systembc | b04c7dce719518a0dbaf507b52933b819f2f977247e1bbf2ad035d98a29804b1

Analysis

Target

b04c7dce719518a0dbaf507b52933b819f2f977247e1bbf2ad035d98a29804b1.exe
Size

866KB
MD5

fdb9813699083ae48b8e0429602d3914
SHA1

0f33bf725b45aba804f7e3b194a0c28e8fa94885
SHA256

b04c7dce719518a0dbaf507b52933b819f2f977247e1bbf2ad035d98a29804b1
SHA512

d280e97ee165f062beb54f2f9d1f1bbe92c95a8936ef35f8616b56416b5fb1e9a35b6f27ce4c569bf60b086727b35e6e80d58835eb85ea715ce41972e96387b4

Score

10^/10

systembc trojan

Family

systembc

179.43.178.96:4141

192.168.1.149:4141

SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc
Executes dropped EXE 1 IoCs

Processes:

tdurhs.exe

pid process

768 tdurhs.exe

pid	process
768	tdurhs.exe

Drops file in Windows directory 2 IoCs

Processes:

b04c7dce719518a0dbaf507b52933b819f2f977247e1bbf2ad035d98a29804b1.exe

description	ioc	process
File created	C:\Windows\Tasks\tdurhs.job	b04c7dce719518a0dbaf507b52933b819f2f977247e1bbf2ad035d98a29804b1.exe
File opened for modification	C:\Windows\Tasks\tdurhs.job	b04c7dce719518a0dbaf507b52933b819f2f977247e1bbf2ad035d98a29804b1.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

taskeng.exe

description	pid	process	target process
PID 520 wrote to memory of 768	520	taskeng.exe	tdurhs.exe
PID 520 wrote to memory of 768	520	taskeng.exe	tdurhs.exe
PID 520 wrote to memory of 768	520	taskeng.exe	tdurhs.exe
PID 520 wrote to memory of 768	520	taskeng.exe	tdurhs.exe

C:\Users\Admin\AppData\Local\Temp\b04c7dce719518a0dbaf507b52933b819f2f977247e1bbf2ad035d98a29804b1.exe
"C:\Users\Admin\AppData\Local\Temp\b04c7dce719518a0dbaf507b52933b819f2f977247e1bbf2ad035d98a29804b1.exe"
1⤵
- Drops file in Windows directory
PID:1972

C:\Windows\system32\taskeng.exe
taskeng.exe {7357C892-BAF1-4B95-BBAE-3BDA789CAB00} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:520

C:\ProgramData\nemcow\tdurhs.exe
C:\ProgramData\nemcow\tdurhs.exe start
2⤵
- Executes dropped EXE
PID:768

C:\ProgramData\nemcow\tdurhs.exe
Filesize
866KB

MD5
fdb9813699083ae48b8e0429602d3914

SHA1
0f33bf725b45aba804f7e3b194a0c28e8fa94885

SHA256
b04c7dce719518a0dbaf507b52933b819f2f977247e1bbf2ad035d98a29804b1

SHA512
d280e97ee165f062beb54f2f9d1f1bbe92c95a8936ef35f8616b56416b5fb1e9a35b6f27ce4c569bf60b086727b35e6e80d58835eb85ea715ce41972e96387b4

Download Submit
C:\ProgramData\nemcow\tdurhs.exe
Filesize
866KB

MD5
fdb9813699083ae48b8e0429602d3914

SHA1
0f33bf725b45aba804f7e3b194a0c28e8fa94885

SHA256
b04c7dce719518a0dbaf507b52933b819f2f977247e1bbf2ad035d98a29804b1

SHA512
d280e97ee165f062beb54f2f9d1f1bbe92c95a8936ef35f8616b56416b5fb1e9a35b6f27ce4c569bf60b086727b35e6e80d58835eb85ea715ce41972e96387b4

Download Submit
memory/768-58-0x0000000000000000-mapping.dmp

Download
memory/768-61-0x0000000000400000-0x00000000004D9000-memory.dmp

Filesize
868KB

Download
memory/1972-54-0x0000000076BC1000-0x0000000076BC3000-memory.dmp

Filesize
8KB

Download
memory/1972-55-0x00000000001B0000-0x00000000001B5000-memory.dmp

Filesize
20KB

Download
memory/1972-56-0x0000000000400000-0x00000000004D9000-memory.dmp

Filesize
868KB

Download