systembc | 64efd694a2e536ed7265fb46da5198788d895a9b7b9c2434404209b61c143a5f

General

Target

64efd694a2e536ed7265fb46da5198788d895a9b7b9c2434404209b61c143a5f.exe
Size

255KB
MD5

142939679afaeaf6cf66d3b80ea7d63e
SHA1

149465fd8b48f262bcf361047bb8035b5b1f33a2
SHA256

64efd694a2e536ed7265fb46da5198788d895a9b7b9c2434404209b61c143a5f
SHA512

bed423909f581415e80bf44960c5415f2527eee02cfd39b6201c1d67831be1dbefe27d58b27e4118cfddbeee42251596fa1f6e8912d6b22143dd75cf455561b8

Score

10^/10

systembc suricata trojan

Malware Config

Extracted

Family

systembc

C2

31.44.185.6:4001

31.44.185.11:4001

Signatures

SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc
suricata: ET MALWARE Single char EXE direct download likely trojan (multiple families)
suricata: ET MALWARE Single char EXE direct download likely trojan (multiple families)
suricata
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata
suricata: ET MALWARE Win32/SystemBC CnC Checkin
suricata: ET MALWARE Win32/SystemBC CnC Checkin
suricata
Downloads MZ/PE file
Executes dropped EXE 3 IoCs

Processes:

mhamerm.execrxdvut.exejinp.exe

pid process

3572 mhamerm.exe
2320 crxdvut.exe
3732 jinp.exe

pid	process
3572	mhamerm.exe
2320	crxdvut.exe
3732	jinp.exe

Drops file in Windows directory 5 IoCs

Processes:

mhamerm.execrxdvut.exe64efd694a2e536ed7265fb46da5198788d895a9b7b9c2434404209b61c143a5f.exe

description	ioc	process
File created	C:\Windows\Tasks\qkonfnmqponrquoxdcg.job	mhamerm.exe
File created	C:\Windows\Tasks\jinp.job	crxdvut.exe
File opened for modification	C:\Windows\Tasks\jinp.job	crxdvut.exe
File created	C:\Windows\Tasks\mhamerm.job	64efd694a2e536ed7265fb46da5198788d895a9b7b9c2434404209b61c143a5f.exe
File opened for modification	C:\Windows\Tasks\mhamerm.job	64efd694a2e536ed7265fb46da5198788d895a9b7b9c2434404209b61c143a5f.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

64efd694a2e536ed7265fb46da5198788d895a9b7b9c2434404209b61c143a5f.execrxdvut.exe

pid	process
2516	64efd694a2e536ed7265fb46da5198788d895a9b7b9c2434404209b61c143a5f.exe
2516	64efd694a2e536ed7265fb46da5198788d895a9b7b9c2434404209b61c143a5f.exe
2320	crxdvut.exe
2320	crxdvut.exe

C:\Users\Admin\AppData\Local\Temp\64efd694a2e536ed7265fb46da5198788d895a9b7b9c2434404209b61c143a5f.exe
"C:\Users\Admin\AppData\Local\Temp\64efd694a2e536ed7265fb46da5198788d895a9b7b9c2434404209b61c143a5f.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:2516

C:\ProgramData\swxa\mhamerm.exe
C:\ProgramData\swxa\mhamerm.exe start
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:3572

C:\Windows\TEMP\crxdvut.exe
C:\Windows\TEMP\crxdvut.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:2320

C:\ProgramData\qqtkbr\jinp.exe
C:\ProgramData\qqtkbr\jinp.exe start
1⤵
- Executes dropped EXE
PID:3732

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\qqtkbr\jinp.exe

Filesize
255KB

MD5
142939679afaeaf6cf66d3b80ea7d63e

SHA1
149465fd8b48f262bcf361047bb8035b5b1f33a2

SHA256
64efd694a2e536ed7265fb46da5198788d895a9b7b9c2434404209b61c143a5f

SHA512
bed423909f581415e80bf44960c5415f2527eee02cfd39b6201c1d67831be1dbefe27d58b27e4118cfddbeee42251596fa1f6e8912d6b22143dd75cf455561b8

Download Submit
C:\ProgramData\qqtkbr\jinp.exe

Filesize
255KB

MD5
142939679afaeaf6cf66d3b80ea7d63e

SHA1
149465fd8b48f262bcf361047bb8035b5b1f33a2

SHA256
64efd694a2e536ed7265fb46da5198788d895a9b7b9c2434404209b61c143a5f

SHA512
bed423909f581415e80bf44960c5415f2527eee02cfd39b6201c1d67831be1dbefe27d58b27e4118cfddbeee42251596fa1f6e8912d6b22143dd75cf455561b8

Download Submit
C:\ProgramData\swxa\mhamerm.exe

Filesize
255KB

MD5
142939679afaeaf6cf66d3b80ea7d63e

SHA1
149465fd8b48f262bcf361047bb8035b5b1f33a2

SHA256
64efd694a2e536ed7265fb46da5198788d895a9b7b9c2434404209b61c143a5f

SHA512
bed423909f581415e80bf44960c5415f2527eee02cfd39b6201c1d67831be1dbefe27d58b27e4118cfddbeee42251596fa1f6e8912d6b22143dd75cf455561b8

Download Submit
C:\ProgramData\swxa\mhamerm.exe

Filesize
255KB

MD5
142939679afaeaf6cf66d3b80ea7d63e

SHA1
149465fd8b48f262bcf361047bb8035b5b1f33a2

SHA256
64efd694a2e536ed7265fb46da5198788d895a9b7b9c2434404209b61c143a5f

SHA512
bed423909f581415e80bf44960c5415f2527eee02cfd39b6201c1d67831be1dbefe27d58b27e4118cfddbeee42251596fa1f6e8912d6b22143dd75cf455561b8

Download Submit
C:\Windows\TEMP\crxdvut.exe

Filesize
255KB

MD5
142939679afaeaf6cf66d3b80ea7d63e

SHA1
149465fd8b48f262bcf361047bb8035b5b1f33a2

SHA256
64efd694a2e536ed7265fb46da5198788d895a9b7b9c2434404209b61c143a5f

SHA512
bed423909f581415e80bf44960c5415f2527eee02cfd39b6201c1d67831be1dbefe27d58b27e4118cfddbeee42251596fa1f6e8912d6b22143dd75cf455561b8

Download Submit
C:\Windows\Tasks\mhamerm.job

Filesize
248B

MD5
5d934d1e2d6ae1edbad87bc6712cb373

SHA1
9c7b92f0f4ca91d448b9d1d02caa128e8704458e

SHA256
bff2b2ba759ab10c49a28d13283c6556ba84d8e49d9a73fe831e6c75dabbecf2

SHA512
df0f569ce6aae093a86d4f1d0921686a930d02c862db6958b5aafae92e1d6b059c6fc28cd12101e30faf3ac7a4e80e25200572bcaeb1adca28955895879a7807

Download Submit
C:\Windows\Temp\crxdvut.exe

Filesize
255KB

MD5
142939679afaeaf6cf66d3b80ea7d63e

SHA1
149465fd8b48f262bcf361047bb8035b5b1f33a2

SHA256
64efd694a2e536ed7265fb46da5198788d895a9b7b9c2434404209b61c143a5f

SHA512
bed423909f581415e80bf44960c5415f2527eee02cfd39b6201c1d67831be1dbefe27d58b27e4118cfddbeee42251596fa1f6e8912d6b22143dd75cf455561b8

Download Submit
memory/2320-128-0x0000000000490000-0x000000000053E000-memory.dmp

Filesize
696KB

Download
memory/2320-130-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2320-129-0x0000000000490000-0x000000000053E000-memory.dmp

Filesize
696KB

Download
memory/2516-116-0x00000000004F0000-0x000000000063A000-memory.dmp

Filesize
1.3MB

Download
memory/2516-115-0x00000000004F0000-0x000000000063A000-memory.dmp

Filesize
1.3MB

Download
memory/2516-117-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3572-121-0x0000000000490000-0x00000000005DA000-memory.dmp

Filesize
1.3MB

Download
memory/3572-123-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3572-122-0x00000000001D0000-0x00000000001D9000-memory.dmp

Filesize
36KB

Download
memory/3732-133-0x00000000007D2000-0x00000000007DB000-memory.dmp

Filesize
36KB

Download
memory/3732-134-0x00000000007D2000-0x00000000007DB000-memory.dmp

Filesize
36KB

Download
memory/3732-135-0x0000000000490000-0x00000000005DA000-memory.dmp

Filesize
1.3MB

Download
memory/3732-136-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download

Analysis

Sharing