systembc | f59636192874b9735dc7a4cb55eb0aa64e5499df1e7154a807b3cc0a46e35572

General

Target

f59636192874b9735dc7a4cb55eb0aa64e5499df1e7154a807b3cc0a46e35572.exe
Size

152KB
MD5

fdc04e9186fa3085fac12d029542ae33
SHA1

168d4d4614d89fa69bb9af26d7373ceae5ea09b3
SHA256

f59636192874b9735dc7a4cb55eb0aa64e5499df1e7154a807b3cc0a46e35572
SHA512

e3f3baa0331d371f22891288542ca04057f06cb0e288c2cb34e7e9ed008116e8f8361ea10dca6a1fd38bbc5093cf1981e51f79b2a128cd569cbf9bc742ad82c0

Score

10^/10

systembc suricata trojan

Malware Config

Extracted

Family

systembc

C2

advertrex20.xyz:4044

gentexman37.xyz:4044

Signatures

SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc
suricata: ET MALWARE Observed SystemBC CnC Domain in DNS Query
suricata: ET MALWARE Observed SystemBC CnC Domain in DNS Query
suricata
Executes dropped EXE 1 IoCs

Processes:

nqboesi.exe

pid process

1696 nqboesi.exe
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

22 api.ipify.org
23 api.ipify.org
Uses Tor communications 1 TTPs
Malware can proxy its traffic through Tor for more anonymity.

Connection Proxy
T1090

pid	process
1696	nqboesi.exe

flow	ioc
22	api.ipify.org
23	api.ipify.org

Drops file in Windows directory 2 IoCs

Processes:

f59636192874b9735dc7a4cb55eb0aa64e5499df1e7154a807b3cc0a46e35572.exe

description	ioc	process
File created	C:\Windows\Tasks\nqboesi.job	f59636192874b9735dc7a4cb55eb0aa64e5499df1e7154a807b3cc0a46e35572.exe
File opened for modification	C:\Windows\Tasks\nqboesi.job	f59636192874b9735dc7a4cb55eb0aa64e5499df1e7154a807b3cc0a46e35572.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1860 2608 WerFault.exe f59636192874b9735dc7a4cb55eb0aa64e5499df1e7154a807b3cc0a46e35572.exe

pid	pid_target	process	target process
1860	2608	WerFault.exe	f59636192874b9735dc7a4cb55eb0aa64e5499df1e7154a807b3cc0a46e35572.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

f59636192874b9735dc7a4cb55eb0aa64e5499df1e7154a807b3cc0a46e35572.exe

pid	process
2608	f59636192874b9735dc7a4cb55eb0aa64e5499df1e7154a807b3cc0a46e35572.exe
2608	f59636192874b9735dc7a4cb55eb0aa64e5499df1e7154a807b3cc0a46e35572.exe

C:\Users\Admin\AppData\Local\Temp\f59636192874b9735dc7a4cb55eb0aa64e5499df1e7154a807b3cc0a46e35572.exe
"C:\Users\Admin\AppData\Local\Temp\f59636192874b9735dc7a4cb55eb0aa64e5499df1e7154a807b3cc0a46e35572.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:2608
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2608 -s 484
  2⤵
  - Program crash
  PID:1860

C:\ProgramData\rixis\nqboesi.exe
C:\ProgramData\rixis\nqboesi.exe start
1⤵
- Executes dropped EXE
PID:1696

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 2608 -ip 2608
1⤵
PID:3948

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Connection Proxy

1

T1090

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Connection Proxy

1

T1090

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\rixis\nqboesi.exe

Filesize
152KB

MD5
fdc04e9186fa3085fac12d029542ae33

SHA1
168d4d4614d89fa69bb9af26d7373ceae5ea09b3

SHA256
f59636192874b9735dc7a4cb55eb0aa64e5499df1e7154a807b3cc0a46e35572

SHA512
e3f3baa0331d371f22891288542ca04057f06cb0e288c2cb34e7e9ed008116e8f8361ea10dca6a1fd38bbc5093cf1981e51f79b2a128cd569cbf9bc742ad82c0

Download Submit
C:\ProgramData\rixis\nqboesi.exe

Filesize
152KB

MD5
fdc04e9186fa3085fac12d029542ae33

SHA1
168d4d4614d89fa69bb9af26d7373ceae5ea09b3

SHA256
f59636192874b9735dc7a4cb55eb0aa64e5499df1e7154a807b3cc0a46e35572

SHA512
e3f3baa0331d371f22891288542ca04057f06cb0e288c2cb34e7e9ed008116e8f8361ea10dca6a1fd38bbc5093cf1981e51f79b2a128cd569cbf9bc742ad82c0

Download Submit
memory/1696-136-0x0000000003288000-0x000000000328F000-memory.dmp

Filesize
28KB

Download
memory/1696-137-0x0000000003288000-0x000000000328F000-memory.dmp

Filesize
28KB

Download
memory/1696-138-0x0000000000400000-0x0000000002FB2000-memory.dmp

Filesize
43.7MB

Download
memory/2608-130-0x000000000303D000-0x0000000003044000-memory.dmp

Filesize
28KB

Download
memory/2608-131-0x000000000303D000-0x0000000003044000-memory.dmp

Filesize
28KB

Download
memory/2608-132-0x0000000003130000-0x0000000003139000-memory.dmp

Filesize
36KB

Download
memory/2608-133-0x0000000000400000-0x0000000002FB2000-memory.dmp

Filesize
43.7MB

Download

Analysis

Sharing