systembc | ba52ca97ab871363374b04bb6330e4bf7591fcd22b9e0db4a7deafec8f1421bf

General

Target

ba52ca97ab871363374b04bb6330e4bf7591fcd22b9e0db4a7deafec8f1421bf.exe
Size

232KB
MD5

874639d9c6051cb16a8d3de676d9fbe9
SHA1

479076ff8d4f5d188282c38bef533c244f79715d
SHA256

ba52ca97ab871363374b04bb6330e4bf7591fcd22b9e0db4a7deafec8f1421bf
SHA512

7db9256c707a3a6c92694c0afdee74c30044d5942203b402d3b28bb2dff3fc2f6d8b6df8ec94a2329695f633053fae90cb28bcf21432b0e6c547f5fac16706a3

Score

10^/10

systembc trojan

Malware Config

Extracted

Family

systembc

C2

31.44.185.6:4001

31.44.185.11:4001

Signatures

SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc
Downloads MZ/PE file
Executes dropped EXE 3 IoCs

Processes:

dattseq.exejtibsme.exexqstef.exe

pid process

3980 dattseq.exe
3828 jtibsme.exe
3732 xqstef.exe

pid	process
3980	dattseq.exe
3828	jtibsme.exe
3732	xqstef.exe

Drops file in Windows directory 5 IoCs

Processes:

jtibsme.exeba52ca97ab871363374b04bb6330e4bf7591fcd22b9e0db4a7deafec8f1421bf.exedattseq.exe

description	ioc	process
File opened for modification	C:\Windows\Tasks\xqstef.job	jtibsme.exe
File created	C:\Windows\Tasks\dattseq.job	ba52ca97ab871363374b04bb6330e4bf7591fcd22b9e0db4a7deafec8f1421bf.exe
File opened for modification	C:\Windows\Tasks\dattseq.job	ba52ca97ab871363374b04bb6330e4bf7591fcd22b9e0db4a7deafec8f1421bf.exe
File created	C:\Windows\Tasks\kwldumbrkdtleunfvog.job	dattseq.exe
File created	C:\Windows\Tasks\xqstef.job	jtibsme.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

ba52ca97ab871363374b04bb6330e4bf7591fcd22b9e0db4a7deafec8f1421bf.exejtibsme.exe

pid	process
416	ba52ca97ab871363374b04bb6330e4bf7591fcd22b9e0db4a7deafec8f1421bf.exe
416	ba52ca97ab871363374b04bb6330e4bf7591fcd22b9e0db4a7deafec8f1421bf.exe
3828	jtibsme.exe
3828	jtibsme.exe

C:\Users\Admin\AppData\Local\Temp\ba52ca97ab871363374b04bb6330e4bf7591fcd22b9e0db4a7deafec8f1421bf.exe
"C:\Users\Admin\AppData\Local\Temp\ba52ca97ab871363374b04bb6330e4bf7591fcd22b9e0db4a7deafec8f1421bf.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:416

C:\ProgramData\jdsvels\dattseq.exe
C:\ProgramData\jdsvels\dattseq.exe start
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:3980

C:\Windows\TEMP\jtibsme.exe
C:\Windows\TEMP\jtibsme.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:3828

C:\ProgramData\ffmapd\xqstef.exe
C:\ProgramData\ffmapd\xqstef.exe start
1⤵
- Executes dropped EXE
PID:3732

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\ffmapd\xqstef.exe
MD5
874639d9c6051cb16a8d3de676d9fbe9

SHA1
479076ff8d4f5d188282c38bef533c244f79715d

SHA256
ba52ca97ab871363374b04bb6330e4bf7591fcd22b9e0db4a7deafec8f1421bf

SHA512
7db9256c707a3a6c92694c0afdee74c30044d5942203b402d3b28bb2dff3fc2f6d8b6df8ec94a2329695f633053fae90cb28bcf21432b0e6c547f5fac16706a3

Download Submit
C:\ProgramData\ffmapd\xqstef.exe
MD5
874639d9c6051cb16a8d3de676d9fbe9

SHA1
479076ff8d4f5d188282c38bef533c244f79715d

SHA256
ba52ca97ab871363374b04bb6330e4bf7591fcd22b9e0db4a7deafec8f1421bf

SHA512
7db9256c707a3a6c92694c0afdee74c30044d5942203b402d3b28bb2dff3fc2f6d8b6df8ec94a2329695f633053fae90cb28bcf21432b0e6c547f5fac16706a3

