systembc | f9a9f80396a55b00101bc149f0cfd8285c458edff663918ab8fca4276cc11d5c

General

Target

f9a9f80396a55b00101bc149f0cfd8285c458edff663918ab8fca4276cc11d5c.exe
Size

231KB
MD5

b4f198027150f53a087ef4b179de0794
SHA1

d3622afda0f3ed03e82e13a844b4ad0df595713e
SHA256

f9a9f80396a55b00101bc149f0cfd8285c458edff663918ab8fca4276cc11d5c
SHA512

df3c8ad2cf23b01b03e3e9d85360eb1824670621ab09f69db35e0cbc5734ae04154ac413141723825c1bc6adcee2ec881c0311125b0ec55496fb222fcffb1384

Score

10^/10

systembc suricata trojan

Malware Config

Extracted

Family

systembc

C2

31.44.185.6:4001

31.44.185.11:4001

Signatures

SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc
suricata: ET MALWARE Single char EXE direct download likely trojan (multiple families)
suricata: ET MALWARE Single char EXE direct download likely trojan (multiple families)
suricata
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata
suricata: ET MALWARE Win32/SystemBC CnC Checkin
suricata: ET MALWARE Win32/SystemBC CnC Checkin
suricata
Downloads MZ/PE file
Executes dropped EXE 3 IoCs

Processes:

acamlg.exeqbtm.exejlgs.exe

pid process

3928 acamlg.exe
972 qbtm.exe
3688 jlgs.exe

pid	process
3928	acamlg.exe
972	qbtm.exe
3688	jlgs.exe

Drops file in Windows directory 5 IoCs

Processes:

f9a9f80396a55b00101bc149f0cfd8285c458edff663918ab8fca4276cc11d5c.exeacamlg.exeqbtm.exe

description	ioc	process
File created	C:\Windows\Tasks\acamlg.job	f9a9f80396a55b00101bc149f0cfd8285c458edff663918ab8fca4276cc11d5c.exe
File opened for modification	C:\Windows\Tasks\acamlg.job	f9a9f80396a55b00101bc149f0cfd8285c458edff663918ab8fca4276cc11d5c.exe
File created	C:\Windows\Tasks\fqeunfwphaqjbskdtme.job	acamlg.exe
File created	C:\Windows\Tasks\jlgs.job	qbtm.exe
File opened for modification	C:\Windows\Tasks\jlgs.job	qbtm.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

f9a9f80396a55b00101bc149f0cfd8285c458edff663918ab8fca4276cc11d5c.exeqbtm.exe

pid	process
2372	f9a9f80396a55b00101bc149f0cfd8285c458edff663918ab8fca4276cc11d5c.exe
2372	f9a9f80396a55b00101bc149f0cfd8285c458edff663918ab8fca4276cc11d5c.exe
972	qbtm.exe
972	qbtm.exe

C:\Users\Admin\AppData\Local\Temp\f9a9f80396a55b00101bc149f0cfd8285c458edff663918ab8fca4276cc11d5c.exe
"C:\Users\Admin\AppData\Local\Temp\f9a9f80396a55b00101bc149f0cfd8285c458edff663918ab8fca4276cc11d5c.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:2372

C:\ProgramData\vdripf\acamlg.exe
C:\ProgramData\vdripf\acamlg.exe start
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:3928

C:\Windows\TEMP\qbtm.exe
C:\Windows\TEMP\qbtm.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:972

C:\ProgramData\akgw\jlgs.exe
C:\ProgramData\akgw\jlgs.exe start
1⤵
- Executes dropped EXE
PID:3688

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\akgw\jlgs.exe
MD5
b4f198027150f53a087ef4b179de0794

SHA1
d3622afda0f3ed03e82e13a844b4ad0df595713e

SHA256
f9a9f80396a55b00101bc149f0cfd8285c458edff663918ab8fca4276cc11d5c

SHA512
df3c8ad2cf23b01b03e3e9d85360eb1824670621ab09f69db35e0cbc5734ae04154ac413141723825c1bc6adcee2ec881c0311125b0ec55496fb222fcffb1384

Download Submit
C:\ProgramData\akgw\jlgs.exe
MD5
b4f198027150f53a087ef4b179de0794

SHA1
d3622afda0f3ed03e82e13a844b4ad0df595713e

SHA256
f9a9f80396a55b00101bc149f0cfd8285c458edff663918ab8fca4276cc11d5c

SHA512
df3c8ad2cf23b01b03e3e9d85360eb1824670621ab09f69db35e0cbc5734ae04154ac413141723825c1bc6adcee2ec881c0311125b0ec55496fb222fcffb1384

Download Submit
C:\ProgramData\vdripf\acamlg.exe
MD5
b4f198027150f53a087ef4b179de0794

SHA1
d3622afda0f3ed03e82e13a844b4ad0df595713e

SHA256
f9a9f80396a55b00101bc149f0cfd8285c458edff663918ab8fca4276cc11d5c

SHA512
df3c8ad2cf23b01b03e3e9d85360eb1824670621ab09f69db35e0cbc5734ae04154ac413141723825c1bc6adcee2ec881c0311125b0ec55496fb222fcffb1384

Download Submit
C:\ProgramData\vdripf\acamlg.exe
MD5
b4f198027150f53a087ef4b179de0794

SHA1
d3622afda0f3ed03e82e13a844b4ad0df595713e

SHA256
f9a9f80396a55b00101bc149f0cfd8285c458edff663918ab8fca4276cc11d5c

SHA512
df3c8ad2cf23b01b03e3e9d85360eb1824670621ab09f69db35e0cbc5734ae04154ac413141723825c1bc6adcee2ec881c0311125b0ec55496fb222fcffb1384

Download Submit
C:\Windows\TEMP\qbtm.exe
MD5
b4f198027150f53a087ef4b179de0794

SHA1
d3622afda0f3ed03e82e13a844b4ad0df595713e

SHA256
f9a9f80396a55b00101bc149f0cfd8285c458edff663918ab8fca4276cc11d5c

SHA512
df3c8ad2cf23b01b03e3e9d85360eb1824670621ab09f69db35e0cbc5734ae04154ac413141723825c1bc6adcee2ec881c0311125b0ec55496fb222fcffb1384

Download Submit
C:\Windows\Tasks\acamlg.job
MD5
5735493dc4aae1ccfd5357b9659eb4f0

SHA1
018b731452c4cd99b053ba1fea66fd259d1ec026

SHA256
68313f39b3e7f32b3ccd6abd51cd80d94f46b910ff271580848e4c5d1913dcdf

SHA512
eae461c0b82ebfac7ebc075acbf33b3f0307fa347a2c20948a5b63a19f7f0c6a18377ef64e183cdb828af679d32939d6670b8997e243d819fad347a2003ebb22

Download Submit
C:\Windows\Temp\qbtm.exe
MD5
b4f198027150f53a087ef4b179de0794

SHA1
d3622afda0f3ed03e82e13a844b4ad0df595713e

SHA256
f9a9f80396a55b00101bc149f0cfd8285c458edff663918ab8fca4276cc11d5c

SHA512
df3c8ad2cf23b01b03e3e9d85360eb1824670621ab09f69db35e0cbc5734ae04154ac413141723825c1bc6adcee2ec881c0311125b0ec55496fb222fcffb1384

Download Submit
memory/972-128-0x0000000000470000-0x00000000005BA000-memory.dmp

Filesize
1.3MB

Download
memory/972-130-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/972-129-0x00000000001E0000-0x00000000001E9000-memory.dmp

Filesize
36KB

Download
memory/2372-116-0x00000000004D0000-0x000000000061A000-memory.dmp

Filesize
1.3MB

Download
memory/2372-115-0x00000000004D0000-0x000000000061A000-memory.dmp

Filesize
1.3MB

Download
memory/2372-117-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/3688-133-0x00000000007B2000-0x00000000007BB000-memory.dmp

Filesize
36KB

Download
memory/3688-134-0x00000000007B2000-0x00000000007BB000-memory.dmp

Filesize
36KB

Download
memory/3688-135-0x0000000000470000-0x00000000005BA000-memory.dmp

Filesize
1.3MB

Download
memory/3688-136-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/3928-121-0x00000000004D0000-0x000000000057E000-memory.dmp

Filesize
696KB

Download
memory/3928-123-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/3928-122-0x00000000004D0000-0x000000000057E000-memory.dmp

Filesize
696KB

Download

Analysis

Sharing