systembc | ba520856ae086161d5125754b5d052f1ecdcb71f628691e4d957111f2adc8cfa

General

Target

ba520856ae086161d5125754b5d052f1ecdcb71f628691e4d957111f2adc8cfa.exe
Size

232KB
MD5

ac6bf90306045544b1a7ff716e8b8e3c
SHA1

65f56045aae93ab3c0e60d9f57fb8d2ca4e51476
SHA256

ba520856ae086161d5125754b5d052f1ecdcb71f628691e4d957111f2adc8cfa
SHA512

2d19d20e7f7e710cdc749caa89860e12e1fe48c53b3e04d102be6741c0c8de19db3581516c2c6cb192ba72817b6f680c6072dc1d29ea61b22dc8522306e80ba5

Score

10^/10

systembc suricata trojan

Malware Config

Extracted

Family

systembc

C2

31.44.185.6:4001

31.44.185.11:4001

Signatures

SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc
suricata: ET MALWARE Single char EXE direct download likely trojan (multiple families)
suricata: ET MALWARE Single char EXE direct download likely trojan (multiple families)
suricata
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata
suricata: ET MALWARE Win32/SystemBC CnC Checkin
suricata: ET MALWARE Win32/SystemBC CnC Checkin
suricata
Downloads MZ/PE file
Executes dropped EXE 3 IoCs

Processes:

jlqb.exeeofaq.exextef.exe

pid process

4188 jlqb.exe
3332 eofaq.exe
2292 xtef.exe

pid	process
4188	jlqb.exe
3332	eofaq.exe
2292	xtef.exe

Drops file in Windows directory 5 IoCs

Processes:

ba520856ae086161d5125754b5d052f1ecdcb71f628691e4d957111f2adc8cfa.exejlqb.exeeofaq.exe

description	ioc	process
File created	C:\Windows\Tasks\jlqb.job	ba520856ae086161d5125754b5d052f1ecdcb71f628691e4d957111f2adc8cfa.exe
File opened for modification	C:\Windows\Tasks\jlqb.job	ba520856ae086161d5125754b5d052f1ecdcb71f628691e4d957111f2adc8cfa.exe
File created	C:\Windows\Tasks\urfsrlodgtwlkdgtwlo.job	jlqb.exe
File created	C:\Windows\Tasks\xtef.job	eofaq.exe
File opened for modification	C:\Windows\Tasks\xtef.job	eofaq.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3084 3056 WerFault.exe ba520856ae086161d5125754b5d052f1ecdcb71f628691e4d957111f2adc8cfa.exe

pid	pid_target	process	target process
3084	3056	WerFault.exe	ba520856ae086161d5125754b5d052f1ecdcb71f628691e4d957111f2adc8cfa.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

ba520856ae086161d5125754b5d052f1ecdcb71f628691e4d957111f2adc8cfa.exeeofaq.exe

pid	process
3056	ba520856ae086161d5125754b5d052f1ecdcb71f628691e4d957111f2adc8cfa.exe
3056	ba520856ae086161d5125754b5d052f1ecdcb71f628691e4d957111f2adc8cfa.exe
3332	eofaq.exe
3332	eofaq.exe

C:\Users\Admin\AppData\Local\Temp\ba520856ae086161d5125754b5d052f1ecdcb71f628691e4d957111f2adc8cfa.exe
"C:\Users\Admin\AppData\Local\Temp\ba520856ae086161d5125754b5d052f1ecdcb71f628691e4d957111f2adc8cfa.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:3056

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3056 -s 484
2⤵
- Program crash
PID:3084

C:\ProgramData\mgbmam\jlqb.exe
C:\ProgramData\mgbmam\jlqb.exe start
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:4188

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 3056 -ip 3056
1⤵
PID:2692

C:\Windows\TEMP\eofaq.exe
C:\Windows\TEMP\eofaq.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:3332

C:\ProgramData\onebrt\xtef.exe
C:\ProgramData\onebrt\xtef.exe start
1⤵
- Executes dropped EXE
PID:2292

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\mgbmam\jlqb.exe
MD5
ac6bf90306045544b1a7ff716e8b8e3c

SHA1
65f56045aae93ab3c0e60d9f57fb8d2ca4e51476

SHA256
ba520856ae086161d5125754b5d052f1ecdcb71f628691e4d957111f2adc8cfa

SHA512
2d19d20e7f7e710cdc749caa89860e12e1fe48c53b3e04d102be6741c0c8de19db3581516c2c6cb192ba72817b6f680c6072dc1d29ea61b22dc8522306e80ba5

