systembc | 271fe3448d93bd8763141e498c63551bfbd4633c83f51af3a20d7d97120a05f2

General

Target

271fe3448d93bd8763141e498c63551bfbd4633c83f51af3a20d7d97120a05f2.exe
Size

308KB
MD5

ffcf9dc241ae44958360fce0600d1f79
SHA1

f469de123bbb6fc61d72a95b85260fc3b2f33ac4
SHA256

271fe3448d93bd8763141e498c63551bfbd4633c83f51af3a20d7d97120a05f2
SHA512

f923c49c078c15063ae6a96730286bbeeab0dd74f6f3b90edf6b57665cb288e6e1e013134593ace34756eef6ea650ed051295ea5de070fdf8465aeb4373e40df

Score

10^/10

systembc suricata trojan

Malware Config

Extracted

Family

systembc

C2

advertrex20.xyz:4044

gentexman37.xyz:4044

Signatures

SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc
suricata: ET MALWARE Observed SystemBC CnC Domain in DNS Query
suricata: ET MALWARE Observed SystemBC CnC Domain in DNS Query
suricata
Executes dropped EXE 1 IoCs

Processes:

sdkorva.exe

pid process

1396 sdkorva.exe
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

18 api.ipify.org
19 api.ipify.org
Uses Tor communications 1 TTPs
Malware can proxy its traffic through Tor for more anonymity.

Connection Proxy
T1090

pid	process
1396	sdkorva.exe

flow	ioc
18	api.ipify.org
19	api.ipify.org

Drops file in Windows directory 2 IoCs

Processes:

271fe3448d93bd8763141e498c63551bfbd4633c83f51af3a20d7d97120a05f2.exe

description	ioc	process
File created	C:\Windows\Tasks\sdkorva.job	271fe3448d93bd8763141e498c63551bfbd4633c83f51af3a20d7d97120a05f2.exe
File opened for modification	C:\Windows\Tasks\sdkorva.job	271fe3448d93bd8763141e498c63551bfbd4633c83f51af3a20d7d97120a05f2.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1736 984 WerFault.exe 271fe3448d93bd8763141e498c63551bfbd4633c83f51af3a20d7d97120a05f2.exe

pid	pid_target	process	target process
1736	984	WerFault.exe	271fe3448d93bd8763141e498c63551bfbd4633c83f51af3a20d7d97120a05f2.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

271fe3448d93bd8763141e498c63551bfbd4633c83f51af3a20d7d97120a05f2.exe

pid	process
984	271fe3448d93bd8763141e498c63551bfbd4633c83f51af3a20d7d97120a05f2.exe
984	271fe3448d93bd8763141e498c63551bfbd4633c83f51af3a20d7d97120a05f2.exe

C:\Users\Admin\AppData\Local\Temp\271fe3448d93bd8763141e498c63551bfbd4633c83f51af3a20d7d97120a05f2.exe
"C:\Users\Admin\AppData\Local\Temp\271fe3448d93bd8763141e498c63551bfbd4633c83f51af3a20d7d97120a05f2.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:984
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 984 -s 476
  2⤵
  - Program crash
  PID:1736

C:\ProgramData\ucikij\sdkorva.exe
C:\ProgramData\ucikij\sdkorva.exe start
1⤵
- Executes dropped EXE
PID:1396

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 984 -ip 984
1⤵
PID:4512

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Connection Proxy

1

T1090

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Connection Proxy

1

T1090

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\ucikij\sdkorva.exe

Filesize
308KB

MD5
ffcf9dc241ae44958360fce0600d1f79

SHA1
f469de123bbb6fc61d72a95b85260fc3b2f33ac4

SHA256
271fe3448d93bd8763141e498c63551bfbd4633c83f51af3a20d7d97120a05f2

SHA512
f923c49c078c15063ae6a96730286bbeeab0dd74f6f3b90edf6b57665cb288e6e1e013134593ace34756eef6ea650ed051295ea5de070fdf8465aeb4373e40df

Download Submit
C:\ProgramData\ucikij\sdkorva.exe

Filesize
308KB

MD5
ffcf9dc241ae44958360fce0600d1f79

SHA1
f469de123bbb6fc61d72a95b85260fc3b2f33ac4

SHA256
271fe3448d93bd8763141e498c63551bfbd4633c83f51af3a20d7d97120a05f2

SHA512
f923c49c078c15063ae6a96730286bbeeab0dd74f6f3b90edf6b57665cb288e6e1e013134593ace34756eef6ea650ed051295ea5de070fdf8465aeb4373e40df

Download Submit
memory/984-130-0x0000000000030000-0x0000000000036000-memory.dmp

Filesize
24KB

Download
memory/984-131-0x00000000001C0000-0x00000000001C9000-memory.dmp

Filesize
36KB

Download
memory/984-132-0x0000000000400000-0x00000000004E0000-memory.dmp

Filesize
896KB

Download
memory/1396-135-0x0000000000030000-0x0000000000036000-memory.dmp

Filesize
24KB

Download
memory/1396-136-0x0000000000400000-0x00000000004E0000-memory.dmp

Filesize
896KB

Download

Analysis

Sharing