systembc | 19e195fa1ee00da266568f2fd5b980341e8e89112100054e86c4d114f5141b50

General

Target

19e195fa1ee00da266568f2fd5b980341e8e89112100054e86c4d114f5141b50.exe
Size

236KB
MD5

71d3275487576075d8f029b4cc4b3048
SHA1

24e33f38fac90c39bfd0891ba6c83b7689c274a6
SHA256

19e195fa1ee00da266568f2fd5b980341e8e89112100054e86c4d114f5141b50
SHA512

7fbcff779cf97753256faef1d1aeaaddd16a30d21ce4afa16355bfe10d748c2985f465c3ad38da2d3cca4cd504b0e5edd9a023a7a2dfdc54779b41649a9f3e6b

Score

10^/10

systembc trojan

Malware Config

Extracted

Family

systembc

C2

31.44.185.6:4001

31.44.185.11:4001

Signatures

SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc
Downloads MZ/PE file
Executes dropped EXE 3 IoCs

Processes:

hxuebwi.exexouhviw.exeeqgukp.exe

pid process

4088 hxuebwi.exe
3200 xouhviw.exe
4508 eqgukp.exe

pid	process
4088	hxuebwi.exe
3200	xouhviw.exe
4508	eqgukp.exe

Drops file in Windows directory 5 IoCs

Processes:

xouhviw.exe19e195fa1ee00da266568f2fd5b980341e8e89112100054e86c4d114f5141b50.exehxuebwi.exe

description	ioc	process
File created	C:\Windows\Tasks\eqgukp.job	xouhviw.exe
File opened for modification	C:\Windows\Tasks\eqgukp.job	xouhviw.exe
File created	C:\Windows\Tasks\hxuebwi.job	19e195fa1ee00da266568f2fd5b980341e8e89112100054e86c4d114f5141b50.exe
File opened for modification	C:\Windows\Tasks\hxuebwi.job	19e195fa1ee00da266568f2fd5b980341e8e89112100054e86c4d114f5141b50.exe
File created	C:\Windows\Tasks\aheoarqconcodcodpod.job	hxuebwi.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

19e195fa1ee00da266568f2fd5b980341e8e89112100054e86c4d114f5141b50.exexouhviw.exe

pid	process
3296	19e195fa1ee00da266568f2fd5b980341e8e89112100054e86c4d114f5141b50.exe
3296	19e195fa1ee00da266568f2fd5b980341e8e89112100054e86c4d114f5141b50.exe
3200	xouhviw.exe
3200	xouhviw.exe

C:\Users\Admin\AppData\Local\Temp\19e195fa1ee00da266568f2fd5b980341e8e89112100054e86c4d114f5141b50.exe
"C:\Users\Admin\AppData\Local\Temp\19e195fa1ee00da266568f2fd5b980341e8e89112100054e86c4d114f5141b50.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:3296

C:\ProgramData\beaj\hxuebwi.exe
C:\ProgramData\beaj\hxuebwi.exe start
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:4088

C:\Windows\TEMP\xouhviw.exe
C:\Windows\TEMP\xouhviw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:3200

C:\ProgramData\wcxcv\eqgukp.exe
C:\ProgramData\wcxcv\eqgukp.exe start
1⤵
- Executes dropped EXE
PID:4508

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\beaj\hxuebwi.exe
MD5
71d3275487576075d8f029b4cc4b3048

SHA1
24e33f38fac90c39bfd0891ba6c83b7689c274a6

SHA256
19e195fa1ee00da266568f2fd5b980341e8e89112100054e86c4d114f5141b50

SHA512
7fbcff779cf97753256faef1d1aeaaddd16a30d21ce4afa16355bfe10d748c2985f465c3ad38da2d3cca4cd504b0e5edd9a023a7a2dfdc54779b41649a9f3e6b

Download Submit
C:\ProgramData\beaj\hxuebwi.exe
MD5
71d3275487576075d8f029b4cc4b3048

