systembc | 4bf2d837a68c2705c50b24c83381fdd039bb3e79ce31fbf06d9e5d603192984e

General

Target

4bf2d837a68c2705c50b24c83381fdd039bb3e79ce31fbf06d9e5d603192984e.exe
Size

284KB
MD5

7f1fec40c35280a72c4863430821e0b5
SHA1

6bc22f20dd9a338224db71dc8856587c48376190
SHA256

4bf2d837a68c2705c50b24c83381fdd039bb3e79ce31fbf06d9e5d603192984e
SHA512

681b745e3fd3aab3ea7c7f65e8bec064a4f067f8dfddae0db7a6a1e58e8fba744cd0846e1b3882d69f16df236e0b064c7cf512ca8c3079f8403ef8374c8b9ca7

Score

10^/10

systembc trojan

Malware Config

Extracted

Family

systembc

C2

advertrex20.xyz:4044

gentexman37.xyz:4044

Signatures

SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc
Executes dropped EXE 1 IoCs

Processes:

jsvlbp.exe

pid process

3400 jsvlbp.exe
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

30 api.ipify.org
31 api.ipify.org
Uses Tor communications 1 TTPs
Malware can proxy its traffic through Tor for more anonymity.

Connection Proxy
T1090

pid	process
3400	jsvlbp.exe

flow	ioc
30	api.ipify.org
31	api.ipify.org

Drops file in Windows directory 2 IoCs

Processes:

4bf2d837a68c2705c50b24c83381fdd039bb3e79ce31fbf06d9e5d603192984e.exe

description	ioc	process
File opened for modification	C:\Windows\Tasks\jsvlbp.job	4bf2d837a68c2705c50b24c83381fdd039bb3e79ce31fbf06d9e5d603192984e.exe
File created	C:\Windows\Tasks\jsvlbp.job	4bf2d837a68c2705c50b24c83381fdd039bb3e79ce31fbf06d9e5d603192984e.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2264 548 WerFault.exe 4bf2d837a68c2705c50b24c83381fdd039bb3e79ce31fbf06d9e5d603192984e.exe

pid	pid_target	process	target process
2264	548	WerFault.exe	4bf2d837a68c2705c50b24c83381fdd039bb3e79ce31fbf06d9e5d603192984e.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

4bf2d837a68c2705c50b24c83381fdd039bb3e79ce31fbf06d9e5d603192984e.exe

pid	process
548	4bf2d837a68c2705c50b24c83381fdd039bb3e79ce31fbf06d9e5d603192984e.exe
548	4bf2d837a68c2705c50b24c83381fdd039bb3e79ce31fbf06d9e5d603192984e.exe

C:\Users\Admin\AppData\Local\Temp\4bf2d837a68c2705c50b24c83381fdd039bb3e79ce31fbf06d9e5d603192984e.exe
"C:\Users\Admin\AppData\Local\Temp\4bf2d837a68c2705c50b24c83381fdd039bb3e79ce31fbf06d9e5d603192984e.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:548
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 548 -s 948
  2⤵
  - Program crash
  PID:2264

C:\ProgramData\qfrtrom\jsvlbp.exe
C:\ProgramData\qfrtrom\jsvlbp.exe start
1⤵
- Executes dropped EXE
PID:3400

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 548 -ip 548
1⤵
PID:4172

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Connection Proxy

1

T1090

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Connection Proxy

1

T1090

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\qfrtrom\jsvlbp.exe

MD5
7f1fec40c35280a72c4863430821e0b5

SHA1
6bc22f20dd9a338224db71dc8856587c48376190

SHA256
4bf2d837a68c2705c50b24c83381fdd039bb3e79ce31fbf06d9e5d603192984e

SHA512
681b745e3fd3aab3ea7c7f65e8bec064a4f067f8dfddae0db7a6a1e58e8fba744cd0846e1b3882d69f16df236e0b064c7cf512ca8c3079f8403ef8374c8b9ca7

Download Submit
C:\ProgramData\qfrtrom\jsvlbp.exe

MD5
7f1fec40c35280a72c4863430821e0b5

SHA1
6bc22f20dd9a338224db71dc8856587c48376190

SHA256
4bf2d837a68c2705c50b24c83381fdd039bb3e79ce31fbf06d9e5d603192984e

SHA512
681b745e3fd3aab3ea7c7f65e8bec064a4f067f8dfddae0db7a6a1e58e8fba744cd0846e1b3882d69f16df236e0b064c7cf512ca8c3079f8403ef8374c8b9ca7

Download Submit
memory/548-130-0x0000000004840000-0x0000000004846000-memory.dmp

Filesize
24KB

Download
memory/548-131-0x0000000004850000-0x0000000004859000-memory.dmp

Filesize
36KB

Download
memory/548-132-0x0000000000400000-0x00000000046C7000-memory.dmp

Filesize
66.8MB

Download
memory/3400-135-0x0000000000400000-0x00000000046C7000-memory.dmp

Filesize
66.8MB

Download

Analysis

Sharing