systembc | cf5066857f0e7419c2473c381a8a9071027c5ba608e28bb1da4877bf92bb628f

General

Target

cf5066857f0e7419c2473c381a8a9071027c5ba608e28bb1da4877bf92bb628f.exe
Size

268KB
MD5

e598980dec936d77df5c353f49145ed3
SHA1

7fac4ec0ebb8b22e05823ed8a4dc552e4f1cf090
SHA256

cf5066857f0e7419c2473c381a8a9071027c5ba608e28bb1da4877bf92bb628f
SHA512

10e9b19a607ef7d3b52f39a8d46c9a4c9a0e01b31ce76fb225a70b8d54aab1b4ff31c012ea0e84dae7d859be065f3608dc10117ed4e619576cdae7e6df558c99

Score

10^/10

systembc trojan

Malware Config

Extracted

Family

systembc

C2

31.44.185.6:4001

31.44.185.11:4001

Signatures

SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc
Downloads MZ/PE file
Executes dropped EXE 3 IoCs

Processes:

athj.exeahxefhi.exefgwu.exe

pid process

2552 athj.exe
3856 ahxefhi.exe
3892 fgwu.exe

pid	process
2552	athj.exe
3856	ahxefhi.exe
3892	fgwu.exe

Drops file in Windows directory 5 IoCs

Processes:

cf5066857f0e7419c2473c381a8a9071027c5ba608e28bb1da4877bf92bb628f.exeathj.exeahxefhi.exe

description	ioc	process
File opened for modification	C:\Windows\Tasks\athj.job	cf5066857f0e7419c2473c381a8a9071027c5ba608e28bb1da4877bf92bb628f.exe
File created	C:\Windows\Tasks\xtafnmwdwhnxekdpknh.job	athj.exe
File created	C:\Windows\Tasks\fgwu.job	ahxefhi.exe
File opened for modification	C:\Windows\Tasks\fgwu.job	ahxefhi.exe
File created	C:\Windows\Tasks\athj.job	cf5066857f0e7419c2473c381a8a9071027c5ba608e28bb1da4877bf92bb628f.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

cf5066857f0e7419c2473c381a8a9071027c5ba608e28bb1da4877bf92bb628f.exeahxefhi.exe

pid	process
3468	cf5066857f0e7419c2473c381a8a9071027c5ba608e28bb1da4877bf92bb628f.exe
3468	cf5066857f0e7419c2473c381a8a9071027c5ba608e28bb1da4877bf92bb628f.exe
3856	ahxefhi.exe
3856	ahxefhi.exe

C:\Users\Admin\AppData\Local\Temp\cf5066857f0e7419c2473c381a8a9071027c5ba608e28bb1da4877bf92bb628f.exe
"C:\Users\Admin\AppData\Local\Temp\cf5066857f0e7419c2473c381a8a9071027c5ba608e28bb1da4877bf92bb628f.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:3468

C:\ProgramData\nvbsrqo\athj.exe
C:\ProgramData\nvbsrqo\athj.exe start
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2552

C:\Windows\TEMP\ahxefhi.exe
C:\Windows\TEMP\ahxefhi.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:3856

C:\ProgramData\hbhb\fgwu.exe
C:\ProgramData\hbhb\fgwu.exe start
1⤵
- Executes dropped EXE
PID:3892

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\hbhb\fgwu.exe

Filesize
268KB

MD5
e598980dec936d77df5c353f49145ed3

SHA1
7fac4ec0ebb8b22e05823ed8a4dc552e4f1cf090

SHA256
cf5066857f0e7419c2473c381a8a9071027c5ba608e28bb1da4877bf92bb628f

SHA512
10e9b19a607ef7d3b52f39a8d46c9a4c9a0e01b31ce76fb225a70b8d54aab1b4ff31c012ea0e84dae7d859be065f3608dc10117ed4e619576cdae7e6df558c99

Download Submit
C:\ProgramData\hbhb\fgwu.exe

Filesize
268KB

MD5
e598980dec936d77df5c353f49145ed3

SHA1
7fac4ec0ebb8b22e05823ed8a4dc552e4f1cf090

SHA256
cf5066857f0e7419c2473c381a8a9071027c5ba608e28bb1da4877bf92bb628f

SHA512
10e9b19a607ef7d3b52f39a8d46c9a4c9a0e01b31ce76fb225a70b8d54aab1b4ff31c012ea0e84dae7d859be065f3608dc10117ed4e619576cdae7e6df558c99

