systembc | adb4b3905162013e327b67bbeea18e1473aafb6b00a403634bd10cf8b1770929

General

Target

adb4b3905162013e327b67bbeea18e1473aafb6b00a403634bd10cf8b1770929.exe
Size

273KB
MD5

d9a7e822d38ef4624cb6c6d6c058bc30
SHA1

3f48b9031f653d55eb5c53a8c99346b0d4f1bd52
SHA256

adb4b3905162013e327b67bbeea18e1473aafb6b00a403634bd10cf8b1770929
SHA512

3084f7c27a5b453b8def1c7e8fd0f68ddcc408e57207635192451b92d0885e9ef3fafbb6c20491359a4da8cb06b35b446c11d70fa1fe0185d92d963eed5e9c5f

Score

10^/10

systembc suricata trojan

Malware Config

Extracted

Family

systembc

C2

31.44.185.6:4001

31.44.185.11:4001

Signatures

SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc
suricata: ET MALWARE Single char EXE direct download likely trojan (multiple families)
suricata: ET MALWARE Single char EXE direct download likely trojan (multiple families)
suricata
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata
suricata: ET MALWARE Win32/SystemBC CnC Checkin
suricata: ET MALWARE Win32/SystemBC CnC Checkin
suricata
Downloads MZ/PE file
Executes dropped EXE 3 IoCs

Processes:

bijn.exekbuxvr.exealss.exe

pid process

1200 bijn.exe
1268 kbuxvr.exe
4720 alss.exe

pid	process
1200	bijn.exe
1268	kbuxvr.exe
4720	alss.exe

Drops file in Windows directory 5 IoCs

Processes:

adb4b3905162013e327b67bbeea18e1473aafb6b00a403634bd10cf8b1770929.exebijn.exekbuxvr.exe

description	ioc	process
File opened for modification	C:\Windows\Tasks\bijn.job	adb4b3905162013e327b67bbeea18e1473aafb6b00a403634bd10cf8b1770929.exe
File created	C:\Windows\Tasks\dkjvtumksxvdiwnomok.job	bijn.exe
File created	C:\Windows\Tasks\alss.job	kbuxvr.exe
File opened for modification	C:\Windows\Tasks\alss.job	kbuxvr.exe
File created	C:\Windows\Tasks\bijn.job	adb4b3905162013e327b67bbeea18e1473aafb6b00a403634bd10cf8b1770929.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

5004 3668 WerFault.exe adb4b3905162013e327b67bbeea18e1473aafb6b00a403634bd10cf8b1770929.exe

pid	pid_target	process	target process
5004	3668	WerFault.exe	adb4b3905162013e327b67bbeea18e1473aafb6b00a403634bd10cf8b1770929.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

adb4b3905162013e327b67bbeea18e1473aafb6b00a403634bd10cf8b1770929.exekbuxvr.exe

pid	process
3668	adb4b3905162013e327b67bbeea18e1473aafb6b00a403634bd10cf8b1770929.exe
3668	adb4b3905162013e327b67bbeea18e1473aafb6b00a403634bd10cf8b1770929.exe
1268	kbuxvr.exe
1268	kbuxvr.exe

C:\Users\Admin\AppData\Local\Temp\adb4b3905162013e327b67bbeea18e1473aafb6b00a403634bd10cf8b1770929.exe
"C:\Users\Admin\AppData\Local\Temp\adb4b3905162013e327b67bbeea18e1473aafb6b00a403634bd10cf8b1770929.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:3668
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3668 -s 484
  2⤵
  - Program crash
  PID:5004

C:\ProgramData\xiqxgnu\bijn.exe
C:\ProgramData\xiqxgnu\bijn.exe start
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1200

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 3668 -ip 3668
1⤵
PID:4164

C:\Windows\TEMP\kbuxvr.exe
C:\Windows\TEMP\kbuxvr.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:1268

C:\ProgramData\gvmpf\alss.exe
C:\ProgramData\gvmpf\alss.exe start
1⤵
- Executes dropped EXE
PID:4720

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\gvmpf\alss.exe

Filesize
273KB

MD5
d9a7e822d38ef4624cb6c6d6c058bc30

SHA1
3f48b9031f653d55eb5c53a8c99346b0d4f1bd52

SHA256
adb4b3905162013e327b67bbeea18e1473aafb6b00a403634bd10cf8b1770929

SHA512
3084f7c27a5b453b8def1c7e8fd0f68ddcc408e57207635192451b92d0885e9ef3fafbb6c20491359a4da8cb06b35b446c11d70fa1fe0185d92d963eed5e9c5f

