systembc | bac4b948f4a8cb9c61c6167c7aa814affe670e527190aacf4f31eace55236d25

General

Target

bac4b948f4a8cb9c61c6167c7aa814affe670e527190aacf4f31eace55236d25.exe
Size

243KB
MD5

15f32b4f39a69e327b285b6cd2dd2cb9
SHA1

49ca0b152b2001febfe89d4ff2bea2f989a9a819
SHA256

bac4b948f4a8cb9c61c6167c7aa814affe670e527190aacf4f31eace55236d25
SHA512

301893a9827946bd478255cc9cbc054c21a422e76bad3f0ded321d264ff14947e1736dd66cedc236a9d82afcd0c2f0c40f5a91d57266ee49acdc6acd14767f84

Score

10^/10

systembc trojan upx

Malware Config

Extracted

Family

systembc

C2

dec15coma.com:4039

dec15coma.xyz:4039

Signatures

SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc
Executes dropped EXE 1 IoCs

Processes:

bmab.exe

pid process

4744 bmab.exe

pid	process
4744	bmab.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\ProgramData\xgku\bmab.exe	upx
C:\ProgramData\xgku\bmab.exe	upx

Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

28 api.ipify.org
29 api.ipify.org
Uses Tor communications 1 TTPs
Malware can proxy its traffic through Tor for more anonymity.

Connection Proxy
T1090

flow	ioc
28	api.ipify.org
29	api.ipify.org

Drops file in Windows directory 2 IoCs

Processes:

bac4b948f4a8cb9c61c6167c7aa814affe670e527190aacf4f31eace55236d25.exe

description	ioc	process
File opened for modification	C:\Windows\Tasks\bmab.job	bac4b948f4a8cb9c61c6167c7aa814affe670e527190aacf4f31eace55236d25.exe
File created	C:\Windows\Tasks\bmab.job	bac4b948f4a8cb9c61c6167c7aa814affe670e527190aacf4f31eace55236d25.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

396 1224 WerFault.exe bac4b948f4a8cb9c61c6167c7aa814affe670e527190aacf4f31eace55236d25.exe

pid	pid_target	process	target process
396	1224	WerFault.exe	bac4b948f4a8cb9c61c6167c7aa814affe670e527190aacf4f31eace55236d25.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

bac4b948f4a8cb9c61c6167c7aa814affe670e527190aacf4f31eace55236d25.exe

pid	process
1224	bac4b948f4a8cb9c61c6167c7aa814affe670e527190aacf4f31eace55236d25.exe
1224	bac4b948f4a8cb9c61c6167c7aa814affe670e527190aacf4f31eace55236d25.exe

C:\Users\Admin\AppData\Local\Temp\bac4b948f4a8cb9c61c6167c7aa814affe670e527190aacf4f31eace55236d25.exe
"C:\Users\Admin\AppData\Local\Temp\bac4b948f4a8cb9c61c6167c7aa814affe670e527190aacf4f31eace55236d25.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:1224
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1224 -s 972
  2⤵
  - Program crash
  PID:396

C:\ProgramData\xgku\bmab.exe
C:\ProgramData\xgku\bmab.exe start
1⤵
- Executes dropped EXE
PID:4744

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 1224 -ip 1224
1⤵
PID:376

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Connection Proxy

1

T1090

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Connection Proxy

1

T1090

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\xgku\bmab.exe

MD5
15f32b4f39a69e327b285b6cd2dd2cb9

SHA1
49ca0b152b2001febfe89d4ff2bea2f989a9a819

SHA256
bac4b948f4a8cb9c61c6167c7aa814affe670e527190aacf4f31eace55236d25

SHA512
301893a9827946bd478255cc9cbc054c21a422e76bad3f0ded321d264ff14947e1736dd66cedc236a9d82afcd0c2f0c40f5a91d57266ee49acdc6acd14767f84

Download Submit
C:\ProgramData\xgku\bmab.exe

MD5
15f32b4f39a69e327b285b6cd2dd2cb9

SHA1
49ca0b152b2001febfe89d4ff2bea2f989a9a819

SHA256
bac4b948f4a8cb9c61c6167c7aa814affe670e527190aacf4f31eace55236d25

SHA512
301893a9827946bd478255cc9cbc054c21a422e76bad3f0ded321d264ff14947e1736dd66cedc236a9d82afcd0c2f0c40f5a91d57266ee49acdc6acd14767f84

Download Submit
memory/1224-130-0x0000000005382000-0x0000000005389000-memory.dmp

Filesize
28KB

Download
memory/1224-131-0x0000000005382000-0x0000000005389000-memory.dmp

Filesize
28KB

Download
memory/1224-132-0x00000000001C0000-0x00000000001C9000-memory.dmp

Filesize
36KB

Download
memory/1224-133-0x0000000000400000-0x000000000516B000-memory.dmp

Filesize
77.4MB

Download
memory/4744-136-0x00000000054FD000-0x0000000005504000-memory.dmp

Filesize
28KB

Download
memory/4744-137-0x00000000054FD000-0x0000000005504000-memory.dmp

Filesize
28KB

Download
memory/4744-138-0x0000000000030000-0x0000000000039000-memory.dmp

Filesize
36KB

Download
memory/4744-139-0x0000000000400000-0x000000000516B000-memory.dmp

Filesize
77.4MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads