systembc | 1478aec44d67217a18fb2b88e9db45b9c15c468f2498f56f09a5d1fef4eafb66

Analysis

Target

1478aec44d67217a18fb2b88e9db45b9c15c468f2498f56f09a5d1fef4eafb66.exe
Size

51KB
MD5

914a8a27c511bacea375dbee8d88e165
SHA1

d017bdad365f3ecfda7a0c0936f6ed8c708c413c
SHA256

1478aec44d67217a18fb2b88e9db45b9c15c468f2498f56f09a5d1fef4eafb66
SHA512

884418991e70ed09aaa40381888cd3fbe9b739665d515aae055fab8b0bfd239f3a5d647887633ef58d6d1b36a3af3e2269c283d75fe32a68eb0e24d07310818a

Score

10^/10

systembc trojan

Family

systembc

141.255.166.149:4125

5.188.62.165:4125

SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc
Executes dropped EXE 1 IoCs

Processes:

vtqx.exe

pid process

1072 vtqx.exe

pid	process
1072	vtqx.exe

Drops file in Windows directory 2 IoCs

Processes:

1478aec44d67217a18fb2b88e9db45b9c15c468f2498f56f09a5d1fef4eafb66.exe

description	ioc	process
File created	C:\Windows\Tasks\vtqx.job	1478aec44d67217a18fb2b88e9db45b9c15c468f2498f56f09a5d1fef4eafb66.exe
File opened for modification	C:\Windows\Tasks\vtqx.job	1478aec44d67217a18fb2b88e9db45b9c15c468f2498f56f09a5d1fef4eafb66.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

1478aec44d67217a18fb2b88e9db45b9c15c468f2498f56f09a5d1fef4eafb66.exe

pid process

1692 1478aec44d67217a18fb2b88e9db45b9c15c468f2498f56f09a5d1fef4eafb66.exe

pid	process
1692	1478aec44d67217a18fb2b88e9db45b9c15c468f2498f56f09a5d1fef4eafb66.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

taskeng.exe

description	pid	process	target process
PID 664 wrote to memory of 1072	664	taskeng.exe	vtqx.exe
PID 664 wrote to memory of 1072	664	taskeng.exe	vtqx.exe
PID 664 wrote to memory of 1072	664	taskeng.exe	vtqx.exe
PID 664 wrote to memory of 1072	664	taskeng.exe	vtqx.exe

C:\Windows\system32\taskeng.exe
taskeng.exe {8A4B37B6-D5D7-42D8-8B3E-E06B096CD482} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:664

C:\ProgramData\hfbsc\vtqx.exe
C:\ProgramData\hfbsc\vtqx.exe start
2⤵
- Executes dropped EXE
PID:1072

C:\ProgramData\hfbsc\vtqx.exe
MD5
914a8a27c511bacea375dbee8d88e165

SHA1
d017bdad365f3ecfda7a0c0936f6ed8c708c413c

SHA256
1478aec44d67217a18fb2b88e9db45b9c15c468f2498f56f09a5d1fef4eafb66

SHA512
884418991e70ed09aaa40381888cd3fbe9b739665d515aae055fab8b0bfd239f3a5d647887633ef58d6d1b36a3af3e2269c283d75fe32a68eb0e24d07310818a

Download Submit
C:\ProgramData\hfbsc\vtqx.exe
MD5
914a8a27c511bacea375dbee8d88e165

SHA1
d017bdad365f3ecfda7a0c0936f6ed8c708c413c

SHA256
1478aec44d67217a18fb2b88e9db45b9c15c468f2498f56f09a5d1fef4eafb66

SHA512
884418991e70ed09aaa40381888cd3fbe9b739665d515aae055fab8b0bfd239f3a5d647887633ef58d6d1b36a3af3e2269c283d75fe32a68eb0e24d07310818a

Download Submit
memory/1692-54-0x00000000754B1000-0x00000000754B3000-memory.dmp

Filesize
8KB

Download
memory/1692-55-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1692-56-0x0000000000250000-0x000000000025A000-memory.dmp

Filesize
40KB

Download