systembc | f19acc5921ede6163dd6394d2d749aa3c73176e731c23605648a3d76f12f6e55

General

Target

f19acc5921ede6163dd6394d2d749aa3c73176e731c23605648a3d76f12f6e55.exe
Size

232KB
MD5

2c8563b5b272972a73a03ec077fc7b81
SHA1

a2e6faa70c701789c3413dff7ba6456f03a7ec1a
SHA256

f19acc5921ede6163dd6394d2d749aa3c73176e731c23605648a3d76f12f6e55
SHA512

33546ef3c4d63722bf954c24fc4fd5aa0f7cf408736dd03df43b4a8629f8a68e5058d2cb3921e6426fa96997a3be96097520cf37842fb34bb0bffb0f0ed044d2

Score

10^/10

systembc suricata trojan

Malware Config

Extracted

Family

systembc

C2

31.44.185.6:4001

31.44.185.11:4001

Signatures

SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc
suricata: ET MALWARE Single char EXE direct download likely trojan (multiple families)
suricata: ET MALWARE Single char EXE direct download likely trojan (multiple families)
suricata
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata
suricata: ET MALWARE Win32/SystemBC CnC Checkin
suricata: ET MALWARE Win32/SystemBC CnC Checkin
suricata
Downloads MZ/PE file
Executes dropped EXE 3 IoCs

Processes:

kofo.exepmef.exeosrd.exe

pid process

2660 kofo.exe
3512 pmef.exe
860 osrd.exe

pid	process
2660	kofo.exe
3512	pmef.exe
860	osrd.exe

Drops file in Windows directory 5 IoCs

Processes:

f19acc5921ede6163dd6394d2d749aa3c73176e731c23605648a3d76f12f6e55.exekofo.exepmef.exe

description	ioc	process
File opened for modification	C:\Windows\Tasks\kofo.job	f19acc5921ede6163dd6394d2d749aa3c73176e731c23605648a3d76f12f6e55.exe
File created	C:\Windows\Tasks\wqbfdvtusomhdbuqoje.job	kofo.exe
File created	C:\Windows\Tasks\osrd.job	pmef.exe
File opened for modification	C:\Windows\Tasks\osrd.job	pmef.exe
File created	C:\Windows\Tasks\kofo.job	f19acc5921ede6163dd6394d2d749aa3c73176e731c23605648a3d76f12f6e55.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

f19acc5921ede6163dd6394d2d749aa3c73176e731c23605648a3d76f12f6e55.exepmef.exe

pid	process
4016	f19acc5921ede6163dd6394d2d749aa3c73176e731c23605648a3d76f12f6e55.exe
4016	f19acc5921ede6163dd6394d2d749aa3c73176e731c23605648a3d76f12f6e55.exe
3512	pmef.exe
3512	pmef.exe

C:\Users\Admin\AppData\Local\Temp\f19acc5921ede6163dd6394d2d749aa3c73176e731c23605648a3d76f12f6e55.exe
"C:\Users\Admin\AppData\Local\Temp\f19acc5921ede6163dd6394d2d749aa3c73176e731c23605648a3d76f12f6e55.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:4016

C:\ProgramData\pqntbu\kofo.exe
C:\ProgramData\pqntbu\kofo.exe start
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2660

C:\Windows\TEMP\pmef.exe
C:\Windows\TEMP\pmef.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:3512

C:\ProgramData\nrtetbg\osrd.exe
C:\ProgramData\nrtetbg\osrd.exe start
1⤵
- Executes dropped EXE
PID:860

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\nrtetbg\osrd.exe
MD5
2c8563b5b272972a73a03ec077fc7b81

SHA1
a2e6faa70c701789c3413dff7ba6456f03a7ec1a

SHA256
f19acc5921ede6163dd6394d2d749aa3c73176e731c23605648a3d76f12f6e55

SHA512
33546ef3c4d63722bf954c24fc4fd5aa0f7cf408736dd03df43b4a8629f8a68e5058d2cb3921e6426fa96997a3be96097520cf37842fb34bb0bffb0f0ed044d2

Download Submit
C:\ProgramData\nrtetbg\osrd.exe
MD5
2c8563b5b272972a73a03ec077fc7b81

