systembc | 89fe7c1bbb477cee16d340a65fe5199f1a56199bec22dd8af394aac88dd63565

General

Target

89fe7c1bbb477cee16d340a65fe5199f1a56199bec22dd8af394aac88dd63565.exe
Size

285KB
MD5

ff4d95122ba0a03ff9b3f5b367f96b35
SHA1

131e0b509ef92ba9ab6eeebd1e1571bbbe6a1cf2
SHA256

89fe7c1bbb477cee16d340a65fe5199f1a56199bec22dd8af394aac88dd63565
SHA512

215285c7c8d8d77be59469c28a31ef1e1536867e3a24e2470b7acb34253f5f555ca2230c1f78fd16da68fad7e587edbac47b8d2588ffde0513a506dce3fe1cfb

Score

10^/10

systembc suricata trojan

Malware Config

Extracted

Family

systembc

C2

advertrex20.xyz:4044

gentexman37.xyz:4044

Signatures

SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc
suricata: ET MALWARE Observed SystemBC CnC Domain in DNS Query
suricata: ET MALWARE Observed SystemBC CnC Domain in DNS Query
suricata
Executes dropped EXE 1 IoCs

Processes:

dmssq.exe

pid process

1632 dmssq.exe
Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

5 api.ipify.org
6 api.ipify.org
7 ip4.seeip.org
8 ip4.seeip.org
Uses Tor communications 1 TTPs
Malware can proxy its traffic through Tor for more anonymity.

Connection Proxy
T1090

pid	process
1632	dmssq.exe

flow	ioc
5	api.ipify.org
6	api.ipify.org
7	ip4.seeip.org
8	ip4.seeip.org

Drops file in Windows directory 2 IoCs

Processes:

89fe7c1bbb477cee16d340a65fe5199f1a56199bec22dd8af394aac88dd63565.exe

description	ioc	process
File created	C:\Windows\Tasks\dmssq.job	89fe7c1bbb477cee16d340a65fe5199f1a56199bec22dd8af394aac88dd63565.exe
File opened for modification	C:\Windows\Tasks\dmssq.job	89fe7c1bbb477cee16d340a65fe5199f1a56199bec22dd8af394aac88dd63565.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

89fe7c1bbb477cee16d340a65fe5199f1a56199bec22dd8af394aac88dd63565.exe

pid process

960 89fe7c1bbb477cee16d340a65fe5199f1a56199bec22dd8af394aac88dd63565.exe

pid	process
960	89fe7c1bbb477cee16d340a65fe5199f1a56199bec22dd8af394aac88dd63565.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

taskeng.exe

description	pid	process	target process
PID 1764 wrote to memory of 1632	1764	taskeng.exe	dmssq.exe
PID 1764 wrote to memory of 1632	1764	taskeng.exe	dmssq.exe
PID 1764 wrote to memory of 1632	1764	taskeng.exe	dmssq.exe
PID 1764 wrote to memory of 1632	1764	taskeng.exe	dmssq.exe

C:\Users\Admin\AppData\Local\Temp\89fe7c1bbb477cee16d340a65fe5199f1a56199bec22dd8af394aac88dd63565.exe
"C:\Users\Admin\AppData\Local\Temp\89fe7c1bbb477cee16d340a65fe5199f1a56199bec22dd8af394aac88dd63565.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:960

C:\Windows\system32\taskeng.exe
taskeng.exe {7AE4EFDD-3A6F-45AC-A18B-DEF1C58E3CDB} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:1764
- C:\ProgramData\bslxe\dmssq.exe
  C:\ProgramData\bslxe\dmssq.exe start
  2⤵
  - Executes dropped EXE
  PID:1632

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Connection Proxy

1

T1090

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Connection Proxy

1

T1090

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\bslxe\dmssq.exe

MD5
ff4d95122ba0a03ff9b3f5b367f96b35

SHA1
131e0b509ef92ba9ab6eeebd1e1571bbbe6a1cf2

SHA256
89fe7c1bbb477cee16d340a65fe5199f1a56199bec22dd8af394aac88dd63565

SHA512
215285c7c8d8d77be59469c28a31ef1e1536867e3a24e2470b7acb34253f5f555ca2230c1f78fd16da68fad7e587edbac47b8d2588ffde0513a506dce3fe1cfb

Download Submit
C:\ProgramData\bslxe\dmssq.exe

MD5
ff4d95122ba0a03ff9b3f5b367f96b35

SHA1
131e0b509ef92ba9ab6eeebd1e1571bbbe6a1cf2

SHA256
89fe7c1bbb477cee16d340a65fe5199f1a56199bec22dd8af394aac88dd63565

SHA512
215285c7c8d8d77be59469c28a31ef1e1536867e3a24e2470b7acb34253f5f555ca2230c1f78fd16da68fad7e587edbac47b8d2588ffde0513a506dce3fe1cfb

Download Submit
memory/960-54-0x0000000076861000-0x0000000076863000-memory.dmp

Filesize
8KB

Download
memory/960-55-0x00000000001B0000-0x00000000001B6000-memory.dmp

Filesize
24KB

Download
memory/960-56-0x00000000001C0000-0x00000000001C9000-memory.dmp

Filesize
36KB

Download
memory/960-57-0x0000000000400000-0x00000000046C7000-memory.dmp

Filesize
66.8MB

Download
memory/1632-59-0x0000000000000000-mapping.dmp

Download
memory/1632-62-0x0000000000400000-0x00000000046C7000-memory.dmp

Filesize
66.8MB

Download

Analysis

Sharing