systembc | 26babc0a6d078f137e389a7ea1c4a8a7110c495c053269d52a7936469df06073

General

Target

26babc0a6d078f137e389a7ea1c4a8a7110c495c053269d52a7936469df06073.exe
Size

233KB
MD5

46b2756fe95bbb5020b18f97392e2132
SHA1

2ea2c500bde740012c5f7623107edff40ae9c60f
SHA256

26babc0a6d078f137e389a7ea1c4a8a7110c495c053269d52a7936469df06073
SHA512

4bdf30aa2160707160ef30f1c9449ff7fd0d489b21d46812f2a3982d728364db48e9809ca31986f54d7add6b560c9447ad6d6c6dbaba0d4a1b65859b8827cacc

Score

10^/10

systembc suricata trojan

Malware Config

Extracted

Family

systembc

C2

31.44.185.6:4001

31.44.185.11:4001

Signatures

SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc
suricata: ET MALWARE Single char EXE direct download likely trojan (multiple families)
suricata: ET MALWARE Single char EXE direct download likely trojan (multiple families)
suricata
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata
suricata: ET MALWARE Win32/SystemBC CnC Checkin
suricata: ET MALWARE Win32/SystemBC CnC Checkin
suricata
Downloads MZ/PE file
Executes dropped EXE 3 IoCs

Processes:

fmdkgd.exeqhbt.exejaxv.exe

pid process

2324 fmdkgd.exe
3948 qhbt.exe
3968 jaxv.exe

pid	process
2324	fmdkgd.exe
3948	qhbt.exe
3968	jaxv.exe

Drops file in Windows directory 5 IoCs

Processes:

26babc0a6d078f137e389a7ea1c4a8a7110c495c053269d52a7936469df06073.exefmdkgd.exeqhbt.exe

description	ioc	process
File created	C:\Windows\Tasks\fmdkgd.job	26babc0a6d078f137e389a7ea1c4a8a7110c495c053269d52a7936469df06073.exe
File opened for modification	C:\Windows\Tasks\fmdkgd.job	26babc0a6d078f137e389a7ea1c4a8a7110c495c053269d52a7936469df06073.exe
File created	C:\Windows\Tasks\tgcbglmlwhisseeeoaa.job	fmdkgd.exe
File created	C:\Windows\Tasks\jaxv.job	qhbt.exe
File opened for modification	C:\Windows\Tasks\jaxv.job	qhbt.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

26babc0a6d078f137e389a7ea1c4a8a7110c495c053269d52a7936469df06073.exeqhbt.exe

pid	process
3596	26babc0a6d078f137e389a7ea1c4a8a7110c495c053269d52a7936469df06073.exe
3596	26babc0a6d078f137e389a7ea1c4a8a7110c495c053269d52a7936469df06073.exe
3948	qhbt.exe
3948	qhbt.exe

C:\Users\Admin\AppData\Local\Temp\26babc0a6d078f137e389a7ea1c4a8a7110c495c053269d52a7936469df06073.exe
"C:\Users\Admin\AppData\Local\Temp\26babc0a6d078f137e389a7ea1c4a8a7110c495c053269d52a7936469df06073.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:3596

C:\ProgramData\lfmn\fmdkgd.exe
C:\ProgramData\lfmn\fmdkgd.exe start
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2324

C:\Windows\TEMP\qhbt.exe
C:\Windows\TEMP\qhbt.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:3948

C:\ProgramData\ntehvb\jaxv.exe
C:\ProgramData\ntehvb\jaxv.exe start
1⤵
- Executes dropped EXE
PID:3968

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\lfmn\fmdkgd.exe

MD5
46b2756fe95bbb5020b18f97392e2132

SHA1
2ea2c500bde740012c5f7623107edff40ae9c60f

SHA256
26babc0a6d078f137e389a7ea1c4a8a7110c495c053269d52a7936469df06073

SHA512
4bdf30aa2160707160ef30f1c9449ff7fd0d489b21d46812f2a3982d728364db48e9809ca31986f54d7add6b560c9447ad6d6c6dbaba0d4a1b65859b8827cacc

