systembc | f151c634a6e355148da4d7bb69089a190ea20b18703f86159a9745d8dd8d37df

General

Target

f151c634a6e355148da4d7bb69089a190ea20b18703f86159a9745d8dd8d37df.exe
Size

236KB
MD5

e126cf941fd76348fadb6893b8c7d980
SHA1

d2b408c77bfda79d853259b6d50566ddfd7211fe
SHA256

f151c634a6e355148da4d7bb69089a190ea20b18703f86159a9745d8dd8d37df
SHA512

bbc274582d11533e777703d816ff899cf19cbb677d36039cdbf7ea567ea5db0e95ee99e0bc15ebaf8b4d7d379344affebb0af658be89f965474bb17413e40899

Score

10^/10

systembc trojan

Malware Config

Extracted

Family

systembc

C2

31.44.185.6:4001

31.44.185.11:4001

Signatures

SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc
Downloads MZ/PE file
Executes dropped EXE 3 IoCs

Processes:

khtmhbm.exevlnit.exeonjfau.exe

pid process

2480 khtmhbm.exe
592 vlnit.exe
1244 onjfau.exe

pid	process
2480	khtmhbm.exe
592	vlnit.exe
1244	onjfau.exe

Drops file in Windows directory 5 IoCs

Processes:

vlnit.exef151c634a6e355148da4d7bb69089a190ea20b18703f86159a9745d8dd8d37df.exekhtmhbm.exe

description	ioc	process
File opened for modification	C:\Windows\Tasks\onjfau.job	vlnit.exe
File created	C:\Windows\Tasks\khtmhbm.job	f151c634a6e355148da4d7bb69089a190ea20b18703f86159a9745d8dd8d37df.exe
File opened for modification	C:\Windows\Tasks\khtmhbm.job	f151c634a6e355148da4d7bb69089a190ea20b18703f86159a9745d8dd8d37df.exe
File created	C:\Windows\Tasks\voiepgdninvclpafosd.job	khtmhbm.exe
File created	C:\Windows\Tasks\onjfau.job	vlnit.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

f151c634a6e355148da4d7bb69089a190ea20b18703f86159a9745d8dd8d37df.exevlnit.exe

pid	process
2228	f151c634a6e355148da4d7bb69089a190ea20b18703f86159a9745d8dd8d37df.exe
2228	f151c634a6e355148da4d7bb69089a190ea20b18703f86159a9745d8dd8d37df.exe
592	vlnit.exe
592	vlnit.exe

C:\Users\Admin\AppData\Local\Temp\f151c634a6e355148da4d7bb69089a190ea20b18703f86159a9745d8dd8d37df.exe
"C:\Users\Admin\AppData\Local\Temp\f151c634a6e355148da4d7bb69089a190ea20b18703f86159a9745d8dd8d37df.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:2228

C:\ProgramData\ewrcpub\khtmhbm.exe
C:\ProgramData\ewrcpub\khtmhbm.exe start
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2480

C:\Windows\TEMP\vlnit.exe
C:\Windows\TEMP\vlnit.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:592

C:\ProgramData\jhodq\onjfau.exe
C:\ProgramData\jhodq\onjfau.exe start
1⤵
- Executes dropped EXE
PID:1244

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\ewrcpub\khtmhbm.exe

MD5
e126cf941fd76348fadb6893b8c7d980

SHA1
d2b408c77bfda79d853259b6d50566ddfd7211fe

SHA256
f151c634a6e355148da4d7bb69089a190ea20b18703f86159a9745d8dd8d37df

SHA512
bbc274582d11533e777703d816ff899cf19cbb677d36039cdbf7ea567ea5db0e95ee99e0bc15ebaf8b4d7d379344affebb0af658be89f965474bb17413e40899

Download Submit
C:\ProgramData\ewrcpub\khtmhbm.exe

MD5
e126cf941fd76348fadb6893b8c7d980

SHA1
d2b408c77bfda79d853259b6d50566ddfd7211fe

SHA256
f151c634a6e355148da4d7bb69089a190ea20b18703f86159a9745d8dd8d37df

SHA512
bbc274582d11533e777703d816ff899cf19cbb677d36039cdbf7ea567ea5db0e95ee99e0bc15ebaf8b4d7d379344affebb0af658be89f965474bb17413e40899