Download Submit
C:\ProgramData\jdsvels\dattseq.exe
MD5
874639d9c6051cb16a8d3de676d9fbe9

SHA1
479076ff8d4f5d188282c38bef533c244f79715d

SHA256
ba52ca97ab871363374b04bb6330e4bf7591fcd22b9e0db4a7deafec8f1421bf

SHA512
7db9256c707a3a6c92694c0afdee74c30044d5942203b402d3b28bb2dff3fc2f6d8b6df8ec94a2329695f633053fae90cb28bcf21432b0e6c547f5fac16706a3

Download Submit
C:\ProgramData\jdsvels\dattseq.exe
MD5
874639d9c6051cb16a8d3de676d9fbe9

SHA1
479076ff8d4f5d188282c38bef533c244f79715d

SHA256
ba52ca97ab871363374b04bb6330e4bf7591fcd22b9e0db4a7deafec8f1421bf

SHA512
7db9256c707a3a6c92694c0afdee74c30044d5942203b402d3b28bb2dff3fc2f6d8b6df8ec94a2329695f633053fae90cb28bcf21432b0e6c547f5fac16706a3

Download Submit
C:\Windows\TEMP\jtibsme.exe
MD5
874639d9c6051cb16a8d3de676d9fbe9

SHA1
479076ff8d4f5d188282c38bef533c244f79715d

SHA256
ba52ca97ab871363374b04bb6330e4bf7591fcd22b9e0db4a7deafec8f1421bf

SHA512
7db9256c707a3a6c92694c0afdee74c30044d5942203b402d3b28bb2dff3fc2f6d8b6df8ec94a2329695f633053fae90cb28bcf21432b0e6c547f5fac16706a3

Download Submit
C:\Windows\Tasks\dattseq.job
MD5
1ca80e14a11205ea57c1a5743275411b

SHA1
d198679b18b07369e7ecf1097a56c09b47c8583b

SHA256
a3d74f84a0643f48a5ca19a6f2e47bec8b33905f8237e84b4b1bdb2bb444c239

SHA512
a8b82663dd5385553b2e24c68bea6693984c4dca0670c5251a94f349381580c4e1489672f85787546358e52a007552b94a19b05ff87e410f0738db006a3fe1ba

Download Submit
C:\Windows\Temp\jtibsme.exe
MD5
874639d9c6051cb16a8d3de676d9fbe9

SHA1
479076ff8d4f5d188282c38bef533c244f79715d

SHA256
ba52ca97ab871363374b04bb6330e4bf7591fcd22b9e0db4a7deafec8f1421bf

SHA512
7db9256c707a3a6c92694c0afdee74c30044d5942203b402d3b28bb2dff3fc2f6d8b6df8ec94a2329695f633053fae90cb28bcf21432b0e6c547f5fac16706a3

Download Submit
memory/416-115-0x000000000063D000-0x0000000000646000-memory.dmp

Filesize
36KB

Download
memory/416-114-0x000000000063D000-0x0000000000646000-memory.dmp

Filesize
36KB

Download
memory/416-117-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/416-116-0x00000000004C0000-0x00000000004C9000-memory.dmp

Filesize
36KB

Download
memory/3732-132-0x00000000006F7000-0x0000000000700000-memory.dmp

Filesize
36KB

Download
memory/3732-133-0x00000000006F7000-0x0000000000700000-memory.dmp

Filesize
36KB

Download
memory/3732-134-0x0000000000470000-0x00000000005BA000-memory.dmp

Filesize
1.3MB

Download
memory/3732-135-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/3828-127-0x0000000000729000-0x0000000000732000-memory.dmp

Filesize
36KB

Download
memory/3828-128-0x0000000000470000-0x00000000005BA000-memory.dmp

Filesize
1.3MB

Download
memory/3828-129-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/3828-125-0x0000000000729000-0x0000000000732000-memory.dmp

Filesize
36KB

Download
memory/3980-121-0x00000000004F0000-0x000000000063A000-memory.dmp

Filesize
1.3MB

Download
memory/3980-122-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download

Analysis

Sharing