systembc | 5b3bfabc1a7a0ae3ffa378c4eea625cd4c77cbdc5cc9ed418f888af9be92f792

General

Target

5b3bfabc1a7a0ae3ffa378c4eea625cd4c77cbdc5cc9ed418f888af9be92f792.exe
Size

230KB
MD5

51f607442fbf580ed8292dfcdfa5737c
SHA1

d34bbbae67b70c92791662b28e7518e0b72a7727
SHA256

5b3bfabc1a7a0ae3ffa378c4eea625cd4c77cbdc5cc9ed418f888af9be92f792
SHA512

282ccc2afcac56077aaace23ae8ad225ae464f7db2f22d9a37372f827ca5ea58289e5792ff32aba5909c82d93a6e751dba317694722c808d4e559cb5a43a1c8c

Score

10^/10

systembc suricata trojan

Malware Config

Extracted

Family

systembc

C2

31.44.185.6:4001

31.44.185.11:4001

Signatures

SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc
suricata: ET MALWARE Single char EXE direct download likely trojan (multiple families)
suricata: ET MALWARE Single char EXE direct download likely trojan (multiple families)
suricata
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata
suricata: ET MALWARE Win32/SystemBC CnC Checkin
suricata: ET MALWARE Win32/SystemBC CnC Checkin
suricata
Downloads MZ/PE file
Executes dropped EXE 3 IoCs

Processes:

fjqjgdk.exegavm.exeprwfo.exe

pid process

2468 fjqjgdk.exe
3880 gavm.exe
3800 prwfo.exe

pid	process
2468	fjqjgdk.exe
3880	gavm.exe
3800	prwfo.exe

Drops file in Windows directory 5 IoCs

Processes:

5b3bfabc1a7a0ae3ffa378c4eea625cd4c77cbdc5cc9ed418f888af9be92f792.exefjqjgdk.exegavm.exe

description	ioc	process
File created	C:\Windows\Tasks\fjqjgdk.job	5b3bfabc1a7a0ae3ffa378c4eea625cd4c77cbdc5cc9ed418f888af9be92f792.exe
File opened for modification	C:\Windows\Tasks\fjqjgdk.job	5b3bfabc1a7a0ae3ffa378c4eea625cd4c77cbdc5cc9ed418f888af9be92f792.exe
File created	C:\Windows\Tasks\enebsiixbvaolfkrdqj.job	fjqjgdk.exe
File created	C:\Windows\Tasks\prwfo.job	gavm.exe
File opened for modification	C:\Windows\Tasks\prwfo.job	gavm.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

5b3bfabc1a7a0ae3ffa378c4eea625cd4c77cbdc5cc9ed418f888af9be92f792.exegavm.exe

pid	process
1576	5b3bfabc1a7a0ae3ffa378c4eea625cd4c77cbdc5cc9ed418f888af9be92f792.exe
1576	5b3bfabc1a7a0ae3ffa378c4eea625cd4c77cbdc5cc9ed418f888af9be92f792.exe
3880	gavm.exe
3880	gavm.exe

C:\Users\Admin\AppData\Local\Temp\5b3bfabc1a7a0ae3ffa378c4eea625cd4c77cbdc5cc9ed418f888af9be92f792.exe
"C:\Users\Admin\AppData\Local\Temp\5b3bfabc1a7a0ae3ffa378c4eea625cd4c77cbdc5cc9ed418f888af9be92f792.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:1576

C:\ProgramData\nbjn\fjqjgdk.exe
C:\ProgramData\nbjn\fjqjgdk.exe start
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2468

C:\Windows\TEMP\gavm.exe
C:\Windows\TEMP\gavm.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:3880

C:\ProgramData\qaokiq\prwfo.exe
C:\ProgramData\qaokiq\prwfo.exe start
1⤵
- Executes dropped EXE
PID:3800

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\nbjn\fjqjgdk.exe

MD5
51f607442fbf580ed8292dfcdfa5737c

SHA1
d34bbbae67b70c92791662b28e7518e0b72a7727

SHA256
5b3bfabc1a7a0ae3ffa378c4eea625cd4c77cbdc5cc9ed418f888af9be92f792

SHA512
282ccc2afcac56077aaace23ae8ad225ae464f7db2f22d9a37372f827ca5ea58289e5792ff32aba5909c82d93a6e751dba317694722c808d4e559cb5a43a1c8c