Download Submit
C:\ProgramData\gvmpf\alss.exe

Filesize
273KB

MD5
d9a7e822d38ef4624cb6c6d6c058bc30

SHA1
3f48b9031f653d55eb5c53a8c99346b0d4f1bd52

SHA256
adb4b3905162013e327b67bbeea18e1473aafb6b00a403634bd10cf8b1770929

SHA512
3084f7c27a5b453b8def1c7e8fd0f68ddcc408e57207635192451b92d0885e9ef3fafbb6c20491359a4da8cb06b35b446c11d70fa1fe0185d92d963eed5e9c5f

Download Submit
C:\ProgramData\xiqxgnu\bijn.exe

Filesize
273KB

MD5
d9a7e822d38ef4624cb6c6d6c058bc30

SHA1
3f48b9031f653d55eb5c53a8c99346b0d4f1bd52

SHA256
adb4b3905162013e327b67bbeea18e1473aafb6b00a403634bd10cf8b1770929

SHA512
3084f7c27a5b453b8def1c7e8fd0f68ddcc408e57207635192451b92d0885e9ef3fafbb6c20491359a4da8cb06b35b446c11d70fa1fe0185d92d963eed5e9c5f

Download Submit
C:\ProgramData\xiqxgnu\bijn.exe

Filesize
273KB

MD5
d9a7e822d38ef4624cb6c6d6c058bc30

SHA1
3f48b9031f653d55eb5c53a8c99346b0d4f1bd52

SHA256
adb4b3905162013e327b67bbeea18e1473aafb6b00a403634bd10cf8b1770929

SHA512
3084f7c27a5b453b8def1c7e8fd0f68ddcc408e57207635192451b92d0885e9ef3fafbb6c20491359a4da8cb06b35b446c11d70fa1fe0185d92d963eed5e9c5f

Download Submit
C:\Windows\TEMP\kbuxvr.exe

Filesize
273KB

MD5
d9a7e822d38ef4624cb6c6d6c058bc30

SHA1
3f48b9031f653d55eb5c53a8c99346b0d4f1bd52

SHA256
adb4b3905162013e327b67bbeea18e1473aafb6b00a403634bd10cf8b1770929

SHA512
3084f7c27a5b453b8def1c7e8fd0f68ddcc408e57207635192451b92d0885e9ef3fafbb6c20491359a4da8cb06b35b446c11d70fa1fe0185d92d963eed5e9c5f

Download Submit
C:\Windows\Tasks\bijn.job

Filesize
248B

MD5
a3a10d72d3b3711aded27675cef09788

SHA1
de42365e39becd76178004c74cc232a4bccd94ee

SHA256
f7d72070873ae32852195b8f20bc2ab2c7933f58da1b850eaad51bb0e3e04a17

SHA512
1b718ea465eb883326b949e895687efd706ec7d21ce8f5398e2713f0b63a141c05b2173ef63196d7ca5447f0ecd3b2019167a6c74c280413a77fdb8ec3797237

Download Submit
C:\Windows\Temp\kbuxvr.exe

Filesize
273KB

MD5
d9a7e822d38ef4624cb6c6d6c058bc30

SHA1
3f48b9031f653d55eb5c53a8c99346b0d4f1bd52

SHA256
adb4b3905162013e327b67bbeea18e1473aafb6b00a403634bd10cf8b1770929

SHA512
3084f7c27a5b453b8def1c7e8fd0f68ddcc408e57207635192451b92d0885e9ef3fafbb6c20491359a4da8cb06b35b446c11d70fa1fe0185d92d963eed5e9c5f

Download Submit
memory/1200-138-0x00000000001F0000-0x00000000001F9000-memory.dmp

Filesize
36KB

Download
memory/1200-139-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/1200-136-0x0000000000815000-0x000000000081E000-memory.dmp

Filesize
36KB

Download
memory/1200-137-0x0000000000815000-0x000000000081E000-memory.dmp

Filesize
36KB

Download
memory/1268-144-0x0000000000715000-0x000000000071E000-memory.dmp

Filesize
36KB

Download
memory/1268-145-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/1268-142-0x0000000000715000-0x000000000071E000-memory.dmp

Filesize
36KB

Download
memory/3668-133-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/3668-130-0x0000000000848000-0x0000000000851000-memory.dmp

Filesize
36KB

Download
memory/3668-132-0x00000000001F0000-0x00000000001F9000-memory.dmp

Filesize
36KB

Download
memory/3668-131-0x0000000000848000-0x0000000000851000-memory.dmp

Filesize
36KB

Download
memory/4720-148-0x0000000000545000-0x000000000054E000-memory.dmp

Filesize
36KB

Download
memory/4720-149-0x0000000000545000-0x000000000054E000-memory.dmp

Filesize
36KB

Download
memory/4720-150-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download

Analysis

Sharing