systembc | f29484e8e60d1104bb60a504279909f7d4c5a68d77d794dcaed4758d95989a99

Analysis

Target

f29484e8e60d1104bb60a504279909f7d4c5a68d77d794dcaed4758d95989a99.exe
Size

108KB
MD5

548bee2bd83ff511d62db68fcfc554d7
SHA1

03186cad78ac23cf144ccdf5d28690f53f96eb91
SHA256

f29484e8e60d1104bb60a504279909f7d4c5a68d77d794dcaed4758d95989a99
SHA512

474b9ee971d8fb5b7c43e003220dff88fafe1f5684d34c9d4948d6a3c2b619cec9bf1a6c6f4ca69b446af7a28a14265d4443f2ba74c6b3756c7915d3ea9f3568

Score

10^/10

systembc trojan

Family

systembc

139.60.161.58:4125

192.155.111.215:4125

SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc
Executes dropped EXE 1 IoCs

Processes:

qsqate.exe

pid process

1240 qsqate.exe

pid	process
1240	qsqate.exe

Drops file in Windows directory 2 IoCs

Processes:

f29484e8e60d1104bb60a504279909f7d4c5a68d77d794dcaed4758d95989a99.exe

description	ioc	process
File created	C:\Windows\Tasks\qsqate.job	f29484e8e60d1104bb60a504279909f7d4c5a68d77d794dcaed4758d95989a99.exe
File opened for modification	C:\Windows\Tasks\qsqate.job	f29484e8e60d1104bb60a504279909f7d4c5a68d77d794dcaed4758d95989a99.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

f29484e8e60d1104bb60a504279909f7d4c5a68d77d794dcaed4758d95989a99.exe

pid process

1688 f29484e8e60d1104bb60a504279909f7d4c5a68d77d794dcaed4758d95989a99.exe

pid	process
1688	f29484e8e60d1104bb60a504279909f7d4c5a68d77d794dcaed4758d95989a99.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

taskeng.exe

description	pid	process	target process
PID 696 wrote to memory of 1240	696	taskeng.exe	qsqate.exe
PID 696 wrote to memory of 1240	696	taskeng.exe	qsqate.exe
PID 696 wrote to memory of 1240	696	taskeng.exe	qsqate.exe
PID 696 wrote to memory of 1240	696	taskeng.exe	qsqate.exe

C:\Windows\system32\taskeng.exe
taskeng.exe {A4D98FD0-9FD1-47CF-94AC-378DD9E45A59} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:696

C:\ProgramData\qubbglr\qsqate.exe
C:\ProgramData\qubbglr\qsqate.exe start
2⤵
- Executes dropped EXE
PID:1240

C:\ProgramData\qubbglr\qsqate.exe
MD5
548bee2bd83ff511d62db68fcfc554d7

SHA1
03186cad78ac23cf144ccdf5d28690f53f96eb91

SHA256
f29484e8e60d1104bb60a504279909f7d4c5a68d77d794dcaed4758d95989a99

SHA512
474b9ee971d8fb5b7c43e003220dff88fafe1f5684d34c9d4948d6a3c2b619cec9bf1a6c6f4ca69b446af7a28a14265d4443f2ba74c6b3756c7915d3ea9f3568

Download Submit
C:\ProgramData\qubbglr\qsqate.exe
MD5
548bee2bd83ff511d62db68fcfc554d7

SHA1
03186cad78ac23cf144ccdf5d28690f53f96eb91

SHA256
f29484e8e60d1104bb60a504279909f7d4c5a68d77d794dcaed4758d95989a99

SHA512
474b9ee971d8fb5b7c43e003220dff88fafe1f5684d34c9d4948d6a3c2b619cec9bf1a6c6f4ca69b446af7a28a14265d4443f2ba74c6b3756c7915d3ea9f3568

Download Submit
memory/1240-60-0x0000000000270000-0x000000000027A000-memory.dmp

Filesize
40KB

Download
memory/1688-54-0x0000000075AB1000-0x0000000075AB3000-memory.dmp

Filesize
8KB

Download
memory/1688-55-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1688-56-0x0000000000260000-0x000000000026A000-memory.dmp

Filesize
40KB

Download