systembc | d0f9d46bfa6868d957540a3c89625eda161fe34c9658c9c156be512f2973e149

General

Target

d0f9d46bfa6868d957540a3c89625eda161fe34c9658c9c156be512f2973e149.exe
Size

292KB
MD5

2c640457ce9535dfe46ba275e358cb50
SHA1

5e3b05d9ef93cf757325a4ec4d0fa1b881b2472d
SHA256

d0f9d46bfa6868d957540a3c89625eda161fe34c9658c9c156be512f2973e149
SHA512

a9ef2e06efde9eef6869e7c085eb1612cb1aa76b076d578e73870d75b56e0fd2daa0c03e2f1a3a5ae8c2cff0e9487da4d245b2cf0dd9c8996e15bffd80906a8f

Score

10^/10

systembc suricata trojan

Malware Config

Extracted

Family

systembc

C2

advertrex20.xyz:4044

gentexman37.xyz:4044

Signatures

SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc
suricata: ET MALWARE Observed SystemBC CnC Domain in DNS Query
suricata: ET MALWARE Observed SystemBC CnC Domain in DNS Query
suricata
Executes dropped EXE 1 IoCs

Processes:

eqrcwej.exe

pid process

1924 eqrcwej.exe
Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

7 ip4.seeip.org
8 ip4.seeip.org
5 api.ipify.org
6 api.ipify.org
Uses Tor communications 1 TTPs
Malware can proxy its traffic through Tor for more anonymity.

Connection Proxy
T1090

pid	process
1924	eqrcwej.exe

flow	ioc
7	ip4.seeip.org
8	ip4.seeip.org
5	api.ipify.org
6	api.ipify.org

Drops file in Windows directory 2 IoCs

Processes:

d0f9d46bfa6868d957540a3c89625eda161fe34c9658c9c156be512f2973e149.exe

description	ioc	process
File created	C:\Windows\Tasks\eqrcwej.job	d0f9d46bfa6868d957540a3c89625eda161fe34c9658c9c156be512f2973e149.exe
File opened for modification	C:\Windows\Tasks\eqrcwej.job	d0f9d46bfa6868d957540a3c89625eda161fe34c9658c9c156be512f2973e149.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

d0f9d46bfa6868d957540a3c89625eda161fe34c9658c9c156be512f2973e149.exe

pid process

1304 d0f9d46bfa6868d957540a3c89625eda161fe34c9658c9c156be512f2973e149.exe

pid	process
1304	d0f9d46bfa6868d957540a3c89625eda161fe34c9658c9c156be512f2973e149.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

taskeng.exe

description	pid	process	target process
PID 1660 wrote to memory of 1924	1660	taskeng.exe	eqrcwej.exe
PID 1660 wrote to memory of 1924	1660	taskeng.exe	eqrcwej.exe
PID 1660 wrote to memory of 1924	1660	taskeng.exe	eqrcwej.exe
PID 1660 wrote to memory of 1924	1660	taskeng.exe	eqrcwej.exe

C:\Users\Admin\AppData\Local\Temp\d0f9d46bfa6868d957540a3c89625eda161fe34c9658c9c156be512f2973e149.exe
"C:\Users\Admin\AppData\Local\Temp\d0f9d46bfa6868d957540a3c89625eda161fe34c9658c9c156be512f2973e149.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:1304

C:\Windows\system32\taskeng.exe
taskeng.exe {A0ED2FCF-E1C7-426E-B520-56C824906A61} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:1660

C:\ProgramData\miedbxe\eqrcwej.exe
C:\ProgramData\miedbxe\eqrcwej.exe start
2⤵
- Executes dropped EXE
PID:1924

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Connection Proxy

1

T1090

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Connection Proxy

1

T1090

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\miedbxe\eqrcwej.exe
Filesize
292KB

MD5
2c640457ce9535dfe46ba275e358cb50

SHA1
5e3b05d9ef93cf757325a4ec4d0fa1b881b2472d

SHA256
d0f9d46bfa6868d957540a3c89625eda161fe34c9658c9c156be512f2973e149

SHA512
a9ef2e06efde9eef6869e7c085eb1612cb1aa76b076d578e73870d75b56e0fd2daa0c03e2f1a3a5ae8c2cff0e9487da4d245b2cf0dd9c8996e15bffd80906a8f

Download Submit
C:\ProgramData\miedbxe\eqrcwej.exe
Filesize
292KB

MD5
2c640457ce9535dfe46ba275e358cb50

SHA1
5e3b05d9ef93cf757325a4ec4d0fa1b881b2472d

SHA256
d0f9d46bfa6868d957540a3c89625eda161fe34c9658c9c156be512f2973e149

SHA512
a9ef2e06efde9eef6869e7c085eb1612cb1aa76b076d578e73870d75b56e0fd2daa0c03e2f1a3a5ae8c2cff0e9487da4d245b2cf0dd9c8996e15bffd80906a8f

Download Submit
memory/1304-54-0x0000000075B01000-0x0000000075B03000-memory.dmp

Filesize
8KB

Download
memory/1304-55-0x0000000000220000-0x0000000000226000-memory.dmp

Filesize
24KB

Download
memory/1304-56-0x0000000000230000-0x0000000000239000-memory.dmp

Filesize
36KB

Download
memory/1304-57-0x0000000000400000-0x00000000046C8000-memory.dmp

Filesize
66.8MB

Download
memory/1924-59-0x0000000000000000-mapping.dmp

Download
memory/1924-62-0x0000000000400000-0x00000000046C8000-memory.dmp

Filesize
66.8MB

Download

Analysis

Sharing