systembc | 579fdf145dec44a51211741a223271c8569de00a212f774afda5c4773273efcd

General

Target

579fdf145dec44a51211741a223271c8569de00a212f774afda5c4773273efcd.exe
Size

224KB
MD5

38dee7a6c89ad17fe74b9c38bc58d9a8
SHA1

f80b592e4bc3bf5a6224ceb3589a18d2d1ddbb27
SHA256

579fdf145dec44a51211741a223271c8569de00a212f774afda5c4773273efcd
SHA512

ed939761ddcc794cac9d6b8a949fa6d4515544abbb4e41d352eef5791aeb0e9449caf7a26238d2ee738ee416aab4b6fb78d04dd36656b51134ccd67b62f3d815

Score

10^/10

systembc suricata trojan

Malware Config

Extracted

Family

systembc

C2

31.44.185.6:4001

31.44.185.11:4001

Signatures

SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc
suricata: ET MALWARE Single char EXE direct download likely trojan (multiple families)
suricata: ET MALWARE Single char EXE direct download likely trojan (multiple families)
suricata
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata
suricata: ET MALWARE Win32/SystemBC CnC Checkin
suricata: ET MALWARE Win32/SystemBC CnC Checkin
suricata
Downloads MZ/PE file
Executes dropped EXE 3 IoCs

Processes:

estshbb.exeuihcg.exeektbuo.exe

pid process

1556 estshbb.exe
3848 uihcg.exe
3920 ektbuo.exe
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

7 api.ipify.org
8 api.ipify.org
9 api.ipify.org

pid	process
1556	estshbb.exe
3848	uihcg.exe
3920	ektbuo.exe

flow	ioc
7	api.ipify.org
8	api.ipify.org
9	api.ipify.org

Drops file in Windows directory 5 IoCs

Processes:

uihcg.exe579fdf145dec44a51211741a223271c8569de00a212f774afda5c4773273efcd.exeestshbb.exe

description	ioc	process
File opened for modification	C:\Windows\Tasks\ektbuo.job	uihcg.exe
File created	C:\Windows\Tasks\estshbb.job	579fdf145dec44a51211741a223271c8569de00a212f774afda5c4773273efcd.exe
File opened for modification	C:\Windows\Tasks\estshbb.job	579fdf145dec44a51211741a223271c8569de00a212f774afda5c4773273efcd.exe
File created	C:\Windows\Tasks\tnqaxhuedlaihpemltj.job	estshbb.exe
File created	C:\Windows\Tasks\ektbuo.job	uihcg.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

579fdf145dec44a51211741a223271c8569de00a212f774afda5c4773273efcd.exeuihcg.exe

pid	process
4008	579fdf145dec44a51211741a223271c8569de00a212f774afda5c4773273efcd.exe
4008	579fdf145dec44a51211741a223271c8569de00a212f774afda5c4773273efcd.exe
3848	uihcg.exe
3848	uihcg.exe

C:\Users\Admin\AppData\Local\Temp\579fdf145dec44a51211741a223271c8569de00a212f774afda5c4773273efcd.exe
"C:\Users\Admin\AppData\Local\Temp\579fdf145dec44a51211741a223271c8569de00a212f774afda5c4773273efcd.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:4008

C:\ProgramData\clofc\estshbb.exe
C:\ProgramData\clofc\estshbb.exe start
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1556

C:\Windows\TEMP\uihcg.exe
C:\Windows\TEMP\uihcg.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:3848

C:\ProgramData\qnggftw\ektbuo.exe
C:\ProgramData\qnggftw\ektbuo.exe start
1⤵
- Executes dropped EXE
PID:3920

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\clofc\estshbb.exe

MD5
38dee7a6c89ad17fe74b9c38bc58d9a8

SHA1
f80b592e4bc3bf5a6224ceb3589a18d2d1ddbb27

SHA256
579fdf145dec44a51211741a223271c8569de00a212f774afda5c4773273efcd

SHA512
ed939761ddcc794cac9d6b8a949fa6d4515544abbb4e41d352eef5791aeb0e9449caf7a26238d2ee738ee416aab4b6fb78d04dd36656b51134ccd67b62f3d815

Download Submit
C:\ProgramData\clofc\estshbb.exe

MD5
38dee7a6c89ad17fe74b9c38bc58d9a8

SHA1
f80b592e4bc3bf5a6224ceb3589a18d2d1ddbb27

SHA256
579fdf145dec44a51211741a223271c8569de00a212f774afda5c4773273efcd

SHA512
ed939761ddcc794cac9d6b8a949fa6d4515544abbb4e41d352eef5791aeb0e9449caf7a26238d2ee738ee416aab4b6fb78d04dd36656b51134ccd67b62f3d815

Download Submit
C:\ProgramData\qnggftw\ektbuo.exe

MD5
38dee7a6c89ad17fe74b9c38bc58d9a8

SHA1
f80b592e4bc3bf5a6224ceb3589a18d2d1ddbb27

SHA256
579fdf145dec44a51211741a223271c8569de00a212f774afda5c4773273efcd

SHA512
ed939761ddcc794cac9d6b8a949fa6d4515544abbb4e41d352eef5791aeb0e9449caf7a26238d2ee738ee416aab4b6fb78d04dd36656b51134ccd67b62f3d815

Download Submit
C:\ProgramData\qnggftw\ektbuo.exe

MD5
38dee7a6c89ad17fe74b9c38bc58d9a8

SHA1
f80b592e4bc3bf5a6224ceb3589a18d2d1ddbb27

SHA256
579fdf145dec44a51211741a223271c8569de00a212f774afda5c4773273efcd

SHA512
ed939761ddcc794cac9d6b8a949fa6d4515544abbb4e41d352eef5791aeb0e9449caf7a26238d2ee738ee416aab4b6fb78d04dd36656b51134ccd67b62f3d815

Download Submit
C:\Windows\TEMP\uihcg.exe

MD5
38dee7a6c89ad17fe74b9c38bc58d9a8

SHA1
f80b592e4bc3bf5a6224ceb3589a18d2d1ddbb27

SHA256
579fdf145dec44a51211741a223271c8569de00a212f774afda5c4773273efcd

SHA512
ed939761ddcc794cac9d6b8a949fa6d4515544abbb4e41d352eef5791aeb0e9449caf7a26238d2ee738ee416aab4b6fb78d04dd36656b51134ccd67b62f3d815

Download Submit
C:\Windows\Tasks\estshbb.job

MD5
9ee65c4b552c4dc8d7d38a460e9aaa21

SHA1
c7e7c7a1b00adb8ea7d53fba75f9c4d68e2a9f95

SHA256
a9a072d3d374ddcfb8df76802cd35b82121d97a50ae999e66e1bf82294dd6c5f

SHA512
7caa299a8c8223b618beab4170058559ab83c8c9718216bd6ff294ec78ae1ac10e413e0168145db8d345f087623834bf404475e4ae6c4f77bb0bee850eb0af98

Download Submit
C:\Windows\Temp\uihcg.exe

MD5
38dee7a6c89ad17fe74b9c38bc58d9a8

SHA1
f80b592e4bc3bf5a6224ceb3589a18d2d1ddbb27

SHA256
579fdf145dec44a51211741a223271c8569de00a212f774afda5c4773273efcd

SHA512
ed939761ddcc794cac9d6b8a949fa6d4515544abbb4e41d352eef5791aeb0e9449caf7a26238d2ee738ee416aab4b6fb78d04dd36656b51134ccd67b62f3d815

Download Submit
memory/1556-123-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1556-122-0x00000000004D0000-0x00000000004D9000-memory.dmp

Filesize
36KB

Download
memory/1556-121-0x0000000000520000-0x000000000066A000-memory.dmp

Filesize
1.3MB

Download
memory/3848-128-0x00000000004D0000-0x000000000057E000-memory.dmp

Filesize
696KB

Download
memory/3848-129-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/3920-133-0x00000000004E0000-0x000000000058E000-memory.dmp

Filesize
696KB

Download
memory/3920-134-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4008-115-0x00000000005A0000-0x00000000006EA000-memory.dmp

Filesize
1.3MB

Download
memory/4008-117-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4008-116-0x00000000008B0000-0x00000000008B9000-memory.dmp

Filesize
36KB

Download

Analysis

Sharing