systembc | 560a030033d67b71fb8fa8877ed8f010e6a09fe2f48bc599938be6feac66a6a4

General

Target

560a030033d67b71fb8fa8877ed8f010e6a09fe2f48bc599938be6feac66a6a4.exe
Size

236KB
MD5

d46ff000567e8cda8a81e09fa882da58
SHA1

6323b999e83ff3e50d8494253dddb146e264d8e0
SHA256

560a030033d67b71fb8fa8877ed8f010e6a09fe2f48bc599938be6feac66a6a4
SHA512

78a481765a23f18c8ee5cc0da324d82c8d5309e8dc06ea531adc5f7ddaa04b0d2e671079b6c7a89c11de1cf64bb0ade87f4c68c1e0a4051e77ea0c06e3523035

Score

10^/10

Family

systembc

C2

31.44.185.6:4001

31.44.185.11:4001

SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc
suricata: ET MALWARE Single char EXE direct download likely trojan (multiple families)
suricata: ET MALWARE Single char EXE direct download likely trojan (multiple families)
suricata
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata
suricata: ET MALWARE Win32/SystemBC CnC Checkin
suricata: ET MALWARE Win32/SystemBC CnC Checkin
suricata
Downloads MZ/PE file
Executes dropped EXE 1 IoCs

Processes:

rqdvsg.exe

pid process

4608 rqdvsg.exe

pid	process
4608	rqdvsg.exe

Drops file in Windows directory 3 IoCs

Processes:

560a030033d67b71fb8fa8877ed8f010e6a09fe2f48bc599938be6feac66a6a4.exerqdvsg.exe

description	ioc	process
File created	C:\Windows\Tasks\rqdvsg.job	560a030033d67b71fb8fa8877ed8f010e6a09fe2f48bc599938be6feac66a6a4.exe
File opened for modification	C:\Windows\Tasks\rqdvsg.job	560a030033d67b71fb8fa8877ed8f010e6a09fe2f48bc599938be6feac66a6a4.exe
File created	C:\Windows\Tasks\pmmbipxfnsdjrxhnvdl.job	rqdvsg.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4100 1596 WerFault.exe 560a030033d67b71fb8fa8877ed8f010e6a09fe2f48bc599938be6feac66a6a4.exe

pid	pid_target	process	target process
4100	1596	WerFault.exe	560a030033d67b71fb8fa8877ed8f010e6a09fe2f48bc599938be6feac66a6a4.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

560a030033d67b71fb8fa8877ed8f010e6a09fe2f48bc599938be6feac66a6a4.exe

pid	process
1596	560a030033d67b71fb8fa8877ed8f010e6a09fe2f48bc599938be6feac66a6a4.exe
1596	560a030033d67b71fb8fa8877ed8f010e6a09fe2f48bc599938be6feac66a6a4.exe

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1596 -s 488
2⤵
- Program crash
PID:4100

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 1596 -ip 1596
1⤵
PID:4000

C:\ProgramData\oupu\rqdvsg.exe
MD5
d46ff000567e8cda8a81e09fa882da58

SHA1
6323b999e83ff3e50d8494253dddb146e264d8e0

SHA256
560a030033d67b71fb8fa8877ed8f010e6a09fe2f48bc599938be6feac66a6a4

SHA512
78a481765a23f18c8ee5cc0da324d82c8d5309e8dc06ea531adc5f7ddaa04b0d2e671079b6c7a89c11de1cf64bb0ade87f4c68c1e0a4051e77ea0c06e3523035

Download Submit
C:\ProgramData\oupu\rqdvsg.exe
MD5
d46ff000567e8cda8a81e09fa882da58

SHA1
6323b999e83ff3e50d8494253dddb146e264d8e0

SHA256
560a030033d67b71fb8fa8877ed8f010e6a09fe2f48bc599938be6feac66a6a4

SHA512
78a481765a23f18c8ee5cc0da324d82c8d5309e8dc06ea531adc5f7ddaa04b0d2e671079b6c7a89c11de1cf64bb0ade87f4c68c1e0a4051e77ea0c06e3523035

Download Submit
memory/1596-130-0x00000000004F1000-0x00000000004FA000-memory.dmp

Filesize
36KB

Download
memory/1596-131-0x00000000004F1000-0x00000000004FA000-memory.dmp

Filesize
36KB

Download
memory/1596-132-0x0000000000620000-0x0000000000629000-memory.dmp

Filesize
36KB

Download
memory/1596-133-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/4608-136-0x000000000065D000-0x0000000000666000-memory.dmp

Filesize
36KB

Download
memory/4608-137-0x000000000065D000-0x0000000000666000-memory.dmp

Filesize
36KB

Download
memory/4608-138-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download