systembc | f84a10e65b8b479c09668202550f40f3f7ccc5e3343e1a8ed6173e0873aefd11

General

Target

8f94de248d86fc855da27f403fca561f.exe
Size

317KB
MD5

8f94de248d86fc855da27f403fca561f
SHA1

0ebd03d681c58e8431c761f695e49682860137f5
SHA256

f84a10e65b8b479c09668202550f40f3f7ccc5e3343e1a8ed6173e0873aefd11
SHA512

ad36cb1926ba630cb4441d3539295aee2cff164731fb6cdc061a3802e69f7e446b76f1012b1c1f2d0334a98d229e7479243afa4a5dc02e166662b72b27ec43fd

Score

10^/10

systembc suricata trojan

Malware Config

Extracted

Family

systembc

C2

186.2.171.65:4001

Signatures

SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc
suricata: ET MALWARE Win32/SystemBC CnC Checkin
suricata: ET MALWARE Win32/SystemBC CnC Checkin
suricata
Downloads MZ/PE file
Executes dropped EXE 3 IoCs

Processes:

arewpa.exelbpcdfa.exejkgolp.exe

pid process

864 arewpa.exe
1340 lbpcdfa.exe
1192 jkgolp.exe

pid	process
864	arewpa.exe
1340	lbpcdfa.exe
1192	jkgolp.exe

Drops file in Windows directory 5 IoCs

Processes:

8f94de248d86fc855da27f403fca561f.exearewpa.exelbpcdfa.exe

description	ioc	process
File opened for modification	C:\Windows\Tasks\arewpa.job	8f94de248d86fc855da27f403fca561f.exe
File created	C:\Windows\Tasks\dsrkliatvisxkuqcnat.job	arewpa.exe
File created	C:\Windows\Tasks\jkgolp.job	lbpcdfa.exe
File opened for modification	C:\Windows\Tasks\jkgolp.job	lbpcdfa.exe
File created	C:\Windows\Tasks\arewpa.job	8f94de248d86fc855da27f403fca561f.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

8f94de248d86fc855da27f403fca561f.exelbpcdfa.exe

pid process

2768 8f94de248d86fc855da27f403fca561f.exe
2768 8f94de248d86fc855da27f403fca561f.exe
1340 lbpcdfa.exe
1340 lbpcdfa.exe

pid	process
2768	8f94de248d86fc855da27f403fca561f.exe
2768	8f94de248d86fc855da27f403fca561f.exe
1340	lbpcdfa.exe
1340	lbpcdfa.exe

C:\Users\Admin\AppData\Local\Temp\8f94de248d86fc855da27f403fca561f.exe
"C:\Users\Admin\AppData\Local\Temp\8f94de248d86fc855da27f403fca561f.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:2768

C:\ProgramData\fkligm\arewpa.exe
C:\ProgramData\fkligm\arewpa.exe start
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:864

C:\Windows\TEMP\lbpcdfa.exe
C:\Windows\TEMP\lbpcdfa.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:1340

C:\ProgramData\ateu\jkgolp.exe
C:\ProgramData\ateu\jkgolp.exe start
1⤵
- Executes dropped EXE
PID:1192

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\ateu\jkgolp.exe

MD5
8f94de248d86fc855da27f403fca561f

SHA1
0ebd03d681c58e8431c761f695e49682860137f5

SHA256
f84a10e65b8b479c09668202550f40f3f7ccc5e3343e1a8ed6173e0873aefd11

SHA512
ad36cb1926ba630cb4441d3539295aee2cff164731fb6cdc061a3802e69f7e446b76f1012b1c1f2d0334a98d229e7479243afa4a5dc02e166662b72b27ec43fd

Download Submit
C:\ProgramData\ateu\jkgolp.exe

MD5
8f94de248d86fc855da27f403fca561f

SHA1
0ebd03d681c58e8431c761f695e49682860137f5

SHA256
f84a10e65b8b479c09668202550f40f3f7ccc5e3343e1a8ed6173e0873aefd11

SHA512
ad36cb1926ba630cb4441d3539295aee2cff164731fb6cdc061a3802e69f7e446b76f1012b1c1f2d0334a98d229e7479243afa4a5dc02e166662b72b27ec43fd

Download Submit
C:\ProgramData\fkligm\arewpa.exe

MD5
8f94de248d86fc855da27f403fca561f

SHA1
0ebd03d681c58e8431c761f695e49682860137f5

SHA256
f84a10e65b8b479c09668202550f40f3f7ccc5e3343e1a8ed6173e0873aefd11

SHA512
ad36cb1926ba630cb4441d3539295aee2cff164731fb6cdc061a3802e69f7e446b76f1012b1c1f2d0334a98d229e7479243afa4a5dc02e166662b72b27ec43fd

Download Submit
C:\ProgramData\fkligm\arewpa.exe

MD5
8f94de248d86fc855da27f403fca561f

SHA1
0ebd03d681c58e8431c761f695e49682860137f5

SHA256
f84a10e65b8b479c09668202550f40f3f7ccc5e3343e1a8ed6173e0873aefd11

SHA512
ad36cb1926ba630cb4441d3539295aee2cff164731fb6cdc061a3802e69f7e446b76f1012b1c1f2d0334a98d229e7479243afa4a5dc02e166662b72b27ec43fd

Download Submit
C:\Windows\TEMP\lbpcdfa.exe

MD5
8f94de248d86fc855da27f403fca561f

SHA1
0ebd03d681c58e8431c761f695e49682860137f5

SHA256
f84a10e65b8b479c09668202550f40f3f7ccc5e3343e1a8ed6173e0873aefd11

SHA512
ad36cb1926ba630cb4441d3539295aee2cff164731fb6cdc061a3802e69f7e446b76f1012b1c1f2d0334a98d229e7479243afa4a5dc02e166662b72b27ec43fd

Download Submit
C:\Windows\Tasks\arewpa.job

MD5
b68f39eee06288913e2599ccdb0c61c8

SHA1
eb56bcdc25fc91be179aa9cc88e92f8c3fd9ec5b

SHA256
c761a004f6676177dd38e772cc94f09f8c4049aba07bebc5d88a4ad7e60d7b9d

SHA512
818af4b5acd17621835244611076545885dd747ecea291d3252d0de0c0a0403b93e67b445ef3e3fc062b318ed123b35d317df4f25a2b5729879b0eb2c857f43c

Download Submit
C:\Windows\Temp\lbpcdfa.exe

MD5
8f94de248d86fc855da27f403fca561f

SHA1
0ebd03d681c58e8431c761f695e49682860137f5

SHA256
f84a10e65b8b479c09668202550f40f3f7ccc5e3343e1a8ed6173e0873aefd11

SHA512
ad36cb1926ba630cb4441d3539295aee2cff164731fb6cdc061a3802e69f7e446b76f1012b1c1f2d0334a98d229e7479243afa4a5dc02e166662b72b27ec43fd

Download Submit
memory/864-120-0x0000000000460000-0x000000000050E000-memory.dmp

Filesize
696KB

Download
memory/864-121-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1192-129-0x0000000000460000-0x000000000050E000-memory.dmp

Filesize
696KB

Download
memory/1192-130-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1340-125-0x00000000004A0000-0x00000000004A9000-memory.dmp

Filesize
36KB

Download
memory/1340-126-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2768-115-0x0000000000030000-0x0000000000038000-memory.dmp

Filesize
32KB

Download
memory/2768-117-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2768-116-0x0000000000460000-0x00000000005AA000-memory.dmp

Filesize
1.3MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads