systembc | 6cbce4db4d81c67bdf8a077e493fe2ac29c07774baa33def3389c139ddef5e42

Analysis

max time kernel
163s
max time network
180s
platform
windows10-2004_x64
resource
win10v2004-20220310-en
submitted
25-03-2022 00:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6cbce4db4d81c67bdf8a077e493fe2ac29c07774baa33def3389c139ddef5e42.exe
Size

276KB
MD5

822285256eafa07724fd29f8e85c759e
SHA1

5da5dc2c1be087ce6046f6903a6c773b28a3b6cf
SHA256

6cbce4db4d81c67bdf8a077e493fe2ac29c07774baa33def3389c139ddef5e42
SHA512

4d93d7250dc210fff4d54802253d98f5f868f4a273b0a83207a77617657c2ccc7748c9b6743096c7a9bffa9a24221f014d83986f2b6e7751754bf090b4a6a9a0

Score

10^/10

systembc trojan

Malware Config

Extracted

Family

systembc

advertrex20.xyz:4044

gentexman37.xyz:4044

Signatures

SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc
Executes dropped EXE 1 IoCs

Processes:

ggujud.exe

pid process

4208 ggujud.exe
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

60 api.ipify.org
61 api.ipify.org
Uses Tor communications 1 TTPs
Malware can proxy its traffic through Tor for more anonymity.

Connection Proxy
T1090

pid	process
4208	ggujud.exe

flow	ioc
60	api.ipify.org
61	api.ipify.org

Drops file in Windows directory 2 IoCs

Processes:

6cbce4db4d81c67bdf8a077e493fe2ac29c07774baa33def3389c139ddef5e42.exe

description	ioc	process
File created	C:\Windows\Tasks\ggujud.job	6cbce4db4d81c67bdf8a077e493fe2ac29c07774baa33def3389c139ddef5e42.exe
File opened for modification	C:\Windows\Tasks\ggujud.job	6cbce4db4d81c67bdf8a077e493fe2ac29c07774baa33def3389c139ddef5e42.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

6cbce4db4d81c67bdf8a077e493fe2ac29c07774baa33def3389c139ddef5e42.exe

pid	process
2648	6cbce4db4d81c67bdf8a077e493fe2ac29c07774baa33def3389c139ddef5e42.exe
2648	6cbce4db4d81c67bdf8a077e493fe2ac29c07774baa33def3389c139ddef5e42.exe

C:\Users\Admin\AppData\Local\Temp\6cbce4db4d81c67bdf8a077e493fe2ac29c07774baa33def3389c139ddef5e42.exe
"C:\Users\Admin\AppData\Local\Temp\6cbce4db4d81c67bdf8a077e493fe2ac29c07774baa33def3389c139ddef5e42.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:2648

C:\ProgramData\vhrfoc\ggujud.exe
C:\ProgramData\vhrfoc\ggujud.exe start
1⤵
- Executes dropped EXE
PID:4208

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Connection Proxy

T1090

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Connection Proxy

T1090

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\vhrfoc\ggujud.exe
MD5
822285256eafa07724fd29f8e85c759e

SHA1
5da5dc2c1be087ce6046f6903a6c773b28a3b6cf

SHA256
6cbce4db4d81c67bdf8a077e493fe2ac29c07774baa33def3389c139ddef5e42

SHA512
4d93d7250dc210fff4d54802253d98f5f868f4a273b0a83207a77617657c2ccc7748c9b6743096c7a9bffa9a24221f014d83986f2b6e7751754bf090b4a6a9a0

Download Submit
C:\ProgramData\vhrfoc\ggujud.exe
MD5
822285256eafa07724fd29f8e85c759e

SHA1
5da5dc2c1be087ce6046f6903a6c773b28a3b6cf

SHA256
6cbce4db4d81c67bdf8a077e493fe2ac29c07774baa33def3389c139ddef5e42

SHA512
4d93d7250dc210fff4d54802253d98f5f868f4a273b0a83207a77617657c2ccc7748c9b6743096c7a9bffa9a24221f014d83986f2b6e7751754bf090b4a6a9a0

Download Submit
memory/2648-134-0x0000000004790000-0x0000000004796000-memory.dmp

Filesize
24KB

Download
memory/2648-135-0x00000000047A0000-0x00000000047A9000-memory.dmp

Filesize
36KB

Download
memory/2648-136-0x0000000000400000-0x00000000046C4000-memory.dmp

Filesize
66.8MB

Download
memory/4208-140-0x00000000001C0000-0x00000000001C9000-memory.dmp

Filesize
36KB

Download
memory/4208-139-0x0000000004810000-0x0000000004816000-memory.dmp

Filesize
24KB

Download
memory/4208-141-0x0000000000400000-0x00000000046C4000-memory.dmp

Filesize
66.8MB

Download