SHA1
a2e6faa70c701789c3413dff7ba6456f03a7ec1a

SHA256
f19acc5921ede6163dd6394d2d749aa3c73176e731c23605648a3d76f12f6e55

SHA512
33546ef3c4d63722bf954c24fc4fd5aa0f7cf408736dd03df43b4a8629f8a68e5058d2cb3921e6426fa96997a3be96097520cf37842fb34bb0bffb0f0ed044d2

Download Submit
C:\ProgramData\pqntbu\kofo.exe
MD5
2c8563b5b272972a73a03ec077fc7b81

SHA1
a2e6faa70c701789c3413dff7ba6456f03a7ec1a

SHA256
f19acc5921ede6163dd6394d2d749aa3c73176e731c23605648a3d76f12f6e55

SHA512
33546ef3c4d63722bf954c24fc4fd5aa0f7cf408736dd03df43b4a8629f8a68e5058d2cb3921e6426fa96997a3be96097520cf37842fb34bb0bffb0f0ed044d2

Download Submit
C:\ProgramData\pqntbu\kofo.exe
MD5
2c8563b5b272972a73a03ec077fc7b81

SHA1
a2e6faa70c701789c3413dff7ba6456f03a7ec1a

SHA256
f19acc5921ede6163dd6394d2d749aa3c73176e731c23605648a3d76f12f6e55

SHA512
33546ef3c4d63722bf954c24fc4fd5aa0f7cf408736dd03df43b4a8629f8a68e5058d2cb3921e6426fa96997a3be96097520cf37842fb34bb0bffb0f0ed044d2

Download Submit
C:\Windows\TEMP\pmef.exe
MD5
2c8563b5b272972a73a03ec077fc7b81

SHA1
a2e6faa70c701789c3413dff7ba6456f03a7ec1a

SHA256
f19acc5921ede6163dd6394d2d749aa3c73176e731c23605648a3d76f12f6e55

SHA512
33546ef3c4d63722bf954c24fc4fd5aa0f7cf408736dd03df43b4a8629f8a68e5058d2cb3921e6426fa96997a3be96097520cf37842fb34bb0bffb0f0ed044d2

Download Submit
C:\Windows\Tasks\kofo.job
MD5
db1aabe4e0b88bf4567a97172c2ba80f

SHA1
e05ac50db1a74b78d659af2b0b5c16ee0155d374

SHA256
f4cfc74554b77dd5a7075e0ddd2f2abcacfe45631621f8507d6c85baa827bb82

SHA512
796875bf5a61015c74dc0fb3a480e4674615674e07563156c3b507d1464f0c599c4c6473a67e69876dbb98e224434f1d66b22aaeacb2ac3cd0ce58e9ba67c422

Download Submit
C:\Windows\Temp\pmef.exe
MD5
2c8563b5b272972a73a03ec077fc7b81

SHA1
a2e6faa70c701789c3413dff7ba6456f03a7ec1a

SHA256
f19acc5921ede6163dd6394d2d749aa3c73176e731c23605648a3d76f12f6e55

SHA512
33546ef3c4d63722bf954c24fc4fd5aa0f7cf408736dd03df43b4a8629f8a68e5058d2cb3921e6426fa96997a3be96097520cf37842fb34bb0bffb0f0ed044d2

Download Submit
memory/860-140-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/860-139-0x0000000000D00000-0x0000000000D09000-memory.dmp

Filesize
36KB

Download
memory/860-138-0x00000000004C0000-0x000000000056E000-memory.dmp

Filesize
696KB

Download
memory/2660-125-0x0000000000550000-0x000000000069A000-memory.dmp

Filesize
1.3MB

Download
memory/2660-127-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2660-126-0x0000000000550000-0x000000000069A000-memory.dmp

Filesize
1.3MB

Download
memory/3512-130-0x0000000000752000-0x000000000075B000-memory.dmp

Filesize
36KB

Download
memory/3512-132-0x0000000000752000-0x000000000075B000-memory.dmp

Filesize
36KB

Download
memory/3512-133-0x0000000000470000-0x00000000005BA000-memory.dmp

Filesize
1.3MB

Download
memory/3512-134-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/4016-119-0x0000000000540000-0x000000000068A000-memory.dmp

Filesize
1.3MB

Download
memory/4016-121-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/4016-120-0x0000000000470000-0x000000000051E000-memory.dmp

Filesize
696KB

Download

Analysis

Sharing