systembc | 9ff5246727eb8baf06d825830b061df21a7e7b8ecf0f4f584da3b886643f84ed

General

Target

9ff5246727eb8baf06d825830b061df21a7e7b8ecf0f4f584da3b886643f84ed.exe
Size

95KB
MD5

60da44c3d55f57e19fbdc9b6e9219a0a
SHA1

ebe56f8ae1f7fc3e958925e0682fe4bc15bb19c9
SHA256

9ff5246727eb8baf06d825830b061df21a7e7b8ecf0f4f584da3b886643f84ed
SHA512

765c52f5eabb2012ef113f1b81a2656390fb1527124961a7a5e401550aac864a2074b0d64b34ebe5e912e70058b6a470e5bb499041bf8c775c4a04e16c419a3c

Score

10^/10

systembc trojan

Family

systembc

C2

31.44.184.201:4081

31.44.184.202:4081

SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc
Executes dropped EXE 2 IoCs

Processes:

irqw.exeirqw.exe

pid process

1468 irqw.exe
1140 irqw.exe

pid	process
1468	irqw.exe
1140	irqw.exe

Drops file in Windows directory 2 IoCs

Processes:

9ff5246727eb8baf06d825830b061df21a7e7b8ecf0f4f584da3b886643f84ed.exe

description	ioc	process
File created	C:\Windows\Tasks\irqw.job	9ff5246727eb8baf06d825830b061df21a7e7b8ecf0f4f584da3b886643f84ed.exe
File opened for modification	C:\Windows\Tasks\irqw.job	9ff5246727eb8baf06d825830b061df21a7e7b8ecf0f4f584da3b886643f84ed.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

9ff5246727eb8baf06d825830b061df21a7e7b8ecf0f4f584da3b886643f84ed.exe

pid process

1676 9ff5246727eb8baf06d825830b061df21a7e7b8ecf0f4f584da3b886643f84ed.exe

pid	process
1676	9ff5246727eb8baf06d825830b061df21a7e7b8ecf0f4f584da3b886643f84ed.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

taskeng.exe

description	pid	process	target process
PID 1188 wrote to memory of 1468	1188	taskeng.exe	irqw.exe
PID 1188 wrote to memory of 1468	1188	taskeng.exe	irqw.exe
PID 1188 wrote to memory of 1468	1188	taskeng.exe	irqw.exe
PID 1188 wrote to memory of 1468	1188	taskeng.exe	irqw.exe
PID 1188 wrote to memory of 1140	1188	taskeng.exe	irqw.exe
PID 1188 wrote to memory of 1140	1188	taskeng.exe	irqw.exe
PID 1188 wrote to memory of 1140	1188	taskeng.exe	irqw.exe
PID 1188 wrote to memory of 1140	1188	taskeng.exe	irqw.exe

C:\Windows\system32\taskeng.exe
taskeng.exe {EFCAE1B0-5408-41A2-A445-3BCEBECAD78B} S-1-5-21-2329389628-4064185017-3901522362-1000:QSKGHMYQ\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1188

C:\ProgramData\aubuku\irqw.exe
C:\ProgramData\aubuku\irqw.exe start2
2⤵
- Executes dropped EXE
PID:1468

C:\ProgramData\aubuku\irqw.exe
C:\ProgramData\aubuku\irqw.exe start2
2⤵
- Executes dropped EXE
PID:1140

C:\ProgramData\aubuku\irqw.exe
MD5
60da44c3d55f57e19fbdc9b6e9219a0a

SHA1
ebe56f8ae1f7fc3e958925e0682fe4bc15bb19c9

SHA256
9ff5246727eb8baf06d825830b061df21a7e7b8ecf0f4f584da3b886643f84ed

SHA512
765c52f5eabb2012ef113f1b81a2656390fb1527124961a7a5e401550aac864a2074b0d64b34ebe5e912e70058b6a470e5bb499041bf8c775c4a04e16c419a3c

Download Submit
C:\ProgramData\aubuku\irqw.exe
MD5
60da44c3d55f57e19fbdc9b6e9219a0a

SHA1
ebe56f8ae1f7fc3e958925e0682fe4bc15bb19c9

SHA256
9ff5246727eb8baf06d825830b061df21a7e7b8ecf0f4f584da3b886643f84ed

SHA512
765c52f5eabb2012ef113f1b81a2656390fb1527124961a7a5e401550aac864a2074b0d64b34ebe5e912e70058b6a470e5bb499041bf8c775c4a04e16c419a3c

Download Submit
C:\ProgramData\aubuku\irqw.exe
MD5
60da44c3d55f57e19fbdc9b6e9219a0a

SHA1
ebe56f8ae1f7fc3e958925e0682fe4bc15bb19c9

SHA256
9ff5246727eb8baf06d825830b061df21a7e7b8ecf0f4f584da3b886643f84ed

SHA512
765c52f5eabb2012ef113f1b81a2656390fb1527124961a7a5e401550aac864a2074b0d64b34ebe5e912e70058b6a470e5bb499041bf8c775c4a04e16c419a3c

Download Submit
memory/1140-63-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1676-55-0x0000000076141000-0x0000000076143000-memory.dmp

Filesize
8KB

Download
memory/1676-56-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/1676-57-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download