Download Submit
C:\ProgramData\lfmn\fmdkgd.exe

MD5
46b2756fe95bbb5020b18f97392e2132

SHA1
2ea2c500bde740012c5f7623107edff40ae9c60f

SHA256
26babc0a6d078f137e389a7ea1c4a8a7110c495c053269d52a7936469df06073

SHA512
4bdf30aa2160707160ef30f1c9449ff7fd0d489b21d46812f2a3982d728364db48e9809ca31986f54d7add6b560c9447ad6d6c6dbaba0d4a1b65859b8827cacc

Download Submit
C:\ProgramData\ntehvb\jaxv.exe

MD5
46b2756fe95bbb5020b18f97392e2132

SHA1
2ea2c500bde740012c5f7623107edff40ae9c60f

SHA256
26babc0a6d078f137e389a7ea1c4a8a7110c495c053269d52a7936469df06073

SHA512
4bdf30aa2160707160ef30f1c9449ff7fd0d489b21d46812f2a3982d728364db48e9809ca31986f54d7add6b560c9447ad6d6c6dbaba0d4a1b65859b8827cacc

Download Submit
C:\ProgramData\ntehvb\jaxv.exe

MD5
46b2756fe95bbb5020b18f97392e2132

SHA1
2ea2c500bde740012c5f7623107edff40ae9c60f

SHA256
26babc0a6d078f137e389a7ea1c4a8a7110c495c053269d52a7936469df06073

SHA512
4bdf30aa2160707160ef30f1c9449ff7fd0d489b21d46812f2a3982d728364db48e9809ca31986f54d7add6b560c9447ad6d6c6dbaba0d4a1b65859b8827cacc

Download Submit
C:\Windows\TEMP\qhbt.exe

MD5
46b2756fe95bbb5020b18f97392e2132

SHA1
2ea2c500bde740012c5f7623107edff40ae9c60f

SHA256
26babc0a6d078f137e389a7ea1c4a8a7110c495c053269d52a7936469df06073

SHA512
4bdf30aa2160707160ef30f1c9449ff7fd0d489b21d46812f2a3982d728364db48e9809ca31986f54d7add6b560c9447ad6d6c6dbaba0d4a1b65859b8827cacc

Download Submit
C:\Windows\Tasks\fmdkgd.job

MD5
5dadf141e449e8e7443d6575ca8497ce

SHA1
9ab15a3c005aaa8f90c12890c6ce313782935427

SHA256
35a5d2263289cc213b65eb7faf4c6a11d5f1156949ecb12a11e29eef2a4cdb65

SHA512
323e9aae142a1eddda6df7164c895382702ccf8eaac95691aaab5a7cecaea289e2b6dbda6b9e35217dc4ef80de1d309d367a89715a5d5209e0725ccbcff371c2

Download Submit
C:\Windows\Temp\qhbt.exe

MD5
46b2756fe95bbb5020b18f97392e2132

SHA1
2ea2c500bde740012c5f7623107edff40ae9c60f

SHA256
26babc0a6d078f137e389a7ea1c4a8a7110c495c053269d52a7936469df06073

SHA512
4bdf30aa2160707160ef30f1c9449ff7fd0d489b21d46812f2a3982d728364db48e9809ca31986f54d7add6b560c9447ad6d6c6dbaba0d4a1b65859b8827cacc

Download Submit
memory/2324-121-0x00000000006A7000-0x00000000006B0000-memory.dmp

Filesize
36KB

Download
memory/2324-122-0x00000000004C0000-0x00000000004C9000-memory.dmp

Filesize
36KB

Download
memory/2324-123-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2324-120-0x00000000006A7000-0x00000000006B0000-memory.dmp

Filesize
36KB

Download
memory/3596-117-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/3596-115-0x0000000000530000-0x000000000067A000-memory.dmp

Filesize
1.3MB

Download
memory/3596-116-0x0000000000470000-0x000000000051E000-memory.dmp

Filesize
696KB

Download
memory/3948-129-0x0000000000470000-0x000000000051E000-memory.dmp

Filesize
696KB

Download
memory/3948-130-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/3948-128-0x0000000000470000-0x00000000005BA000-memory.dmp

Filesize
1.3MB

Download
memory/3968-133-0x00000000006F7000-0x0000000000700000-memory.dmp

Filesize
36KB

Download
memory/3968-134-0x00000000006F7000-0x0000000000700000-memory.dmp

Filesize
36KB

Download
memory/3968-135-0x0000000000470000-0x00000000005BA000-memory.dmp

Filesize
1.3MB

Download
memory/3968-136-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download

Analysis

Sharing