systembc | 1e31a6de957adb7a23e155ef8e9f80e67dc763443053e0014fba9e91f4eebc6f

General

Target

1e31a6de957adb7a23e155ef8e9f80e67dc763443053e0014fba9e91f4eebc6f.exe
Size

223KB
MD5

503506554b1cfa84d2301e262beeb1f2
SHA1

7e6ce1ed06bd5962fdde1bebda495d9ecc9b72a9
SHA256

1e31a6de957adb7a23e155ef8e9f80e67dc763443053e0014fba9e91f4eebc6f
SHA512

bf0d9dd29b62a7ec306349a25e0eae234f060a00c81bb16bee04217c9254e66b5de6a9d0b908c8e3fca696b70350066a1e03d6cb0d9250456d005d58b23ddb01

Score

10^/10

systembc suricata trojan

Malware Config

Extracted

Family

systembc

C2

31.44.185.6:4001

31.44.185.11:4001

Signatures

SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc
suricata: ET MALWARE Single char EXE direct download likely trojan (multiple families)
suricata: ET MALWARE Single char EXE direct download likely trojan (multiple families)
suricata
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata
suricata: ET MALWARE Win32/SystemBC CnC Checkin
suricata: ET MALWARE Win32/SystemBC CnC Checkin
suricata
Downloads MZ/PE file
Executes dropped EXE 3 IoCs

Processes:

intbv.exerbqm.exesbtj.exe

pid process

2212 intbv.exe
4048 rbqm.exe
1248 sbtj.exe

pid	process
2212	intbv.exe
4048	rbqm.exe
1248	sbtj.exe

Drops file in Windows directory 5 IoCs

Processes:

intbv.exerbqm.exe1e31a6de957adb7a23e155ef8e9f80e67dc763443053e0014fba9e91f4eebc6f.exe

description	ioc	process
File created	C:\Windows\Tasks\tcgbvdojgrvbvjnjnae.job	intbv.exe
File created	C:\Windows\Tasks\sbtj.job	rbqm.exe
File opened for modification	C:\Windows\Tasks\sbtj.job	rbqm.exe
File created	C:\Windows\Tasks\intbv.job	1e31a6de957adb7a23e155ef8e9f80e67dc763443053e0014fba9e91f4eebc6f.exe
File opened for modification	C:\Windows\Tasks\intbv.job	1e31a6de957adb7a23e155ef8e9f80e67dc763443053e0014fba9e91f4eebc6f.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

1e31a6de957adb7a23e155ef8e9f80e67dc763443053e0014fba9e91f4eebc6f.exerbqm.exe

pid	process
1840	1e31a6de957adb7a23e155ef8e9f80e67dc763443053e0014fba9e91f4eebc6f.exe
1840	1e31a6de957adb7a23e155ef8e9f80e67dc763443053e0014fba9e91f4eebc6f.exe
4048	rbqm.exe
4048	rbqm.exe

C:\Users\Admin\AppData\Local\Temp\1e31a6de957adb7a23e155ef8e9f80e67dc763443053e0014fba9e91f4eebc6f.exe
"C:\Users\Admin\AppData\Local\Temp\1e31a6de957adb7a23e155ef8e9f80e67dc763443053e0014fba9e91f4eebc6f.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:1840

C:\ProgramData\bfgwm\intbv.exe
C:\ProgramData\bfgwm\intbv.exe start
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2212

C:\Windows\TEMP\rbqm.exe
C:\Windows\TEMP\rbqm.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:4048

C:\ProgramData\fujncq\sbtj.exe
C:\ProgramData\fujncq\sbtj.exe start
1⤵
- Executes dropped EXE
PID:1248

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\bfgwm\intbv.exe
MD5
503506554b1cfa84d2301e262beeb1f2

SHA1
7e6ce1ed06bd5962fdde1bebda495d9ecc9b72a9

SHA256
1e31a6de957adb7a23e155ef8e9f80e67dc763443053e0014fba9e91f4eebc6f

SHA512
bf0d9dd29b62a7ec306349a25e0eae234f060a00c81bb16bee04217c9254e66b5de6a9d0b908c8e3fca696b70350066a1e03d6cb0d9250456d005d58b23ddb01

