systembc | 822751ee99cf620d862fe002c367b6dbea0c2f30220a1aca05e641d11ee173ad

General

Target

822751ee99cf620d862fe002c367b6dbea0c2f30220a1aca05e641d11ee173ad.exe
Size

231KB
MD5

b39f87eaf56ac77a323a30c70cfd5f06
SHA1

5fd9f5f8c3999b217e04644235212f6a980a8a4c
SHA256

822751ee99cf620d862fe002c367b6dbea0c2f30220a1aca05e641d11ee173ad
SHA512

5d6385dabaeefdd3c3be1f638fd48437adab97892767e9de76f20c5711be188923a5bc498fabd01d086cbc77f2a019ac81816f1f44e290b18a37c3fadc660489

Score

10^/10

systembc suricata trojan

Malware Config

Extracted

Family

systembc

C2

31.44.185.6:4001

31.44.185.11:4001

Signatures

SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc
suricata: ET MALWARE Single char EXE direct download likely trojan (multiple families)
suricata: ET MALWARE Single char EXE direct download likely trojan (multiple families)
suricata
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata
suricata: ET MALWARE Win32/SystemBC CnC Checkin
suricata: ET MALWARE Win32/SystemBC CnC Checkin
suricata
Downloads MZ/PE file
Executes dropped EXE 3 IoCs

Processes:

tmolab.exeiotggd.exewrjwfl.exe

pid process

3440 tmolab.exe
2104 iotggd.exe
3892 wrjwfl.exe

pid	process
3440	tmolab.exe
2104	iotggd.exe
3892	wrjwfl.exe

Drops file in Windows directory 5 IoCs

Processes:

iotggd.exe822751ee99cf620d862fe002c367b6dbea0c2f30220a1aca05e641d11ee173ad.exetmolab.exe

description	ioc	process
File opened for modification	C:\Windows\Tasks\wrjwfl.job	iotggd.exe
File created	C:\Windows\Tasks\tmolab.job	822751ee99cf620d862fe002c367b6dbea0c2f30220a1aca05e641d11ee173ad.exe
File opened for modification	C:\Windows\Tasks\tmolab.job	822751ee99cf620d862fe002c367b6dbea0c2f30220a1aca05e641d11ee173ad.exe
File created	C:\Windows\Tasks\ioajatkguqqcqmcwmiw.job	tmolab.exe
File created	C:\Windows\Tasks\wrjwfl.job	iotggd.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

822751ee99cf620d862fe002c367b6dbea0c2f30220a1aca05e641d11ee173ad.exeiotggd.exe

pid	process
3456	822751ee99cf620d862fe002c367b6dbea0c2f30220a1aca05e641d11ee173ad.exe
3456	822751ee99cf620d862fe002c367b6dbea0c2f30220a1aca05e641d11ee173ad.exe
2104	iotggd.exe
2104	iotggd.exe

C:\Users\Admin\AppData\Local\Temp\822751ee99cf620d862fe002c367b6dbea0c2f30220a1aca05e641d11ee173ad.exe
"C:\Users\Admin\AppData\Local\Temp\822751ee99cf620d862fe002c367b6dbea0c2f30220a1aca05e641d11ee173ad.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:3456

C:\ProgramData\fbkljj\tmolab.exe
C:\ProgramData\fbkljj\tmolab.exe start
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:3440

C:\Windows\TEMP\iotggd.exe
C:\Windows\TEMP\iotggd.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:2104

C:\ProgramData\omfmcd\wrjwfl.exe
C:\ProgramData\omfmcd\wrjwfl.exe start
1⤵
- Executes dropped EXE
PID:3892

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\fbkljj\tmolab.exe
MD5
b39f87eaf56ac77a323a30c70cfd5f06

SHA1
5fd9f5f8c3999b217e04644235212f6a980a8a4c

SHA256
822751ee99cf620d862fe002c367b6dbea0c2f30220a1aca05e641d11ee173ad

SHA512
5d6385dabaeefdd3c3be1f638fd48437adab97892767e9de76f20c5711be188923a5bc498fabd01d086cbc77f2a019ac81816f1f44e290b18a37c3fadc660489

Download Submit
C:\ProgramData\fbkljj\tmolab.exe
MD5
b39f87eaf56ac77a323a30c70cfd5f06

