systembc | bad62abd7ad29c3d1379bd06439b3208549ceff63772420104c1b322a4abc810

General

Target

572eb88ef3e508c0556d55b4e7f649bd.exe
Size

237KB
MD5

572eb88ef3e508c0556d55b4e7f649bd
SHA1

a2251c07ea52e9886be15835d45eac41c24af78d
SHA256

bad62abd7ad29c3d1379bd06439b3208549ceff63772420104c1b322a4abc810
SHA512

8f9ed7ae2b94a3a6cb7e70a7192509d5dc8a8d728bedcdd01c2129608edbc0fc5c6b487733de72d54ba7dda438df7887381669466759d3e5bd8a8835b32335e9

Score

10^/10

Family

systembc

C2

31.44.185.6:4001

31.44.185.11:4001

SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc
suricata: ET MALWARE Single char EXE direct download likely trojan (multiple families)
suricata: ET MALWARE Single char EXE direct download likely trojan (multiple families)
suricata
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata
suricata: ET MALWARE Win32/SystemBC CnC Checkin
suricata: ET MALWARE Win32/SystemBC CnC Checkin
suricata
Downloads MZ/PE file
Executes dropped EXE 1 IoCs

Processes:

wueled.exe

pid process

1076 wueled.exe

pid	process
1076	wueled.exe

Drops file in Windows directory 3 IoCs

Processes:

572eb88ef3e508c0556d55b4e7f649bd.exewueled.exe

description	ioc	process
File created	C:\Windows\Tasks\wueled.job	572eb88ef3e508c0556d55b4e7f649bd.exe
File opened for modification	C:\Windows\Tasks\wueled.job	572eb88ef3e508c0556d55b4e7f649bd.exe
File created	C:\Windows\Tasks\igjuwprdfhitvxkmnpc.job	wueled.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2636 2956 WerFault.exe 572eb88ef3e508c0556d55b4e7f649bd.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

572eb88ef3e508c0556d55b4e7f649bd.exe

pid process

2956 572eb88ef3e508c0556d55b4e7f649bd.exe
2956 572eb88ef3e508c0556d55b4e7f649bd.exe

pid	pid_target	process	target process
2636	2956	WerFault.exe	572eb88ef3e508c0556d55b4e7f649bd.exe

pid	process
2956	572eb88ef3e508c0556d55b4e7f649bd.exe
2956	572eb88ef3e508c0556d55b4e7f649bd.exe

C:\Users\Admin\AppData\Local\Temp\572eb88ef3e508c0556d55b4e7f649bd.exe
"C:\Users\Admin\AppData\Local\Temp\572eb88ef3e508c0556d55b4e7f649bd.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:2956
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2956 -s 488
  2⤵
  - Program crash
  PID:2636

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2956 -ip 2956
1⤵
PID:4276

C:\ProgramData\eolwu\wueled.exe

MD5
572eb88ef3e508c0556d55b4e7f649bd

SHA1
a2251c07ea52e9886be15835d45eac41c24af78d

SHA256
bad62abd7ad29c3d1379bd06439b3208549ceff63772420104c1b322a4abc810

SHA512
8f9ed7ae2b94a3a6cb7e70a7192509d5dc8a8d728bedcdd01c2129608edbc0fc5c6b487733de72d54ba7dda438df7887381669466759d3e5bd8a8835b32335e9

Download Submit
C:\ProgramData\eolwu\wueled.exe

MD5
572eb88ef3e508c0556d55b4e7f649bd

SHA1
a2251c07ea52e9886be15835d45eac41c24af78d

SHA256
bad62abd7ad29c3d1379bd06439b3208549ceff63772420104c1b322a4abc810

SHA512
8f9ed7ae2b94a3a6cb7e70a7192509d5dc8a8d728bedcdd01c2129608edbc0fc5c6b487733de72d54ba7dda438df7887381669466759d3e5bd8a8835b32335e9

Download Submit
memory/1076-140-0x00000000006AA000-0x00000000006B3000-memory.dmp

Filesize
36KB

Download
memory/1076-141-0x00000000006AA000-0x00000000006B3000-memory.dmp

Filesize
36KB

Download
memory/1076-143-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1076-142-0x00000000004E0000-0x00000000004E9000-memory.dmp

Filesize
36KB

Download
memory/2956-134-0x000000000083E000-0x0000000000847000-memory.dmp

Filesize
36KB

Download
memory/2956-135-0x000000000083E000-0x0000000000847000-memory.dmp

Filesize
36KB

Download
memory/2956-136-0x00000000005F0000-0x00000000005F9000-memory.dmp

Filesize
36KB

Download
memory/2956-137-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download