systembc | 142d21e1c1d4b09bd1853f009c1e4bae0e3f4dcff9f9fe8d55e4cc5456d20971

General

Target

66b2d7c88954a2afe07b15d0f6093c25.exe
Size

229KB
MD5

66b2d7c88954a2afe07b15d0f6093c25
SHA1

1d0b138eaedea0562284741f3028e3adbf3a2f79
SHA256

142d21e1c1d4b09bd1853f009c1e4bae0e3f4dcff9f9fe8d55e4cc5456d20971
SHA512

45821a86e252d2a666b0540eec27a7212c87be5d0146d0e0e39a85b36ac297f08bef7a7defd64a6fa4e98754f829ae95a928e6cc480ab07051dfe4651b1fd061

Score

10^/10

systembc suricata trojan

Malware Config

Extracted

Family

systembc

C2

31.44.185.6:4001

31.44.185.11:4001

Signatures

SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc
suricata: ET MALWARE Single char EXE direct download likely trojan (multiple families)
suricata: ET MALWARE Single char EXE direct download likely trojan (multiple families)
suricata
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata
suricata: ET MALWARE Win32/SystemBC CnC Checkin
suricata: ET MALWARE Win32/SystemBC CnC Checkin
suricata
Downloads MZ/PE file
Executes dropped EXE 3 IoCs

Processes:

vksrjr.exefnmk.exenqohact.exe

pid process

1720 vksrjr.exe
4628 fnmk.exe
3768 nqohact.exe

pid	process
1720	vksrjr.exe
4628	fnmk.exe
3768	nqohact.exe

Drops file in Windows directory 5 IoCs

Processes:

66b2d7c88954a2afe07b15d0f6093c25.exevksrjr.exefnmk.exe

description	ioc	process
File created	C:\Windows\Tasks\vksrjr.job	66b2d7c88954a2afe07b15d0f6093c25.exe
File opened for modification	C:\Windows\Tasks\vksrjr.job	66b2d7c88954a2afe07b15d0f6093c25.exe
File created	C:\Windows\Tasks\nedpcalsfpwaqsfmxfq.job	vksrjr.exe
File created	C:\Windows\Tasks\nqohact.job	fnmk.exe
File opened for modification	C:\Windows\Tasks\nqohact.job	fnmk.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3936 384 WerFault.exe 66b2d7c88954a2afe07b15d0f6093c25.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

66b2d7c88954a2afe07b15d0f6093c25.exefnmk.exe

pid process

384 66b2d7c88954a2afe07b15d0f6093c25.exe
384 66b2d7c88954a2afe07b15d0f6093c25.exe
4628 fnmk.exe
4628 fnmk.exe

pid	pid_target	process	target process
3936	384	WerFault.exe	66b2d7c88954a2afe07b15d0f6093c25.exe

pid	process
384	66b2d7c88954a2afe07b15d0f6093c25.exe
384	66b2d7c88954a2afe07b15d0f6093c25.exe
4628	fnmk.exe
4628	fnmk.exe

C:\Users\Admin\AppData\Local\Temp\66b2d7c88954a2afe07b15d0f6093c25.exe
"C:\Users\Admin\AppData\Local\Temp\66b2d7c88954a2afe07b15d0f6093c25.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:384
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 384 -s 244
  2⤵
  - Program crash
  PID:3936

C:\ProgramData\bfnrps\vksrjr.exe
C:\ProgramData\bfnrps\vksrjr.exe start
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1720

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 384 -ip 384
1⤵
PID:4712

C:\Windows\TEMP\fnmk.exe
C:\Windows\TEMP\fnmk.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:4628

C:\ProgramData\aeph\nqohact.exe
C:\ProgramData\aeph\nqohact.exe start
1⤵
- Executes dropped EXE
PID:3768

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\aeph\nqohact.exe

Filesize
272KB

MD5
71ebd9fd8ea9fc4e67e52546cb45b35a

SHA1
4ce5c776e627a8b13c81b99bcf6cb4bcd7f8369a

SHA256
91e432fb78409fd8fbdbc8783b3e53b0352b207c88519c8550d72237785334b6

SHA512
5ad93d5047f68e349306d8361de4fcbc1e3694ee148c08877c5ead40d3814443ea168f715f256365fc6c73ab61aec59bd5329964d2083bf9c0a46d83e89924ff

