systembc | bbd8d78a0c241948acda56a12e92efcbeaff2b89443c33135113ccd508e646bd

General

Target

bbd8d78a0c241948acda56a12e92efcbeaff2b89443c33135113ccd508e646bd.exe
Size

234KB
MD5

f36c144d3572825d5a4bbe01fc6b2e5f
SHA1

13c0276832e96446fc927cf77b057194a7326cc6
SHA256

bbd8d78a0c241948acda56a12e92efcbeaff2b89443c33135113ccd508e646bd
SHA512

666346ee29abf0caa8314226c421a2ca358d8239ecc59c8e7b5ebe8fdeb2ccb0fab39f528c5bd0042d47dfcf2061e99c36363b10ef905e48f4ad129574ca7181

Score

10^/10

systembc trojan upx

Malware Config

Extracted

Family

systembc

C2

dec15coma.com:4039

dec15coma.xyz:4039

Signatures

SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc
Executes dropped EXE 1 IoCs

Processes:

cgekq.exe

pid process

2444 cgekq.exe

pid	process
2444	cgekq.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\ProgramData\pbvvca\cgekq.exe	upx
C:\ProgramData\pbvvca\cgekq.exe	upx

Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

40 api.ipify.org
39 api.ipify.org
Uses Tor communications 1 TTPs
Malware can proxy its traffic through Tor for more anonymity.

Connection Proxy
T1090

flow	ioc
40	api.ipify.org
39	api.ipify.org

Drops file in Windows directory 2 IoCs

Processes:

bbd8d78a0c241948acda56a12e92efcbeaff2b89443c33135113ccd508e646bd.exe

description	ioc	process
File created	C:\Windows\Tasks\cgekq.job	bbd8d78a0c241948acda56a12e92efcbeaff2b89443c33135113ccd508e646bd.exe
File opened for modification	C:\Windows\Tasks\cgekq.job	bbd8d78a0c241948acda56a12e92efcbeaff2b89443c33135113ccd508e646bd.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3740 2692 WerFault.exe bbd8d78a0c241948acda56a12e92efcbeaff2b89443c33135113ccd508e646bd.exe

pid	pid_target	process	target process
3740	2692	WerFault.exe	bbd8d78a0c241948acda56a12e92efcbeaff2b89443c33135113ccd508e646bd.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

bbd8d78a0c241948acda56a12e92efcbeaff2b89443c33135113ccd508e646bd.exe

pid	process
2692	bbd8d78a0c241948acda56a12e92efcbeaff2b89443c33135113ccd508e646bd.exe
2692	bbd8d78a0c241948acda56a12e92efcbeaff2b89443c33135113ccd508e646bd.exe

C:\Users\Admin\AppData\Local\Temp\bbd8d78a0c241948acda56a12e92efcbeaff2b89443c33135113ccd508e646bd.exe
"C:\Users\Admin\AppData\Local\Temp\bbd8d78a0c241948acda56a12e92efcbeaff2b89443c33135113ccd508e646bd.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:2692

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2692 -s 952
2⤵
- Program crash
PID:3740

C:\ProgramData\pbvvca\cgekq.exe
C:\ProgramData\pbvvca\cgekq.exe start
1⤵
- Executes dropped EXE
PID:2444

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 2692 -ip 2692
1⤵
PID:3672

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Connection Proxy

1

T1090

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Connection Proxy

1

T1090

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\pbvvca\cgekq.exe
MD5
f36c144d3572825d5a4bbe01fc6b2e5f

SHA1
13c0276832e96446fc927cf77b057194a7326cc6

SHA256
bbd8d78a0c241948acda56a12e92efcbeaff2b89443c33135113ccd508e646bd

SHA512
666346ee29abf0caa8314226c421a2ca358d8239ecc59c8e7b5ebe8fdeb2ccb0fab39f528c5bd0042d47dfcf2061e99c36363b10ef905e48f4ad129574ca7181

Download Submit
C:\ProgramData\pbvvca\cgekq.exe
MD5
f36c144d3572825d5a4bbe01fc6b2e5f

SHA1
13c0276832e96446fc927cf77b057194a7326cc6

SHA256
bbd8d78a0c241948acda56a12e92efcbeaff2b89443c33135113ccd508e646bd

SHA512
666346ee29abf0caa8314226c421a2ca358d8239ecc59c8e7b5ebe8fdeb2ccb0fab39f528c5bd0042d47dfcf2061e99c36363b10ef905e48f4ad129574ca7181

Download Submit
memory/2444-140-0x00000000052DD000-0x00000000052E4000-memory.dmp

Filesize
28KB

Download
memory/2444-142-0x0000000000030000-0x0000000000039000-memory.dmp

Filesize
36KB

Download
memory/2444-141-0x00000000052DD000-0x00000000052E4000-memory.dmp

Filesize
28KB

Download
memory/2444-143-0x0000000000400000-0x0000000005163000-memory.dmp

Filesize
77.4MB

Download
memory/2692-134-0x0000000005332000-0x0000000005339000-memory.dmp

Filesize
28KB

Download
memory/2692-135-0x0000000005332000-0x0000000005339000-memory.dmp

Filesize
28KB

Download
memory/2692-136-0x0000000000030000-0x0000000000039000-memory.dmp

Filesize
36KB

Download
memory/2692-137-0x0000000000400000-0x0000000005163000-memory.dmp

Filesize
77.4MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads