0ed4e615b2b6d7f7884bb58
SHA256

12fb1d0ec7c8d790cbb49d2e4ece2a59c4d46a31d4c740c94e994d342f2445ac
SHA512

d357e3e29a4e81475a6537b352ea0fe5ad6f76457b610bcae5204dcd263cb7f02691cbc6b56ab8218569ec0061e0a80b0b5836a16cb5d2a5d05fca0935bcc2e5

Score

10^/10

systembc trojan

SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc
Executes dropped EXE 1 IoCs

Processes:

xlfki.exe

pid process

496 xlfki.exe
Drops file in Windows directory 2 IoCs

Processes:

socks-null.exe

description ioc process

File opened for modification C:\Windows\Tasks\xlfki.job socks-null.exe
File created C:\Windows\Tasks\xlfki.job socks-null.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

socks-null.exe

pid process

808 socks-null.exe
808 socks-null.exe

pid	process
496	xlfki.exe

description	ioc	process
File opened for modification	C:\Windows\Tasks\xlfki.job	socks-null.exe
File created	C:\Windows\Tasks\xlfki.job	socks-null.exe

pid	process
808	socks-null.exe
808	socks-null.exe

C:\ProgramData\bbao\xlfki.exe
C:\ProgramData\bbao\xlfki.exe start
1⤵
- Executes dropped EXE
PID:496

C:\ProgramData\bbao\xlfki.exe
MD5
d474d6c26cfcb09d74b1d499ef410786

SHA1
4dbf718297e3dc14d0ed4e615b2b6d7f7884bb58

SHA256
12fb1d0ec7c8d790cbb49d2e4ece2a59c4d46a31d4c740c94e994d342f2445ac

SHA512
d357e3e29a4e81475a6537b352ea0fe5ad6f76457b610bcae5204dcd263cb7f02691cbc6b56ab8218569ec0061e0a80b0b5836a16cb5d2a5d05fca0935bcc2e5

Download Submit
C:\ProgramData\bbao\xlfki.exe
MD5
d474d6c26cfcb09d74b1d499ef410786

SHA1
4dbf718297e3dc14d0ed4e615b2b6d7f7884bb58

SHA256
12fb1d0ec7c8d790cbb49d2e4ece2a59c4d46a31d4c740c94e994d342f2445ac

SHA512
d357e3e29a4e81475a6537b352ea0fe5ad6f76457b610bcae5204dcd263cb7f02691cbc6b56ab8218569ec0061e0a80b0b5836a16cb5d2a5d05fca0935bcc2e5

Download Submit