Download Submit
C:\ProgramData\mgbmam\jlqb.exe
MD5
ac6bf90306045544b1a7ff716e8b8e3c

SHA1
65f56045aae93ab3c0e60d9f57fb8d2ca4e51476

SHA256
ba520856ae086161d5125754b5d052f1ecdcb71f628691e4d957111f2adc8cfa

SHA512
2d19d20e7f7e710cdc749caa89860e12e1fe48c53b3e04d102be6741c0c8de19db3581516c2c6cb192ba72817b6f680c6072dc1d29ea61b22dc8522306e80ba5

Download Submit
C:\ProgramData\onebrt\xtef.exe
MD5
ac6bf90306045544b1a7ff716e8b8e3c

SHA1
65f56045aae93ab3c0e60d9f57fb8d2ca4e51476

SHA256
ba520856ae086161d5125754b5d052f1ecdcb71f628691e4d957111f2adc8cfa

SHA512
2d19d20e7f7e710cdc749caa89860e12e1fe48c53b3e04d102be6741c0c8de19db3581516c2c6cb192ba72817b6f680c6072dc1d29ea61b22dc8522306e80ba5

Download Submit
C:\ProgramData\onebrt\xtef.exe
MD5
ac6bf90306045544b1a7ff716e8b8e3c

SHA1
65f56045aae93ab3c0e60d9f57fb8d2ca4e51476

SHA256
ba520856ae086161d5125754b5d052f1ecdcb71f628691e4d957111f2adc8cfa

SHA512
2d19d20e7f7e710cdc749caa89860e12e1fe48c53b3e04d102be6741c0c8de19db3581516c2c6cb192ba72817b6f680c6072dc1d29ea61b22dc8522306e80ba5

Download Submit
C:\Windows\TEMP\eofaq.exe
MD5
ac6bf90306045544b1a7ff716e8b8e3c

SHA1
65f56045aae93ab3c0e60d9f57fb8d2ca4e51476

SHA256
ba520856ae086161d5125754b5d052f1ecdcb71f628691e4d957111f2adc8cfa

SHA512
2d19d20e7f7e710cdc749caa89860e12e1fe48c53b3e04d102be6741c0c8de19db3581516c2c6cb192ba72817b6f680c6072dc1d29ea61b22dc8522306e80ba5

Download Submit
C:\Windows\Tasks\jlqb.job
MD5
8b1621e9d718b6c968e27889dc123c30

SHA1
4820bbf38cb99534e61abd4aef890c83b8c7bcfa

SHA256
44f3026bc964f4687b55fdc8280a986ac06d7569fd058d1e22ef7c1d84e9ec47

SHA512
95fc416d0332456a42b37d0efeb75e35dc5f092e585ac31451722be8704947ea1b12e05dc38d717843824fc15f9fb15bee8967e39d54448421a941785416d5a7

Download Submit
C:\Windows\Temp\eofaq.exe
MD5
ac6bf90306045544b1a7ff716e8b8e3c

SHA1
65f56045aae93ab3c0e60d9f57fb8d2ca4e51476

SHA256
ba520856ae086161d5125754b5d052f1ecdcb71f628691e4d957111f2adc8cfa

SHA512
2d19d20e7f7e710cdc749caa89860e12e1fe48c53b3e04d102be6741c0c8de19db3581516c2c6cb192ba72817b6f680c6072dc1d29ea61b22dc8522306e80ba5

Download Submit
memory/2292-149-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2292-148-0x0000000000495000-0x000000000049E000-memory.dmp

Filesize
36KB

Download
memory/2292-147-0x0000000000495000-0x000000000049E000-memory.dmp

Filesize
36KB

Download
memory/3056-130-0x0000000000509000-0x0000000000512000-memory.dmp

Filesize
36KB

Download
memory/3056-132-0x0000000000620000-0x0000000000629000-memory.dmp

Filesize
36KB

Download
memory/3056-131-0x0000000000509000-0x0000000000512000-memory.dmp

Filesize
36KB

Download
memory/3056-133-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/3332-141-0x0000000000675000-0x000000000067E000-memory.dmp

Filesize
36KB

Download
memory/3332-144-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/3332-143-0x0000000000675000-0x000000000067E000-memory.dmp

Filesize
36KB

Download
memory/4188-138-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/4188-137-0x0000000000715000-0x000000000071E000-memory.dmp

Filesize
36KB

Download
memory/4188-136-0x0000000000715000-0x000000000071E000-memory.dmp

Filesize
36KB

Download

Analysis

Sharing