systembc | 023e0ac5b8ee582ac8d8c1f36b96c8a87263e360428b0003b3159c876604be5f

General

Target

023e0ac5b8ee582ac8d8c1f36b96c8a87263e360428b0003b3159c876604be5f.exe
Size

230KB
MD5

3cbe19c2cf88bfbc4eac2980aad96aa2
SHA1

3c94a02287f9307fe28a47770226098ce5081793
SHA256

023e0ac5b8ee582ac8d8c1f36b96c8a87263e360428b0003b3159c876604be5f
SHA512

c04e79744650e128156533f8d06798090a24f4852c96bf6f3506350fc101cfc4f6fe6dc2c25ec62ec343c8dc544cf6bf47d5e8f1f5ad734cb69ca26e4c645458

Score

10^/10

systembc trojan

Malware Config

Extracted

Family

systembc

C2

31.44.185.6:4001

31.44.185.11:4001

Signatures

SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc
Downloads MZ/PE file
Executes dropped EXE 3 IoCs

Processes:

xqbmm.execomtlx.exehpju.exe

pid process

3628 xqbmm.exe
1788 comtlx.exe
3988 hpju.exe

pid	process
3628	xqbmm.exe
1788	comtlx.exe
3988	hpju.exe

Drops file in Windows directory 5 IoCs

Processes:

xqbmm.execomtlx.exe023e0ac5b8ee582ac8d8c1f36b96c8a87263e360428b0003b3159c876604be5f.exe

description	ioc	process
File created	C:\Windows\Tasks\fnhrstghisbumopbcdn.job	xqbmm.exe
File created	C:\Windows\Tasks\hpju.job	comtlx.exe
File opened for modification	C:\Windows\Tasks\hpju.job	comtlx.exe
File created	C:\Windows\Tasks\xqbmm.job	023e0ac5b8ee582ac8d8c1f36b96c8a87263e360428b0003b3159c876604be5f.exe
File opened for modification	C:\Windows\Tasks\xqbmm.job	023e0ac5b8ee582ac8d8c1f36b96c8a87263e360428b0003b3159c876604be5f.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

023e0ac5b8ee582ac8d8c1f36b96c8a87263e360428b0003b3159c876604be5f.execomtlx.exe

pid	process
1576	023e0ac5b8ee582ac8d8c1f36b96c8a87263e360428b0003b3159c876604be5f.exe
1576	023e0ac5b8ee582ac8d8c1f36b96c8a87263e360428b0003b3159c876604be5f.exe
1788	comtlx.exe
1788	comtlx.exe

C:\Users\Admin\AppData\Local\Temp\023e0ac5b8ee582ac8d8c1f36b96c8a87263e360428b0003b3159c876604be5f.exe
"C:\Users\Admin\AppData\Local\Temp\023e0ac5b8ee582ac8d8c1f36b96c8a87263e360428b0003b3159c876604be5f.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:1576

C:\ProgramData\tivbom\xqbmm.exe
C:\ProgramData\tivbom\xqbmm.exe start
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:3628

C:\Windows\TEMP\comtlx.exe
C:\Windows\TEMP\comtlx.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:1788

C:\ProgramData\jcoedq\hpju.exe
C:\ProgramData\jcoedq\hpju.exe start
1⤵
- Executes dropped EXE
PID:3988

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\jcoedq\hpju.exe

MD5
3cbe19c2cf88bfbc4eac2980aad96aa2

SHA1
3c94a02287f9307fe28a47770226098ce5081793

SHA256
023e0ac5b8ee582ac8d8c1f36b96c8a87263e360428b0003b3159c876604be5f

SHA512
c04e79744650e128156533f8d06798090a24f4852c96bf6f3506350fc101cfc4f6fe6dc2c25ec62ec343c8dc544cf6bf47d5e8f1f5ad734cb69ca26e4c645458

Download Submit
C:\ProgramData\jcoedq\hpju.exe

MD5
3cbe19c2cf88bfbc4eac2980aad96aa2

SHA1
3c94a02287f9307fe28a47770226098ce5081793

SHA256
023e0ac5b8ee582ac8d8c1f36b96c8a87263e360428b0003b3159c876604be5f

SHA512
c04e79744650e128156533f8d06798090a24f4852c96bf6f3506350fc101cfc4f6fe6dc2c25ec62ec343c8dc544cf6bf47d5e8f1f5ad734cb69ca26e4c645458

