systembc | ecdcff5459c84b727f0e89ecf20e4173c13cf45da842a5a3f89eef97b469f6d8

General

Target

25e6923418ede3293afad2e318e302f1249323c56cbfed23c9586a7e7c1996fb.exe
Size

148KB
MD5

a6bb96f7c9972db7d27a415742d57a88
SHA1

d8e3c322e66d714db5a947ea0804f112f7971734
SHA256

25e6923418ede3293afad2e318e302f1249323c56cbfed23c9586a7e7c1996fb
SHA512

e40fcf73f5ff1e86214d369dcd5ebc1735dba9ac5ea95a0b357fc8935061274858e9f6fd9dbf1dc9b2224424c4eebd6c79d81551ddbc78bb96371c0c903aa3ca

Score

10^/10

systembc trojan

Malware Config

Extracted

Family

systembc

C2

mxblogs19.xyz:4044

sdadvert20.xyz:4044

Signatures

SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc
Executes dropped EXE 1 IoCs

Processes:

ooifrs.exe

pid process

2476 ooifrs.exe
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

16 api.ipify.org
17 api.ipify.org
Uses Tor communications 1 TTPs
Malware can proxy its traffic through Tor for more anonymity.

Connection Proxy
T1090

pid	process
2476	ooifrs.exe

flow	ioc
16	api.ipify.org
17	api.ipify.org

Drops file in Windows directory 2 IoCs

Processes:

25e6923418ede3293afad2e318e302f1249323c56cbfed23c9586a7e7c1996fb.exe

description	ioc	process
File created	C:\Windows\Tasks\ooifrs.job	25e6923418ede3293afad2e318e302f1249323c56cbfed23c9586a7e7c1996fb.exe
File opened for modification	C:\Windows\Tasks\ooifrs.job	25e6923418ede3293afad2e318e302f1249323c56cbfed23c9586a7e7c1996fb.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

25e6923418ede3293afad2e318e302f1249323c56cbfed23c9586a7e7c1996fb.exe

pid	process
2568	25e6923418ede3293afad2e318e302f1249323c56cbfed23c9586a7e7c1996fb.exe
2568	25e6923418ede3293afad2e318e302f1249323c56cbfed23c9586a7e7c1996fb.exe

C:\Users\Admin\AppData\Local\Temp\25e6923418ede3293afad2e318e302f1249323c56cbfed23c9586a7e7c1996fb.exe
"C:\Users\Admin\AppData\Local\Temp\25e6923418ede3293afad2e318e302f1249323c56cbfed23c9586a7e7c1996fb.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:2568

C:\ProgramData\qdcxw\ooifrs.exe
C:\ProgramData\qdcxw\ooifrs.exe start
1⤵
- Executes dropped EXE
PID:2476

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Connection Proxy

1

T1090

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Connection Proxy

1

T1090

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\qdcxw\ooifrs.exe

MD5
a6bb96f7c9972db7d27a415742d57a88

SHA1
d8e3c322e66d714db5a947ea0804f112f7971734

SHA256
25e6923418ede3293afad2e318e302f1249323c56cbfed23c9586a7e7c1996fb

SHA512
e40fcf73f5ff1e86214d369dcd5ebc1735dba9ac5ea95a0b357fc8935061274858e9f6fd9dbf1dc9b2224424c4eebd6c79d81551ddbc78bb96371c0c903aa3ca

Download Submit
C:\ProgramData\qdcxw\ooifrs.exe

MD5
a6bb96f7c9972db7d27a415742d57a88

SHA1
d8e3c322e66d714db5a947ea0804f112f7971734

SHA256
25e6923418ede3293afad2e318e302f1249323c56cbfed23c9586a7e7c1996fb

SHA512
e40fcf73f5ff1e86214d369dcd5ebc1735dba9ac5ea95a0b357fc8935061274858e9f6fd9dbf1dc9b2224424c4eebd6c79d81551ddbc78bb96371c0c903aa3ca

Download Submit
memory/2476-123-0x00000000035AD000-0x00000000035B4000-memory.dmp

Filesize
28KB

Download
memory/2476-124-0x0000000000400000-0x0000000003269000-memory.dmp

Filesize
46.4MB

Download
memory/2568-118-0x0000000003503000-0x0000000003509000-memory.dmp

Filesize
24KB

Download
memory/2568-119-0x0000000000030000-0x0000000000039000-memory.dmp

Filesize
36KB

Download
memory/2568-120-0x0000000000400000-0x0000000003269000-memory.dmp

Filesize
46.4MB

Download

Analysis

Sharing