Download Submit
C:\ProgramData\jhodq\onjfau.exe

MD5
e126cf941fd76348fadb6893b8c7d980

SHA1
d2b408c77bfda79d853259b6d50566ddfd7211fe

SHA256
f151c634a6e355148da4d7bb69089a190ea20b18703f86159a9745d8dd8d37df

SHA512
bbc274582d11533e777703d816ff899cf19cbb677d36039cdbf7ea567ea5db0e95ee99e0bc15ebaf8b4d7d379344affebb0af658be89f965474bb17413e40899

Download Submit
C:\ProgramData\jhodq\onjfau.exe

MD5
e126cf941fd76348fadb6893b8c7d980

SHA1
d2b408c77bfda79d853259b6d50566ddfd7211fe

SHA256
f151c634a6e355148da4d7bb69089a190ea20b18703f86159a9745d8dd8d37df

SHA512
bbc274582d11533e777703d816ff899cf19cbb677d36039cdbf7ea567ea5db0e95ee99e0bc15ebaf8b4d7d379344affebb0af658be89f965474bb17413e40899

Download Submit
C:\Windows\TEMP\vlnit.exe

MD5
e126cf941fd76348fadb6893b8c7d980

SHA1
d2b408c77bfda79d853259b6d50566ddfd7211fe

SHA256
f151c634a6e355148da4d7bb69089a190ea20b18703f86159a9745d8dd8d37df

SHA512
bbc274582d11533e777703d816ff899cf19cbb677d36039cdbf7ea567ea5db0e95ee99e0bc15ebaf8b4d7d379344affebb0af658be89f965474bb17413e40899

Download Submit
C:\Windows\Tasks\khtmhbm.job

MD5
85f4120435b85fae1d588b6e2deb3a17

SHA1
2dbde36aaa3bebf02fe632cd5bd1e9d6780e5de4

SHA256
aeded3fc61d2ee168bc29b2c85a1b69477ad419d5ce3ca0952464ba11fb823c5

SHA512
2c7a6e9e6bbb1ddd8243df8e32c9efd7092d1b0e7a4c9b567ac7cc94ccc47703b5bd8de0adf08b7786aa4bcfb10b14d01ca046d56d3c809ff6c6c1db961dc45a

Download Submit
C:\Windows\Temp\vlnit.exe

MD5
e126cf941fd76348fadb6893b8c7d980

SHA1
d2b408c77bfda79d853259b6d50566ddfd7211fe

SHA256
f151c634a6e355148da4d7bb69089a190ea20b18703f86159a9745d8dd8d37df

SHA512
bbc274582d11533e777703d816ff899cf19cbb677d36039cdbf7ea567ea5db0e95ee99e0bc15ebaf8b4d7d379344affebb0af658be89f965474bb17413e40899

Download Submit
memory/592-132-0x0000000000470000-0x000000000051E000-memory.dmp

Filesize
696KB

Download
memory/592-134-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/592-133-0x0000000000470000-0x000000000051E000-memory.dmp

Filesize
696KB

Download
memory/1244-139-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1244-138-0x0000000000470000-0x00000000005BA000-memory.dmp

Filesize
1.3MB

Download
memory/2228-118-0x000000000072D000-0x0000000000736000-memory.dmp

Filesize
36KB

Download
memory/2228-121-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2228-120-0x00000000005E0000-0x00000000005E9000-memory.dmp

Filesize
36KB

Download
memory/2228-119-0x000000000072D000-0x0000000000736000-memory.dmp

Filesize
36KB

Download
memory/2480-124-0x0000000000727000-0x0000000000730000-memory.dmp

Filesize
36KB

Download
memory/2480-125-0x0000000000727000-0x0000000000730000-memory.dmp

Filesize
36KB

Download
memory/2480-127-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2480-126-0x0000000000560000-0x00000000006AA000-memory.dmp

Filesize
1.3MB

Download

Analysis

Sharing