systembc | 816dc3c379ba79217bf4ed44f5c6c4c5582be90bceb693a3f48c7e8fed04ac80

General

Target

816dc3c379ba79217bf4ed44f5c6c4c5582be90bceb693a3f48c7e8fed04ac80.exe
Size

254KB
MD5

302deb97018b683371ff1b8d316a12dd
SHA1

23d52e65ac280d5ee23d6698f5950ff989f2c39a
SHA256

816dc3c379ba79217bf4ed44f5c6c4c5582be90bceb693a3f48c7e8fed04ac80
SHA512

8c7947dacdfe2d1985bfa36277e2a04d57dce7db68e88614de23c04efa5e577dd5b159c622f2da486c4f7da6c96b1ad9c3204f7b49d76ff8af0b4abb18c8ec14

Score

10^/10

systembc suricata trojan

Malware Config

Extracted

Family

systembc

C2

31.44.185.6:4001

31.44.185.11:4001

Signatures

SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc
suricata: ET MALWARE Single char EXE direct download likely trojan (multiple families)
suricata: ET MALWARE Single char EXE direct download likely trojan (multiple families)
suricata
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata
suricata: ET MALWARE Win32/SystemBC CnC Checkin
suricata: ET MALWARE Win32/SystemBC CnC Checkin
suricata
Downloads MZ/PE file
Executes dropped EXE 3 IoCs

Processes:

cvptm.exeooqh.exejvct.exe

pid process

3924 cvptm.exe
3852 ooqh.exe
1512 jvct.exe

pid	process
3924	cvptm.exe
3852	ooqh.exe
1512	jvct.exe

Drops file in Windows directory 5 IoCs

Processes:

816dc3c379ba79217bf4ed44f5c6c4c5582be90bceb693a3f48c7e8fed04ac80.execvptm.exeooqh.exe

description	ioc	process
File created	C:\Windows\Tasks\cvptm.job	816dc3c379ba79217bf4ed44f5c6c4c5582be90bceb693a3f48c7e8fed04ac80.exe
File opened for modification	C:\Windows\Tasks\cvptm.job	816dc3c379ba79217bf4ed44f5c6c4c5582be90bceb693a3f48c7e8fed04ac80.exe
File created	C:\Windows\Tasks\gkhrfseseennxxiirrr.job	cvptm.exe
File created	C:\Windows\Tasks\jvct.job	ooqh.exe
File opened for modification	C:\Windows\Tasks\jvct.job	ooqh.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

816dc3c379ba79217bf4ed44f5c6c4c5582be90bceb693a3f48c7e8fed04ac80.exeooqh.exe

pid	process
4008	816dc3c379ba79217bf4ed44f5c6c4c5582be90bceb693a3f48c7e8fed04ac80.exe
4008	816dc3c379ba79217bf4ed44f5c6c4c5582be90bceb693a3f48c7e8fed04ac80.exe
3852	ooqh.exe
3852	ooqh.exe

C:\Users\Admin\AppData\Local\Temp\816dc3c379ba79217bf4ed44f5c6c4c5582be90bceb693a3f48c7e8fed04ac80.exe
"C:\Users\Admin\AppData\Local\Temp\816dc3c379ba79217bf4ed44f5c6c4c5582be90bceb693a3f48c7e8fed04ac80.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:4008

C:\ProgramData\onjgd\cvptm.exe
C:\ProgramData\onjgd\cvptm.exe start
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:3924

C:\Windows\TEMP\ooqh.exe
C:\Windows\TEMP\ooqh.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:3852

C:\ProgramData\gmikuwq\jvct.exe
C:\ProgramData\gmikuwq\jvct.exe start
1⤵
- Executes dropped EXE
PID:1512

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\gmikuwq\jvct.exe
Filesize
254KB

MD5
302deb97018b683371ff1b8d316a12dd

SHA1
23d52e65ac280d5ee23d6698f5950ff989f2c39a

SHA256
816dc3c379ba79217bf4ed44f5c6c4c5582be90bceb693a3f48c7e8fed04ac80

SHA512
8c7947dacdfe2d1985bfa36277e2a04d57dce7db68e88614de23c04efa5e577dd5b159c622f2da486c4f7da6c96b1ad9c3204f7b49d76ff8af0b4abb18c8ec14

