systembc | f3c082552af86532b5df3ae3fb36c7eb9c96a617ce4b665429eaa62e40ad7984

General

Target

f3c082552af86532b5df3ae3fb36c7eb9c96a617ce4b665429eaa62e40ad7984.exe
Size

231KB
MD5

dc7c7aa1d408e4c6aecf7b76c1d0ed99
SHA1

8140b207adad980b61a7eadd77766f08124ed21a
SHA256

f3c082552af86532b5df3ae3fb36c7eb9c96a617ce4b665429eaa62e40ad7984
SHA512

1e9dfcccef11d86564be1bcd20466c87b182845523d8649667d42101fd5798c86a882b99b2562fb6f0258cb2119493ceceadde8dd39d612e5c08ed6d102da2ca

Score

10^/10

systembc suricata trojan

Malware Config

Extracted

Family

systembc

C2

31.44.185.6:4001

31.44.185.11:4001

Signatures

SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc
suricata: ET MALWARE Single char EXE direct download likely trojan (multiple families)
suricata: ET MALWARE Single char EXE direct download likely trojan (multiple families)
suricata
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata
suricata: ET MALWARE Win32/SystemBC CnC Checkin
suricata: ET MALWARE Win32/SystemBC CnC Checkin
suricata
Downloads MZ/PE file
Executes dropped EXE 3 IoCs

Processes:

bfnp.exedhwrn.exeqpqfr.exe

pid process

4092 bfnp.exe
3880 dhwrn.exe
3840 qpqfr.exe

pid	process
4092	bfnp.exe
3880	dhwrn.exe
3840	qpqfr.exe

Drops file in Windows directory 5 IoCs

Processes:

f3c082552af86532b5df3ae3fb36c7eb9c96a617ce4b665429eaa62e40ad7984.exebfnp.exedhwrn.exe

description	ioc	process
File created	C:\Windows\Tasks\bfnp.job	f3c082552af86532b5df3ae3fb36c7eb9c96a617ce4b665429eaa62e40ad7984.exe
File opened for modification	C:\Windows\Tasks\bfnp.job	f3c082552af86532b5df3ae3fb36c7eb9c96a617ce4b665429eaa62e40ad7984.exe
File created	C:\Windows\Tasks\njchlpuafjnswchlpuf.job	bfnp.exe
File created	C:\Windows\Tasks\qpqfr.job	dhwrn.exe
File opened for modification	C:\Windows\Tasks\qpqfr.job	dhwrn.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

f3c082552af86532b5df3ae3fb36c7eb9c96a617ce4b665429eaa62e40ad7984.exedhwrn.exe

pid	process
4008	f3c082552af86532b5df3ae3fb36c7eb9c96a617ce4b665429eaa62e40ad7984.exe
4008	f3c082552af86532b5df3ae3fb36c7eb9c96a617ce4b665429eaa62e40ad7984.exe
3880	dhwrn.exe
3880	dhwrn.exe

C:\Users\Admin\AppData\Local\Temp\f3c082552af86532b5df3ae3fb36c7eb9c96a617ce4b665429eaa62e40ad7984.exe
"C:\Users\Admin\AppData\Local\Temp\f3c082552af86532b5df3ae3fb36c7eb9c96a617ce4b665429eaa62e40ad7984.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:4008

C:\ProgramData\fnvbmg\bfnp.exe
C:\ProgramData\fnvbmg\bfnp.exe start
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:4092

C:\Windows\TEMP\dhwrn.exe
C:\Windows\TEMP\dhwrn.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:3880

C:\ProgramData\hgwfaw\qpqfr.exe
C:\ProgramData\hgwfaw\qpqfr.exe start
1⤵
- Executes dropped EXE
PID:3840

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\fnvbmg\bfnp.exe
Filesize
231KB

MD5
dc7c7aa1d408e4c6aecf7b76c1d0ed99

SHA1
8140b207adad980b61a7eadd77766f08124ed21a

SHA256
f3c082552af86532b5df3ae3fb36c7eb9c96a617ce4b665429eaa62e40ad7984

SHA512
1e9dfcccef11d86564be1bcd20466c87b182845523d8649667d42101fd5798c86a882b99b2562fb6f0258cb2119493ceceadde8dd39d612e5c08ed6d102da2ca