Download Submit
C:\ProgramData\nbjn\fjqjgdk.exe

MD5
51f607442fbf580ed8292dfcdfa5737c

SHA1
d34bbbae67b70c92791662b28e7518e0b72a7727

SHA256
5b3bfabc1a7a0ae3ffa378c4eea625cd4c77cbdc5cc9ed418f888af9be92f792

SHA512
282ccc2afcac56077aaace23ae8ad225ae464f7db2f22d9a37372f827ca5ea58289e5792ff32aba5909c82d93a6e751dba317694722c808d4e559cb5a43a1c8c

Download Submit
C:\ProgramData\qaokiq\prwfo.exe

MD5
51f607442fbf580ed8292dfcdfa5737c

SHA1
d34bbbae67b70c92791662b28e7518e0b72a7727

SHA256
5b3bfabc1a7a0ae3ffa378c4eea625cd4c77cbdc5cc9ed418f888af9be92f792

SHA512
282ccc2afcac56077aaace23ae8ad225ae464f7db2f22d9a37372f827ca5ea58289e5792ff32aba5909c82d93a6e751dba317694722c808d4e559cb5a43a1c8c

Download Submit
C:\ProgramData\qaokiq\prwfo.exe

MD5
51f607442fbf580ed8292dfcdfa5737c

SHA1
d34bbbae67b70c92791662b28e7518e0b72a7727

SHA256
5b3bfabc1a7a0ae3ffa378c4eea625cd4c77cbdc5cc9ed418f888af9be92f792

SHA512
282ccc2afcac56077aaace23ae8ad225ae464f7db2f22d9a37372f827ca5ea58289e5792ff32aba5909c82d93a6e751dba317694722c808d4e559cb5a43a1c8c

Download Submit
C:\Windows\TEMP\gavm.exe

MD5
51f607442fbf580ed8292dfcdfa5737c

SHA1
d34bbbae67b70c92791662b28e7518e0b72a7727

SHA256
5b3bfabc1a7a0ae3ffa378c4eea625cd4c77cbdc5cc9ed418f888af9be92f792

SHA512
282ccc2afcac56077aaace23ae8ad225ae464f7db2f22d9a37372f827ca5ea58289e5792ff32aba5909c82d93a6e751dba317694722c808d4e559cb5a43a1c8c

Download Submit
C:\Windows\Tasks\fjqjgdk.job

MD5
64da7efff025457403b16a629fe88076

SHA1
a72aa1d784812353c2e392739fda81b80a7ba6b7

SHA256
b1c1d63ad29c6e49d693f79e125749e1aaf6ed2582e481c9bfd049ef660babb7

SHA512
ad11bde47df4000a8c9b44d38ecb2ad86ce5bf1e440dcb5d6471f6c2ca3a29c2f6888da7372b553f69849c79c275d3d778e5ccb57a45dee6347fcf87cde48656

Download Submit
C:\Windows\Temp\gavm.exe

MD5
51f607442fbf580ed8292dfcdfa5737c

SHA1
d34bbbae67b70c92791662b28e7518e0b72a7727

SHA256
5b3bfabc1a7a0ae3ffa378c4eea625cd4c77cbdc5cc9ed418f888af9be92f792

SHA512
282ccc2afcac56077aaace23ae8ad225ae464f7db2f22d9a37372f827ca5ea58289e5792ff32aba5909c82d93a6e751dba317694722c808d4e559cb5a43a1c8c

Download Submit
memory/1576-116-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1576-117-0x0000000000480000-0x000000000052E000-memory.dmp

Filesize
696KB

Download
memory/1576-115-0x0000000000480000-0x00000000005CA000-memory.dmp

Filesize
1.3MB

Download
memory/2468-123-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/2468-122-0x0000000000560000-0x0000000000569000-memory.dmp

Filesize
36KB

Download
memory/2468-121-0x0000000000774000-0x000000000077D000-memory.dmp

Filesize
36KB

Download
memory/2468-120-0x0000000000774000-0x000000000077D000-memory.dmp

Filesize
36KB

Download
memory/3800-134-0x00000000005A0000-0x00000000006EA000-memory.dmp

Filesize
1.3MB

Download
memory/3800-135-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/3880-128-0x0000000000480000-0x000000000052E000-memory.dmp

Filesize
696KB

Download
memory/3880-129-0x0000000000480000-0x000000000052E000-memory.dmp

Filesize
696KB

Download
memory/3880-130-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download

Analysis

Sharing