Download Submit
C:\ProgramData\gmikuwq\jvct.exe
Filesize
254KB

MD5
302deb97018b683371ff1b8d316a12dd

SHA1
23d52e65ac280d5ee23d6698f5950ff989f2c39a

SHA256
816dc3c379ba79217bf4ed44f5c6c4c5582be90bceb693a3f48c7e8fed04ac80

SHA512
8c7947dacdfe2d1985bfa36277e2a04d57dce7db68e88614de23c04efa5e577dd5b159c622f2da486c4f7da6c96b1ad9c3204f7b49d76ff8af0b4abb18c8ec14

Download Submit
C:\ProgramData\onjgd\cvptm.exe
Filesize
254KB

MD5
302deb97018b683371ff1b8d316a12dd

SHA1
23d52e65ac280d5ee23d6698f5950ff989f2c39a

SHA256
816dc3c379ba79217bf4ed44f5c6c4c5582be90bceb693a3f48c7e8fed04ac80

SHA512
8c7947dacdfe2d1985bfa36277e2a04d57dce7db68e88614de23c04efa5e577dd5b159c622f2da486c4f7da6c96b1ad9c3204f7b49d76ff8af0b4abb18c8ec14

Download Submit
C:\ProgramData\onjgd\cvptm.exe
Filesize
254KB

MD5
302deb97018b683371ff1b8d316a12dd

SHA1
23d52e65ac280d5ee23d6698f5950ff989f2c39a

SHA256
816dc3c379ba79217bf4ed44f5c6c4c5582be90bceb693a3f48c7e8fed04ac80

SHA512
8c7947dacdfe2d1985bfa36277e2a04d57dce7db68e88614de23c04efa5e577dd5b159c622f2da486c4f7da6c96b1ad9c3204f7b49d76ff8af0b4abb18c8ec14

Download Submit
C:\Windows\TEMP\ooqh.exe
Filesize
254KB

MD5
302deb97018b683371ff1b8d316a12dd

SHA1
23d52e65ac280d5ee23d6698f5950ff989f2c39a

SHA256
816dc3c379ba79217bf4ed44f5c6c4c5582be90bceb693a3f48c7e8fed04ac80

SHA512
8c7947dacdfe2d1985bfa36277e2a04d57dce7db68e88614de23c04efa5e577dd5b159c622f2da486c4f7da6c96b1ad9c3204f7b49d76ff8af0b4abb18c8ec14

Download Submit
C:\Windows\Tasks\cvptm.job
Filesize
246B

MD5
8b9badc05f11a93cfc504588c97ff624

SHA1
f9641c2570aa77c767eb8c3ce25beb7d8fb9428b

SHA256
58db9bb1ef80dab5c83309bb8f0b30b1be1297514a503dedb906ab5e5f72352c

SHA512
17ecac71960598a6abb65ea4607e9b77ef7f368a7ed159a513eecf4ec70e8ba36b1fb7eb9c9c13560bf3f480253e77b739a0d2fb1ebd941fe9bdd041aeb32438

Download Submit
C:\Windows\Temp\ooqh.exe
Filesize
254KB

MD5
302deb97018b683371ff1b8d316a12dd

SHA1
23d52e65ac280d5ee23d6698f5950ff989f2c39a

SHA256
816dc3c379ba79217bf4ed44f5c6c4c5582be90bceb693a3f48c7e8fed04ac80

SHA512
8c7947dacdfe2d1985bfa36277e2a04d57dce7db68e88614de23c04efa5e577dd5b159c622f2da486c4f7da6c96b1ad9c3204f7b49d76ff8af0b4abb18c8ec14

Download Submit
memory/1512-134-0x0000000000540000-0x00000000005EE000-memory.dmp

Filesize
696KB

Download
memory/1512-135-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3852-128-0x0000000000580000-0x00000000006CA000-memory.dmp

Filesize
1.3MB

Download
memory/3852-129-0x0000000000580000-0x00000000006CA000-memory.dmp

Filesize
1.3MB

Download
memory/3852-130-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3924-123-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3924-122-0x00000000005E0000-0x00000000005E9000-memory.dmp

Filesize
36KB

Download
memory/3924-121-0x0000000000490000-0x000000000053E000-memory.dmp

Filesize
696KB

Download
memory/4008-115-0x00000000004F0000-0x000000000063A000-memory.dmp

Filesize
1.3MB

Download
memory/4008-117-0x00000000004F0000-0x000000000059E000-memory.dmp

Filesize
696KB

Download
memory/4008-116-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download

Analysis

Sharing