Download Submit
C:\ProgramData\tivbom\xqbmm.exe

MD5
3cbe19c2cf88bfbc4eac2980aad96aa2

SHA1
3c94a02287f9307fe28a47770226098ce5081793

SHA256
023e0ac5b8ee582ac8d8c1f36b96c8a87263e360428b0003b3159c876604be5f

SHA512
c04e79744650e128156533f8d06798090a24f4852c96bf6f3506350fc101cfc4f6fe6dc2c25ec62ec343c8dc544cf6bf47d5e8f1f5ad734cb69ca26e4c645458

Download Submit
C:\ProgramData\tivbom\xqbmm.exe

MD5
3cbe19c2cf88bfbc4eac2980aad96aa2

SHA1
3c94a02287f9307fe28a47770226098ce5081793

SHA256
023e0ac5b8ee582ac8d8c1f36b96c8a87263e360428b0003b3159c876604be5f

SHA512
c04e79744650e128156533f8d06798090a24f4852c96bf6f3506350fc101cfc4f6fe6dc2c25ec62ec343c8dc544cf6bf47d5e8f1f5ad734cb69ca26e4c645458

Download Submit
C:\Windows\TEMP\comtlx.exe

MD5
3cbe19c2cf88bfbc4eac2980aad96aa2

SHA1
3c94a02287f9307fe28a47770226098ce5081793

SHA256
023e0ac5b8ee582ac8d8c1f36b96c8a87263e360428b0003b3159c876604be5f

SHA512
c04e79744650e128156533f8d06798090a24f4852c96bf6f3506350fc101cfc4f6fe6dc2c25ec62ec343c8dc544cf6bf47d5e8f1f5ad734cb69ca26e4c645458

Download Submit
C:\Windows\Tasks\xqbmm.job

MD5
dab7ceb9fcd1c65245157904ce0144ef

SHA1
58683c6cf156d6f90d0433988a2fca9edd8fda3c

SHA256
1f9f5268f31166c1449e7c452c7b647a8e0e3fc81f7e9eb4e94059f05f07bf98

SHA512
c3501b4bb4827571cdbdb247624416fc544be6cb7fe0570f32a404a7a76c83431018b1adc6c8f90b64d2bad88f91f329cea6d6044259c167c9ff4e667dcd545e

Download Submit
C:\Windows\Temp\comtlx.exe

MD5
3cbe19c2cf88bfbc4eac2980aad96aa2

SHA1
3c94a02287f9307fe28a47770226098ce5081793

SHA256
023e0ac5b8ee582ac8d8c1f36b96c8a87263e360428b0003b3159c876604be5f

SHA512
c04e79744650e128156533f8d06798090a24f4852c96bf6f3506350fc101cfc4f6fe6dc2c25ec62ec343c8dc544cf6bf47d5e8f1f5ad734cb69ca26e4c645458

Download Submit
memory/1576-115-0x00000000004D0000-0x000000000061A000-memory.dmp

Filesize
1.3MB

Download
memory/1576-117-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1576-116-0x00000000004D0000-0x000000000061A000-memory.dmp

Filesize
1.3MB

Download
memory/1788-128-0x0000000000500000-0x00000000005AE000-memory.dmp

Filesize
696KB

Download
memory/1788-129-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/3628-123-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/3628-122-0x00000000005D0000-0x00000000005D9000-memory.dmp

Filesize
36KB

Download
memory/3628-121-0x0000000000480000-0x000000000052E000-memory.dmp

Filesize
696KB

Download
memory/3988-132-0x0000000000734000-0x000000000073D000-memory.dmp

Filesize
36KB

Download
memory/3988-133-0x0000000000734000-0x000000000073D000-memory.dmp

Filesize
36KB

Download
memory/3988-134-0x00000000005B0000-0x00000000006FA000-memory.dmp

Filesize
1.3MB

Download
memory/3988-135-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download

Analysis

Sharing