Download Submit
C:\ProgramData\fnvbmg\bfnp.exe
Filesize
231KB

MD5
dc7c7aa1d408e4c6aecf7b76c1d0ed99

SHA1
8140b207adad980b61a7eadd77766f08124ed21a

SHA256
f3c082552af86532b5df3ae3fb36c7eb9c96a617ce4b665429eaa62e40ad7984

SHA512
1e9dfcccef11d86564be1bcd20466c87b182845523d8649667d42101fd5798c86a882b99b2562fb6f0258cb2119493ceceadde8dd39d612e5c08ed6d102da2ca

Download Submit
C:\ProgramData\hgwfaw\qpqfr.exe
Filesize
231KB

MD5
dc7c7aa1d408e4c6aecf7b76c1d0ed99

SHA1
8140b207adad980b61a7eadd77766f08124ed21a

SHA256
f3c082552af86532b5df3ae3fb36c7eb9c96a617ce4b665429eaa62e40ad7984

SHA512
1e9dfcccef11d86564be1bcd20466c87b182845523d8649667d42101fd5798c86a882b99b2562fb6f0258cb2119493ceceadde8dd39d612e5c08ed6d102da2ca

Download Submit
C:\ProgramData\hgwfaw\qpqfr.exe
Filesize
231KB

MD5
dc7c7aa1d408e4c6aecf7b76c1d0ed99

SHA1
8140b207adad980b61a7eadd77766f08124ed21a

SHA256
f3c082552af86532b5df3ae3fb36c7eb9c96a617ce4b665429eaa62e40ad7984

SHA512
1e9dfcccef11d86564be1bcd20466c87b182845523d8649667d42101fd5798c86a882b99b2562fb6f0258cb2119493ceceadde8dd39d612e5c08ed6d102da2ca

Download Submit
C:\Windows\TEMP\dhwrn.exe
Filesize
231KB

MD5
dc7c7aa1d408e4c6aecf7b76c1d0ed99

SHA1
8140b207adad980b61a7eadd77766f08124ed21a

SHA256
f3c082552af86532b5df3ae3fb36c7eb9c96a617ce4b665429eaa62e40ad7984

SHA512
1e9dfcccef11d86564be1bcd20466c87b182845523d8649667d42101fd5798c86a882b99b2562fb6f0258cb2119493ceceadde8dd39d612e5c08ed6d102da2ca

Download Submit
C:\Windows\Tasks\bfnp.job
Filesize
246B

MD5
3d019cd47d32abab41e34aef9be24d4c

SHA1
b3c812abfb62daa35a6ca2caa1cd6afd8d5524d8

SHA256
d8ecb78c5d3ade67ffa3c9d7e1c842a45fd9b1545e0cd4d94c47bfd4096dd386

SHA512
e0245e813b63186b574ab0f2b8886f226ed3246e18aa8e041c7078e4a7824760d0df566a040c3537c451f7a0c739197762a5066bf60711eb2cf1f935fa1f0561

Download Submit
C:\Windows\Temp\dhwrn.exe
Filesize
231KB

MD5
dc7c7aa1d408e4c6aecf7b76c1d0ed99

SHA1
8140b207adad980b61a7eadd77766f08124ed21a

SHA256
f3c082552af86532b5df3ae3fb36c7eb9c96a617ce4b665429eaa62e40ad7984

SHA512
1e9dfcccef11d86564be1bcd20466c87b182845523d8649667d42101fd5798c86a882b99b2562fb6f0258cb2119493ceceadde8dd39d612e5c08ed6d102da2ca

Download Submit
memory/3840-133-0x00000000006B4000-0x00000000006BC000-memory.dmp

Filesize
32KB

Download
memory/3840-134-0x00000000006B4000-0x00000000006BC000-memory.dmp

Filesize
32KB

Download
memory/3840-136-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/3840-135-0x0000000000480000-0x00000000005CA000-memory.dmp

Filesize
1.3MB

Download
memory/3880-128-0x0000000000560000-0x00000000006AA000-memory.dmp

Filesize
1.3MB

Download
memory/3880-129-0x0000000000560000-0x00000000006AA000-memory.dmp

Filesize
1.3MB

Download
memory/3880-130-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/4008-115-0x0000000000480000-0x000000000052E000-memory.dmp

Filesize
696KB

Download
memory/4008-117-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/4008-116-0x0000000000480000-0x000000000052E000-memory.dmp

Filesize
696KB

Download
memory/4092-121-0x00000000006A4000-0x00000000006AD000-memory.dmp

Filesize
36KB

Download
memory/4092-120-0x00000000006A4000-0x00000000006AD000-memory.dmp

Filesize
36KB

Download
memory/4092-123-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/4092-122-0x00000000004D0000-0x00000000004D9000-memory.dmp

Filesize
36KB

Download

Analysis

Sharing