systembc | 32e51accf5a30da12e43b3c7f83867577fcd6fb363d7773a743ab1bbb9653d06

General

Target

32e51accf5a30da12e43b3c7f83867577fcd6fb363d7773a743ab1bbb9653d06.exe
Size

423KB
MD5

ab52b38a4f5393e5bf919b75c0abdbdf
SHA1

1fe162d6461405f7bd2c8def91e547cf85b28638
SHA256

32e51accf5a30da12e43b3c7f83867577fcd6fb363d7773a743ab1bbb9653d06
SHA512

c7cbf5bbba6c6b4e5069ea0f5b6343e771cfd86f6a1295d7b9b653465f3068ac0a5c9492a89f38ac81db92879642dbab8943507a72438223690bacb291d8cdbc

Score

10^/10

systembc dave trojan

Malware Config

Extracted

Family

systembc

C2

88.119.174.113:443

Signatures

SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc

Dave packer 1 IoCs

Detects executable using a packer named 'Dave' by the community, based on a string at the end.

dave

Processes:

resource	yara_rule
behavioral1/memory/1680-60-0x0000000000240000-0x000000000024B000-memory.dmp	dave

Executes dropped EXE 1 IoCs

Processes:

dqtuh.exe

pid process

924 dqtuh.exe

pid	process
924	dqtuh.exe

Drops file in Windows directory 2 IoCs

Processes:

32e51accf5a30da12e43b3c7f83867577fcd6fb363d7773a743ab1bbb9653d06.exe

description	ioc	process
File created	C:\Windows\Tasks\dqtuh.job	32e51accf5a30da12e43b3c7f83867577fcd6fb363d7773a743ab1bbb9653d06.exe
File opened for modification	C:\Windows\Tasks\dqtuh.job	32e51accf5a30da12e43b3c7f83867577fcd6fb363d7773a743ab1bbb9653d06.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

32e51accf5a30da12e43b3c7f83867577fcd6fb363d7773a743ab1bbb9653d06.exe

pid process

1680 32e51accf5a30da12e43b3c7f83867577fcd6fb363d7773a743ab1bbb9653d06.exe

pid	process
1680	32e51accf5a30da12e43b3c7f83867577fcd6fb363d7773a743ab1bbb9653d06.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

taskeng.exe

description	pid	process	target process
PID 1368 wrote to memory of 924	1368	taskeng.exe	dqtuh.exe
PID 1368 wrote to memory of 924	1368	taskeng.exe	dqtuh.exe
PID 1368 wrote to memory of 924	1368	taskeng.exe	dqtuh.exe
PID 1368 wrote to memory of 924	1368	taskeng.exe	dqtuh.exe

C:\Users\Admin\AppData\Local\Temp\32e51accf5a30da12e43b3c7f83867577fcd6fb363d7773a743ab1bbb9653d06.exe
"C:\Users\Admin\AppData\Local\Temp\32e51accf5a30da12e43b3c7f83867577fcd6fb363d7773a743ab1bbb9653d06.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:1680

C:\Windows\system32\taskeng.exe
taskeng.exe {5A81067A-4184-45E0-A961-66EBEC18B451} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:1368

C:\ProgramData\hjradlt\dqtuh.exe
C:\ProgramData\hjradlt\dqtuh.exe start
2⤵
- Executes dropped EXE
PID:924

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\hjradlt\dqtuh.exe
MD5
ab52b38a4f5393e5bf919b75c0abdbdf

SHA1
1fe162d6461405f7bd2c8def91e547cf85b28638

SHA256
32e51accf5a30da12e43b3c7f83867577fcd6fb363d7773a743ab1bbb9653d06

SHA512
c7cbf5bbba6c6b4e5069ea0f5b6343e771cfd86f6a1295d7b9b653465f3068ac0a5c9492a89f38ac81db92879642dbab8943507a72438223690bacb291d8cdbc

Download Submit
C:\ProgramData\hjradlt\dqtuh.exe
MD5
ab52b38a4f5393e5bf919b75c0abdbdf

SHA1
1fe162d6461405f7bd2c8def91e547cf85b28638

SHA256
32e51accf5a30da12e43b3c7f83867577fcd6fb363d7773a743ab1bbb9653d06

SHA512
c7cbf5bbba6c6b4e5069ea0f5b6343e771cfd86f6a1295d7b9b653465f3068ac0a5c9492a89f38ac81db92879642dbab8943507a72438223690bacb291d8cdbc

Download Submit
memory/924-64-0x00000000001F0000-0x00000000001FE000-memory.dmp

Filesize
56KB

Download
memory/924-67-0x00000000003C0000-0x00000000003CB000-memory.dmp

Filesize
44KB

Download
memory/1680-54-0x0000000000290000-0x000000000029E000-memory.dmp

Filesize
56KB

Download
memory/1680-57-0x0000000076421000-0x0000000076423000-memory.dmp

Filesize
8KB

Download
memory/1680-58-0x0000000000320000-0x000000000032B000-memory.dmp

Filesize
44KB

Download
memory/1680-60-0x0000000000240000-0x000000000024B000-memory.dmp

Filesize
44KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads