systembc | 3fa6ec8527cec4045940e5d3fdaa518b23fd38f5d11645ee72e618d992b2bbb4

General

Target

3fa6ec8527cec4045940e5d3fdaa518b23fd38f5d11645ee72e618d992b2bbb4.exe
Size

292KB
MD5

ab30424e59121773bcf6907da3676128
SHA1

94678f7fa6ea216e695bc19ff07f726122ebac68
SHA256

3fa6ec8527cec4045940e5d3fdaa518b23fd38f5d11645ee72e618d992b2bbb4
SHA512

0d19a610c2e465aff97ce0c3548dbc56baf7f5460d5bb950fc36274cd69fe83c6ab46464d4f57561d8186dfa98fae00ec9984669e7066a00ef4d4221c9a397ac

Score

10^/10

systembc trojan

Malware Config

Extracted

Family

systembc

C2

advertrex20.xyz:4044

gentexman37.xyz:4044

Signatures

SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc
Executes dropped EXE 1 IoCs

Processes:

quqj.exe

pid process

4224 quqj.exe
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

35 api.ipify.org
36 api.ipify.org
Uses Tor communications 1 TTPs
Malware can proxy its traffic through Tor for more anonymity.

Connection Proxy
T1090

pid	process
4224	quqj.exe

flow	ioc
35	api.ipify.org
36	api.ipify.org

Drops file in Windows directory 2 IoCs

Processes:

3fa6ec8527cec4045940e5d3fdaa518b23fd38f5d11645ee72e618d992b2bbb4.exe

description	ioc	process
File created	C:\Windows\Tasks\quqj.job	3fa6ec8527cec4045940e5d3fdaa518b23fd38f5d11645ee72e618d992b2bbb4.exe
File opened for modification	C:\Windows\Tasks\quqj.job	3fa6ec8527cec4045940e5d3fdaa518b23fd38f5d11645ee72e618d992b2bbb4.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3472 2708 WerFault.exe 3fa6ec8527cec4045940e5d3fdaa518b23fd38f5d11645ee72e618d992b2bbb4.exe

pid	pid_target	process	target process
3472	2708	WerFault.exe	3fa6ec8527cec4045940e5d3fdaa518b23fd38f5d11645ee72e618d992b2bbb4.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

3fa6ec8527cec4045940e5d3fdaa518b23fd38f5d11645ee72e618d992b2bbb4.exe

pid	process
2708	3fa6ec8527cec4045940e5d3fdaa518b23fd38f5d11645ee72e618d992b2bbb4.exe
2708	3fa6ec8527cec4045940e5d3fdaa518b23fd38f5d11645ee72e618d992b2bbb4.exe

C:\Users\Admin\AppData\Local\Temp\3fa6ec8527cec4045940e5d3fdaa518b23fd38f5d11645ee72e618d992b2bbb4.exe
"C:\Users\Admin\AppData\Local\Temp\3fa6ec8527cec4045940e5d3fdaa518b23fd38f5d11645ee72e618d992b2bbb4.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:2708
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2708 -s 952
  2⤵
  - Program crash
  PID:3472

C:\ProgramData\uuviucn\quqj.exe
C:\ProgramData\uuviucn\quqj.exe start
1⤵
- Executes dropped EXE
PID:4224

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 2708 -ip 2708
1⤵
PID:4044

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Connection Proxy

1

T1090

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Connection Proxy

1

T1090

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\uuviucn\quqj.exe

Filesize
292KB

MD5
ab30424e59121773bcf6907da3676128

SHA1
94678f7fa6ea216e695bc19ff07f726122ebac68

SHA256
3fa6ec8527cec4045940e5d3fdaa518b23fd38f5d11645ee72e618d992b2bbb4

SHA512
0d19a610c2e465aff97ce0c3548dbc56baf7f5460d5bb950fc36274cd69fe83c6ab46464d4f57561d8186dfa98fae00ec9984669e7066a00ef4d4221c9a397ac

Download Submit
C:\ProgramData\uuviucn\quqj.exe

Filesize
292KB

MD5
ab30424e59121773bcf6907da3676128

SHA1
94678f7fa6ea216e695bc19ff07f726122ebac68

SHA256
3fa6ec8527cec4045940e5d3fdaa518b23fd38f5d11645ee72e618d992b2bbb4

SHA512
0d19a610c2e465aff97ce0c3548dbc56baf7f5460d5bb950fc36274cd69fe83c6ab46464d4f57561d8186dfa98fae00ec9984669e7066a00ef4d4221c9a397ac

Download Submit
memory/2708-130-0x0000000006400000-0x0000000006406000-memory.dmp

Filesize
24KB

Download
memory/2708-131-0x0000000006410000-0x0000000006419000-memory.dmp

Filesize
36KB

Download
memory/2708-132-0x0000000000400000-0x00000000046C8000-memory.dmp

Filesize
66.8MB

Download
memory/4224-135-0x0000000004F90000-0x0000000004F99000-memory.dmp

Filesize
36KB

Download
memory/4224-136-0x0000000000400000-0x00000000046C8000-memory.dmp

Filesize
66.8MB

Download

Analysis

Sharing