Download Submit
C:\ProgramData\nvbsrqo\athj.exe

Filesize
268KB

MD5
e598980dec936d77df5c353f49145ed3

SHA1
7fac4ec0ebb8b22e05823ed8a4dc552e4f1cf090

SHA256
cf5066857f0e7419c2473c381a8a9071027c5ba608e28bb1da4877bf92bb628f

SHA512
10e9b19a607ef7d3b52f39a8d46c9a4c9a0e01b31ce76fb225a70b8d54aab1b4ff31c012ea0e84dae7d859be065f3608dc10117ed4e619576cdae7e6df558c99

Download Submit
C:\ProgramData\nvbsrqo\athj.exe

Filesize
268KB

MD5
e598980dec936d77df5c353f49145ed3

SHA1
7fac4ec0ebb8b22e05823ed8a4dc552e4f1cf090

SHA256
cf5066857f0e7419c2473c381a8a9071027c5ba608e28bb1da4877bf92bb628f

SHA512
10e9b19a607ef7d3b52f39a8d46c9a4c9a0e01b31ce76fb225a70b8d54aab1b4ff31c012ea0e84dae7d859be065f3608dc10117ed4e619576cdae7e6df558c99

Download Submit
C:\Windows\TEMP\ahxefhi.exe

Filesize
268KB

MD5
e598980dec936d77df5c353f49145ed3

SHA1
7fac4ec0ebb8b22e05823ed8a4dc552e4f1cf090

SHA256
cf5066857f0e7419c2473c381a8a9071027c5ba608e28bb1da4877bf92bb628f

SHA512
10e9b19a607ef7d3b52f39a8d46c9a4c9a0e01b31ce76fb225a70b8d54aab1b4ff31c012ea0e84dae7d859be065f3608dc10117ed4e619576cdae7e6df558c99

Download Submit
C:\Windows\Tasks\athj.job

Filesize
248B

MD5
2be7adfeae7384fae7672ee8689c5d1e

SHA1
a4fc87825850b9e30d8634d6221f47c9c709a9da

SHA256
072c09381ce81a175ab50683739f50eb9f3bf890e9a6b12a97febfb10b577532

SHA512
3ac195bbeaa36ee6c96db8c5c562b05b0b4ff9124ddf870ec13cdf4ea71f36b466499e38674e6dc7dd9504af95bc73dc55653054345be125f861ffeef4c29188

Download Submit
C:\Windows\Temp\ahxefhi.exe

Filesize
268KB

MD5
e598980dec936d77df5c353f49145ed3

SHA1
7fac4ec0ebb8b22e05823ed8a4dc552e4f1cf090

SHA256
cf5066857f0e7419c2473c381a8a9071027c5ba608e28bb1da4877bf92bb628f

SHA512
10e9b19a607ef7d3b52f39a8d46c9a4c9a0e01b31ce76fb225a70b8d54aab1b4ff31c012ea0e84dae7d859be065f3608dc10117ed4e619576cdae7e6df558c99

Download Submit
memory/2552-121-0x0000000000560000-0x00000000006AA000-memory.dmp

Filesize
1.3MB

Download
memory/2552-122-0x0000000000490000-0x000000000053E000-memory.dmp

Filesize
696KB

Download
memory/2552-123-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/3468-115-0x00000000006A7000-0x00000000006B0000-memory.dmp

Filesize
36KB

Download
memory/3468-114-0x00000000006A7000-0x00000000006B0000-memory.dmp

Filesize
36KB

Download
memory/3468-116-0x00000000004E0000-0x000000000062A000-memory.dmp

Filesize
1.3MB

Download
memory/3468-117-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/3856-128-0x00000000005B0000-0x00000000006FA000-memory.dmp

Filesize
1.3MB

Download
memory/3856-129-0x0000000000570000-0x0000000000579000-memory.dmp

Filesize
36KB

Download
memory/3856-130-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/3892-133-0x00000000006C2000-0x00000000006CA000-memory.dmp

Filesize
32KB

Download
memory/3892-134-0x00000000006C2000-0x00000000006CA000-memory.dmp

Filesize
32KB

Download
memory/3892-135-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download

Analysis

Sharing