SHA1
5fd9f5f8c3999b217e04644235212f6a980a8a4c

SHA256
822751ee99cf620d862fe002c367b6dbea0c2f30220a1aca05e641d11ee173ad

SHA512
5d6385dabaeefdd3c3be1f638fd48437adab97892767e9de76f20c5711be188923a5bc498fabd01d086cbc77f2a019ac81816f1f44e290b18a37c3fadc660489

Download Submit
C:\ProgramData\omfmcd\wrjwfl.exe
MD5
b39f87eaf56ac77a323a30c70cfd5f06

SHA1
5fd9f5f8c3999b217e04644235212f6a980a8a4c

SHA256
822751ee99cf620d862fe002c367b6dbea0c2f30220a1aca05e641d11ee173ad

SHA512
5d6385dabaeefdd3c3be1f638fd48437adab97892767e9de76f20c5711be188923a5bc498fabd01d086cbc77f2a019ac81816f1f44e290b18a37c3fadc660489

Download Submit
C:\ProgramData\omfmcd\wrjwfl.exe
MD5
b39f87eaf56ac77a323a30c70cfd5f06

SHA1
5fd9f5f8c3999b217e04644235212f6a980a8a4c

SHA256
822751ee99cf620d862fe002c367b6dbea0c2f30220a1aca05e641d11ee173ad

SHA512
5d6385dabaeefdd3c3be1f638fd48437adab97892767e9de76f20c5711be188923a5bc498fabd01d086cbc77f2a019ac81816f1f44e290b18a37c3fadc660489

Download Submit
C:\Windows\TEMP\iotggd.exe
MD5
b39f87eaf56ac77a323a30c70cfd5f06

SHA1
5fd9f5f8c3999b217e04644235212f6a980a8a4c

SHA256
822751ee99cf620d862fe002c367b6dbea0c2f30220a1aca05e641d11ee173ad

SHA512
5d6385dabaeefdd3c3be1f638fd48437adab97892767e9de76f20c5711be188923a5bc498fabd01d086cbc77f2a019ac81816f1f44e290b18a37c3fadc660489

Download Submit
C:\Windows\Tasks\tmolab.job
MD5
f94aeda9ad75837021bad4e2e8708770

SHA1
cdb03a10eea4dad68c9889cf7097d10be7e86dff

SHA256
d515ffe9e3d134fc92931c6f77ff642a11f5db41aa5ffd4e80a940701b35741c

SHA512
f2b43bf68310176751fa704627ccd9a01e3031c5f1e1eee49af1b65102cc3357069c16406ccfdbb54ade8dc8d7f4fa56bdddf0c49446cb1b02509c9e112da74e

Download Submit
C:\Windows\Temp\iotggd.exe
MD5
b39f87eaf56ac77a323a30c70cfd5f06

SHA1
5fd9f5f8c3999b217e04644235212f6a980a8a4c

SHA256
822751ee99cf620d862fe002c367b6dbea0c2f30220a1aca05e641d11ee173ad

SHA512
5d6385dabaeefdd3c3be1f638fd48437adab97892767e9de76f20c5711be188923a5bc498fabd01d086cbc77f2a019ac81816f1f44e290b18a37c3fadc660489

Download Submit
memory/2104-128-0x00000000005A0000-0x00000000006EA000-memory.dmp

Filesize
1.3MB

Download
memory/2104-129-0x00000000005A0000-0x00000000006EA000-memory.dmp

Filesize
1.3MB

Download
memory/2104-130-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/3440-123-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/3440-122-0x00000000004C0000-0x00000000004C9000-memory.dmp

Filesize
36KB

Download
memory/3440-121-0x00000000004F0000-0x000000000063A000-memory.dmp

Filesize
1.3MB

Download
memory/3456-115-0x0000000000470000-0x000000000051E000-memory.dmp

Filesize
696KB

Download
memory/3456-117-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/3456-116-0x0000000000600000-0x0000000000609000-memory.dmp

Filesize
36KB

Download
memory/3892-134-0x0000000000530000-0x000000000067A000-memory.dmp

Filesize
1.3MB

Download
memory/3892-135-0x0000000000470000-0x000000000051E000-memory.dmp

Filesize
696KB

Download
memory/3892-136-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download

Analysis

Sharing