Download Submit
C:\ProgramData\aeph\nqohact.exe

Filesize
272KB

MD5
71ebd9fd8ea9fc4e67e52546cb45b35a

SHA1
4ce5c776e627a8b13c81b99bcf6cb4bcd7f8369a

SHA256
91e432fb78409fd8fbdbc8783b3e53b0352b207c88519c8550d72237785334b6

SHA512
5ad93d5047f68e349306d8361de4fcbc1e3694ee148c08877c5ead40d3814443ea168f715f256365fc6c73ab61aec59bd5329964d2083bf9c0a46d83e89924ff

Download Submit
C:\ProgramData\bfnrps\vksrjr.exe

Filesize
229KB

MD5
66b2d7c88954a2afe07b15d0f6093c25

SHA1
1d0b138eaedea0562284741f3028e3adbf3a2f79

SHA256
142d21e1c1d4b09bd1853f009c1e4bae0e3f4dcff9f9fe8d55e4cc5456d20971

SHA512
45821a86e252d2a666b0540eec27a7212c87be5d0146d0e0e39a85b36ac297f08bef7a7defd64a6fa4e98754f829ae95a928e6cc480ab07051dfe4651b1fd061

Download Submit
C:\ProgramData\bfnrps\vksrjr.exe

Filesize
229KB

MD5
66b2d7c88954a2afe07b15d0f6093c25

SHA1
1d0b138eaedea0562284741f3028e3adbf3a2f79

SHA256
142d21e1c1d4b09bd1853f009c1e4bae0e3f4dcff9f9fe8d55e4cc5456d20971

SHA512
45821a86e252d2a666b0540eec27a7212c87be5d0146d0e0e39a85b36ac297f08bef7a7defd64a6fa4e98754f829ae95a928e6cc480ab07051dfe4651b1fd061

Download Submit
C:\Windows\TEMP\fnmk.exe

Filesize
272KB

MD5
71ebd9fd8ea9fc4e67e52546cb45b35a

SHA1
4ce5c776e627a8b13c81b99bcf6cb4bcd7f8369a

SHA256
91e432fb78409fd8fbdbc8783b3e53b0352b207c88519c8550d72237785334b6

SHA512
5ad93d5047f68e349306d8361de4fcbc1e3694ee148c08877c5ead40d3814443ea168f715f256365fc6c73ab61aec59bd5329964d2083bf9c0a46d83e89924ff

Download Submit
C:\Windows\Tasks\vksrjr.job

Filesize
250B

MD5
683481ecc10b5e8bce92990dd8386ad5

SHA1
1afaf72d9ea2fa916b2bf768b128d10909e82329

SHA256
70c7db41fa4754245badfe8f0ade3ca3d7ae0a1937ca25342deeec294fa78212

SHA512
0d1ba9e5e912df685f2b104ad44d1b04addc354256cb6b6cdcefd408c16f6f754096aa6322d8394f95ac825a3973eed7cde5597f124e814b4bec5259327eb275

Download Submit
C:\Windows\Temp\fnmk.exe

Filesize
272KB

MD5
71ebd9fd8ea9fc4e67e52546cb45b35a

SHA1
4ce5c776e627a8b13c81b99bcf6cb4bcd7f8369a

SHA256
91e432fb78409fd8fbdbc8783b3e53b0352b207c88519c8550d72237785334b6

SHA512
5ad93d5047f68e349306d8361de4fcbc1e3694ee148c08877c5ead40d3814443ea168f715f256365fc6c73ab61aec59bd5329964d2083bf9c0a46d83e89924ff

Download Submit
memory/384-131-0x000000000051C000-0x0000000000525000-memory.dmp

Filesize
36KB

Download
memory/384-130-0x000000000051C000-0x0000000000525000-memory.dmp

Filesize
36KB

Download
memory/384-132-0x00000000004F0000-0x00000000004F9000-memory.dmp

Filesize
36KB

Download
memory/384-133-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1720-138-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1720-137-0x00000000007D9000-0x00000000007E1000-memory.dmp

Filesize
32KB

Download
memory/1720-136-0x00000000007D9000-0x00000000007E1000-memory.dmp

Filesize
32KB

Download
memory/3768-147-0x0000000000705000-0x000000000070E000-memory.dmp

Filesize
36KB

Download
memory/3768-148-0x0000000000705000-0x000000000070E000-memory.dmp

Filesize
36KB

Download
memory/3768-149-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/4628-141-0x0000000000605000-0x000000000060E000-memory.dmp

Filesize
36KB

Download
memory/4628-143-0x0000000000605000-0x000000000060E000-memory.dmp

Filesize
36KB

Download
memory/4628-144-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads