systembc | cb9fa8efff1e18846cac5f9f5700534dbb43d94beb5b4701e948d35669dde173

General

Target

cb9fa8efff1e18846cac5f9f5700534dbb43d94beb5b4701e948d35669dde173.exe
Size

232KB
MD5

f7205e928a07057d45dd80680d956abc
SHA1

429cebb14558371bbb1535743ff4b8c4c2401742
SHA256

cb9fa8efff1e18846cac5f9f5700534dbb43d94beb5b4701e948d35669dde173
SHA512

c3f544283e03adf758147d97ccad514582545ec76915a22a70a824ab8eab4c675f602e6f451c911f69c45715fac2de307b3236f6ebe0741dec305e8ebbe5fe4c

Score

10^/10

Family

systembc

C2

31.44.185.6:4001

31.44.185.11:4001

SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc
suricata: ET MALWARE Single char EXE direct download likely trojan (multiple families)
suricata: ET MALWARE Single char EXE direct download likely trojan (multiple families)
suricata
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata
suricata: ET MALWARE Win32/SystemBC CnC Checkin
suricata: ET MALWARE Win32/SystemBC CnC Checkin
suricata
Executes dropped EXE 1 IoCs

Processes:

qnqjuah.exe

pid process

3180 qnqjuah.exe

pid	process
3180	qnqjuah.exe

Drops file in Windows directory 2 IoCs

Processes:

cb9fa8efff1e18846cac5f9f5700534dbb43d94beb5b4701e948d35669dde173.exe

description	ioc	process
File created	C:\Windows\Tasks\qnqjuah.job	cb9fa8efff1e18846cac5f9f5700534dbb43d94beb5b4701e948d35669dde173.exe
File opened for modification	C:\Windows\Tasks\qnqjuah.job	cb9fa8efff1e18846cac5f9f5700534dbb43d94beb5b4701e948d35669dde173.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

644 3088 WerFault.exe cb9fa8efff1e18846cac5f9f5700534dbb43d94beb5b4701e948d35669dde173.exe

pid	pid_target	process	target process
644	3088	WerFault.exe	cb9fa8efff1e18846cac5f9f5700534dbb43d94beb5b4701e948d35669dde173.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

cb9fa8efff1e18846cac5f9f5700534dbb43d94beb5b4701e948d35669dde173.exe

pid	process
3088	cb9fa8efff1e18846cac5f9f5700534dbb43d94beb5b4701e948d35669dde173.exe
3088	cb9fa8efff1e18846cac5f9f5700534dbb43d94beb5b4701e948d35669dde173.exe

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3088 -s 556
2⤵
- Program crash
PID:644

C:\ProgramData\codnddd\qnqjuah.exe
C:\ProgramData\codnddd\qnqjuah.exe start
1⤵
- Executes dropped EXE
PID:3180

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3088 -ip 3088
1⤵
PID:1940

C:\ProgramData\codnddd\qnqjuah.exe
MD5
f7205e928a07057d45dd80680d956abc

SHA1
429cebb14558371bbb1535743ff4b8c4c2401742

SHA256
cb9fa8efff1e18846cac5f9f5700534dbb43d94beb5b4701e948d35669dde173

SHA512
c3f544283e03adf758147d97ccad514582545ec76915a22a70a824ab8eab4c675f602e6f451c911f69c45715fac2de307b3236f6ebe0741dec305e8ebbe5fe4c

Download Submit
C:\ProgramData\codnddd\qnqjuah.exe
MD5
f7205e928a07057d45dd80680d956abc

SHA1
429cebb14558371bbb1535743ff4b8c4c2401742

SHA256
cb9fa8efff1e18846cac5f9f5700534dbb43d94beb5b4701e948d35669dde173

SHA512
c3f544283e03adf758147d97ccad514582545ec76915a22a70a824ab8eab4c675f602e6f451c911f69c45715fac2de307b3236f6ebe0741dec305e8ebbe5fe4c

Download Submit
memory/3088-130-0x00000000007E9000-0x00000000007F2000-memory.dmp

Filesize
36KB

Download
memory/3088-132-0x00000000007C0000-0x00000000007C9000-memory.dmp

Filesize
36KB

Download
memory/3088-131-0x00000000007E9000-0x00000000007F2000-memory.dmp

Filesize
36KB

Download
memory/3088-133-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/3180-136-0x0000000000765000-0x000000000076E000-memory.dmp

Filesize
36KB

Download
memory/3180-137-0x0000000000765000-0x000000000076E000-memory.dmp

Filesize
36KB

Download
memory/3180-138-0x0000000000C20000-0x0000000000C29000-memory.dmp

Filesize
36KB

Download
memory/3180-139-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download