SHA1
24e33f38fac90c39bfd0891ba6c83b7689c274a6

SHA256
19e195fa1ee00da266568f2fd5b980341e8e89112100054e86c4d114f5141b50

SHA512
7fbcff779cf97753256faef1d1aeaaddd16a30d21ce4afa16355bfe10d748c2985f465c3ad38da2d3cca4cd504b0e5edd9a023a7a2dfdc54779b41649a9f3e6b

Download Submit
C:\ProgramData\wcxcv\eqgukp.exe
MD5
71d3275487576075d8f029b4cc4b3048

SHA1
24e33f38fac90c39bfd0891ba6c83b7689c274a6

SHA256
19e195fa1ee00da266568f2fd5b980341e8e89112100054e86c4d114f5141b50

SHA512
7fbcff779cf97753256faef1d1aeaaddd16a30d21ce4afa16355bfe10d748c2985f465c3ad38da2d3cca4cd504b0e5edd9a023a7a2dfdc54779b41649a9f3e6b

Download Submit
C:\ProgramData\wcxcv\eqgukp.exe
MD5
71d3275487576075d8f029b4cc4b3048

SHA1
24e33f38fac90c39bfd0891ba6c83b7689c274a6

SHA256
19e195fa1ee00da266568f2fd5b980341e8e89112100054e86c4d114f5141b50

SHA512
7fbcff779cf97753256faef1d1aeaaddd16a30d21ce4afa16355bfe10d748c2985f465c3ad38da2d3cca4cd504b0e5edd9a023a7a2dfdc54779b41649a9f3e6b

Download Submit
C:\Windows\TEMP\xouhviw.exe
MD5
71d3275487576075d8f029b4cc4b3048

SHA1
24e33f38fac90c39bfd0891ba6c83b7689c274a6

SHA256
19e195fa1ee00da266568f2fd5b980341e8e89112100054e86c4d114f5141b50

SHA512
7fbcff779cf97753256faef1d1aeaaddd16a30d21ce4afa16355bfe10d748c2985f465c3ad38da2d3cca4cd504b0e5edd9a023a7a2dfdc54779b41649a9f3e6b

Download Submit
C:\Windows\Tasks\hxuebwi.job
MD5
6543ed0ca97e23ed17ffa1f757ff4592

SHA1
c08785ebfb6ddc0d82d4a17a1c34d66325f6fb09

SHA256
e1d2cbe4629b7ef616e4ce4c1fcade35bb239692a48527b52cc41990437d9ef0

SHA512
e7399be00da97087dc6a9c61c86413d96ac3cfe7d1a536f64c7daf64d93560a1bbf70e6c29357d7d7a2ba8b83e969166481d729a8fbf0178d9771698a9853111

Download Submit
C:\Windows\Temp\xouhviw.exe
MD5
71d3275487576075d8f029b4cc4b3048

SHA1
24e33f38fac90c39bfd0891ba6c83b7689c274a6

SHA256
19e195fa1ee00da266568f2fd5b980341e8e89112100054e86c4d114f5141b50

SHA512
7fbcff779cf97753256faef1d1aeaaddd16a30d21ce4afa16355bfe10d748c2985f465c3ad38da2d3cca4cd504b0e5edd9a023a7a2dfdc54779b41649a9f3e6b

Download Submit
memory/3200-132-0x00000000005C0000-0x000000000070A000-memory.dmp

Filesize
1.3MB

Download
memory/3200-133-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/3296-119-0x0000000000470000-0x000000000051E000-memory.dmp

Filesize
696KB

Download
memory/3296-121-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/3296-120-0x0000000000610000-0x0000000000619000-memory.dmp

Filesize
36KB

Download
memory/4088-127-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/4088-126-0x0000000000470000-0x00000000005BA000-memory.dmp

Filesize
1.3MB

Download
memory/4088-125-0x0000000000707000-0x0000000000710000-memory.dmp

Filesize
36KB

Download
memory/4088-124-0x0000000000707000-0x0000000000710000-memory.dmp

Filesize
36KB

Download
memory/4508-136-0x0000000000758000-0x0000000000761000-memory.dmp

Filesize
36KB

Download
memory/4508-137-0x0000000000758000-0x0000000000761000-memory.dmp

Filesize
36KB

Download
memory/4508-138-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download

Analysis

Sharing