systembc | 4bf2d837a68c2705c50b24c83381fdd039bb3e79ce31fbf06d9e5d603192984e

General

Target

4bf2d837a68c2705c50b24c83381fdd039bb3e79ce31fbf06d9e5d603192984e.exe
Size

284KB
MD5

7f1fec40c35280a72c4863430821e0b5
SHA1

6bc22f20dd9a338224db71dc8856587c48376190
SHA256

4bf2d837a68c2705c50b24c83381fdd039bb3e79ce31fbf06d9e5d603192984e
SHA512

681b745e3fd3aab3ea7c7f65e8bec064a4f067f8dfddae0db7a6a1e58e8fba744cd0846e1b3882d69f16df236e0b064c7cf512ca8c3079f8403ef8374c8b9ca7

Score

10^/10

systembc trojan

Malware Config

Extracted

Family

systembc

C2

advertrex20.xyz:4044

gentexman37.xyz:4044

Signatures

SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc
Executes dropped EXE 1 IoCs

Processes:

qqwgkei.exe

pid process

1776 qqwgkei.exe
Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

5 api.ipify.org
6 api.ipify.org
7 ip4.seeip.org
8 ip4.seeip.org
Uses Tor communications 1 TTPs
Malware can proxy its traffic through Tor for more anonymity.

Connection Proxy
T1090

pid	process
1776	qqwgkei.exe

flow	ioc
5	api.ipify.org
6	api.ipify.org
7	ip4.seeip.org
8	ip4.seeip.org

Drops file in Windows directory 2 IoCs

Processes:

4bf2d837a68c2705c50b24c83381fdd039bb3e79ce31fbf06d9e5d603192984e.exe

description	ioc	process
File created	C:\Windows\Tasks\qqwgkei.job	4bf2d837a68c2705c50b24c83381fdd039bb3e79ce31fbf06d9e5d603192984e.exe
File opened for modification	C:\Windows\Tasks\qqwgkei.job	4bf2d837a68c2705c50b24c83381fdd039bb3e79ce31fbf06d9e5d603192984e.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

4bf2d837a68c2705c50b24c83381fdd039bb3e79ce31fbf06d9e5d603192984e.exe

pid process

1636 4bf2d837a68c2705c50b24c83381fdd039bb3e79ce31fbf06d9e5d603192984e.exe

pid	process
1636	4bf2d837a68c2705c50b24c83381fdd039bb3e79ce31fbf06d9e5d603192984e.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

taskeng.exe

description	pid	process	target process
PID 792 wrote to memory of 1776	792	taskeng.exe	qqwgkei.exe
PID 792 wrote to memory of 1776	792	taskeng.exe	qqwgkei.exe
PID 792 wrote to memory of 1776	792	taskeng.exe	qqwgkei.exe
PID 792 wrote to memory of 1776	792	taskeng.exe	qqwgkei.exe

C:\Users\Admin\AppData\Local\Temp\4bf2d837a68c2705c50b24c83381fdd039bb3e79ce31fbf06d9e5d603192984e.exe
"C:\Users\Admin\AppData\Local\Temp\4bf2d837a68c2705c50b24c83381fdd039bb3e79ce31fbf06d9e5d603192984e.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:1636

C:\Windows\system32\taskeng.exe
taskeng.exe {03ACC417-A1DC-4E68-B783-9198805F0548} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:792

C:\ProgramData\kregact\qqwgkei.exe
C:\ProgramData\kregact\qqwgkei.exe start
2⤵
- Executes dropped EXE
PID:1776

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Connection Proxy

1

T1090

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Connection Proxy

1

T1090

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\kregact\qqwgkei.exe
MD5
7f1fec40c35280a72c4863430821e0b5

SHA1
6bc22f20dd9a338224db71dc8856587c48376190

SHA256
4bf2d837a68c2705c50b24c83381fdd039bb3e79ce31fbf06d9e5d603192984e

SHA512
681b745e3fd3aab3ea7c7f65e8bec064a4f067f8dfddae0db7a6a1e58e8fba744cd0846e1b3882d69f16df236e0b064c7cf512ca8c3079f8403ef8374c8b9ca7

Download Submit
C:\ProgramData\kregact\qqwgkei.exe
MD5
7f1fec40c35280a72c4863430821e0b5

SHA1
6bc22f20dd9a338224db71dc8856587c48376190

SHA256
4bf2d837a68c2705c50b24c83381fdd039bb3e79ce31fbf06d9e5d603192984e

SHA512
681b745e3fd3aab3ea7c7f65e8bec064a4f067f8dfddae0db7a6a1e58e8fba744cd0846e1b3882d69f16df236e0b064c7cf512ca8c3079f8403ef8374c8b9ca7

Download Submit
memory/1636-54-0x0000000000220000-0x0000000000226000-memory.dmp

Filesize
24KB

Download
memory/1636-55-0x0000000000230000-0x0000000000239000-memory.dmp

Filesize
36KB

Download
memory/1636-56-0x0000000076141000-0x0000000076143000-memory.dmp

Filesize
8KB

Download
memory/1636-57-0x0000000000400000-0x00000000046C7000-memory.dmp

Filesize
66.8MB

Download
memory/1776-59-0x0000000000000000-mapping.dmp

Download
memory/1776-62-0x0000000000370000-0x0000000000379000-memory.dmp

Filesize
36KB

Download
memory/1776-63-0x0000000000400000-0x00000000046C7000-memory.dmp

Filesize
66.8MB

Download

Analysis

Sharing