Download Submit
C:\ProgramData\bfgwm\intbv.exe
MD5
503506554b1cfa84d2301e262beeb1f2

SHA1
7e6ce1ed06bd5962fdde1bebda495d9ecc9b72a9

SHA256
1e31a6de957adb7a23e155ef8e9f80e67dc763443053e0014fba9e91f4eebc6f

SHA512
bf0d9dd29b62a7ec306349a25e0eae234f060a00c81bb16bee04217c9254e66b5de6a9d0b908c8e3fca696b70350066a1e03d6cb0d9250456d005d58b23ddb01

Download Submit
C:\ProgramData\fujncq\sbtj.exe
MD5
503506554b1cfa84d2301e262beeb1f2

SHA1
7e6ce1ed06bd5962fdde1bebda495d9ecc9b72a9

SHA256
1e31a6de957adb7a23e155ef8e9f80e67dc763443053e0014fba9e91f4eebc6f

SHA512
bf0d9dd29b62a7ec306349a25e0eae234f060a00c81bb16bee04217c9254e66b5de6a9d0b908c8e3fca696b70350066a1e03d6cb0d9250456d005d58b23ddb01

Download Submit
C:\ProgramData\fujncq\sbtj.exe
MD5
503506554b1cfa84d2301e262beeb1f2

SHA1
7e6ce1ed06bd5962fdde1bebda495d9ecc9b72a9

SHA256
1e31a6de957adb7a23e155ef8e9f80e67dc763443053e0014fba9e91f4eebc6f

SHA512
bf0d9dd29b62a7ec306349a25e0eae234f060a00c81bb16bee04217c9254e66b5de6a9d0b908c8e3fca696b70350066a1e03d6cb0d9250456d005d58b23ddb01

Download Submit
C:\Windows\TEMP\rbqm.exe
MD5
503506554b1cfa84d2301e262beeb1f2

SHA1
7e6ce1ed06bd5962fdde1bebda495d9ecc9b72a9

SHA256
1e31a6de957adb7a23e155ef8e9f80e67dc763443053e0014fba9e91f4eebc6f

SHA512
bf0d9dd29b62a7ec306349a25e0eae234f060a00c81bb16bee04217c9254e66b5de6a9d0b908c8e3fca696b70350066a1e03d6cb0d9250456d005d58b23ddb01

Download Submit
C:\Windows\Tasks\intbv.job
MD5
2f505805720462ce4563d0a0a1d959a2

SHA1
fbb62e7d4cba2718ce129d41700c018d8d8db625

SHA256
9aa0a52e25d765b112f995b81e13a7e12280b211d220183e03f4a7a34b74011f

SHA512
ee538d37d513c2719dda134edc430bf72acb51f00ebfd485ca899d50be09d5f285e54eeca4aa528b496c7f7b211ff4dda7418493d8a0d8607d5afe5ffadf963d

Download Submit
C:\Windows\Temp\rbqm.exe
MD5
503506554b1cfa84d2301e262beeb1f2

SHA1
7e6ce1ed06bd5962fdde1bebda495d9ecc9b72a9

SHA256
1e31a6de957adb7a23e155ef8e9f80e67dc763443053e0014fba9e91f4eebc6f

SHA512
bf0d9dd29b62a7ec306349a25e0eae234f060a00c81bb16bee04217c9254e66b5de6a9d0b908c8e3fca696b70350066a1e03d6cb0d9250456d005d58b23ddb01

Download Submit
memory/1248-137-0x0000000000520000-0x000000000066A000-memory.dmp

Filesize
1.3MB

Download
memory/1248-138-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1840-119-0x0000000000520000-0x000000000066A000-memory.dmp

Filesize
1.3MB

Download
memory/1840-121-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1840-120-0x00000000004D0000-0x00000000004D9000-memory.dmp

Filesize
36KB

Download
memory/2212-127-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2212-126-0x00000000004D0000-0x00000000004D9000-memory.dmp

Filesize
36KB

Download
memory/2212-125-0x0000000000500000-0x000000000064A000-memory.dmp

Filesize
1.3MB

Download
memory/4048-132-0x0000000000480000-0x000000000052E000-memory.dmp

Filesize
696KB

Download
memory/4048-133-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download

Analysis

Sharing