systembc | da7a3b341caea242aa95018d0e629b2ddc823763b721aeccdb1c9884d8f9ef24

General

Target

da7a3b341caea242aa95018d0e629b2ddc823763b721aeccdb1c9884d8f9ef24.exe
Size

87KB
MD5

dbfa6717c7f896d0d19696866e0dba24
SHA1

78426c577a9d521f96010efaa8d1038773e5f853
SHA256

da7a3b341caea242aa95018d0e629b2ddc823763b721aeccdb1c9884d8f9ef24
SHA512

5f4601e79e2b2348dfcd56eac79c85160545d3c279bc1027c14aa533a38f0ecd457575144eb4485fbd5d580c7a2865e9bd6aa12f2df123ab8dff888ca586a249

Score

10^/10

systembc suricata trojan

Malware Config

Extracted

Family

systembc

C2

advertrex20.xyz:4044

gentexman37.xyz:4044

Signatures

SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc
suricata: ET MALWARE Observed SystemBC CnC Domain in DNS Query
suricata: ET MALWARE Observed SystemBC CnC Domain in DNS Query
suricata
Executes dropped EXE 1 IoCs

Processes:

qaxfiwp.exe

pid process

2040 qaxfiwp.exe
Unexpected DNS network traffic destination 1 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.

Processes:

description ioc

Destination IP 88.198.207.48
Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

6 api.ipify.org
7 ip4.seeip.org
8 ip4.seeip.org
5 api.ipify.org
Uses Tor communications 1 TTPs
Malware can proxy its traffic through Tor for more anonymity.

Connection Proxy
T1090

pid	process
2040	qaxfiwp.exe

description	ioc
Destination IP	88.198.207.48

flow	ioc
6	api.ipify.org
7	ip4.seeip.org
8	ip4.seeip.org
5	api.ipify.org

Drops file in Windows directory 2 IoCs

Processes:

da7a3b341caea242aa95018d0e629b2ddc823763b721aeccdb1c9884d8f9ef24.exe

description	ioc	process
File created	C:\Windows\Tasks\qaxfiwp.job	da7a3b341caea242aa95018d0e629b2ddc823763b721aeccdb1c9884d8f9ef24.exe
File opened for modification	C:\Windows\Tasks\qaxfiwp.job	da7a3b341caea242aa95018d0e629b2ddc823763b721aeccdb1c9884d8f9ef24.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

da7a3b341caea242aa95018d0e629b2ddc823763b721aeccdb1c9884d8f9ef24.exe

pid process

1892 da7a3b341caea242aa95018d0e629b2ddc823763b721aeccdb1c9884d8f9ef24.exe

pid	process
1892	da7a3b341caea242aa95018d0e629b2ddc823763b721aeccdb1c9884d8f9ef24.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

taskeng.exe

description	pid	process	target process
PID 1072 wrote to memory of 2040	1072	taskeng.exe	qaxfiwp.exe
PID 1072 wrote to memory of 2040	1072	taskeng.exe	qaxfiwp.exe
PID 1072 wrote to memory of 2040	1072	taskeng.exe	qaxfiwp.exe
PID 1072 wrote to memory of 2040	1072	taskeng.exe	qaxfiwp.exe

C:\Users\Admin\AppData\Local\Temp\da7a3b341caea242aa95018d0e629b2ddc823763b721aeccdb1c9884d8f9ef24.exe
"C:\Users\Admin\AppData\Local\Temp\da7a3b341caea242aa95018d0e629b2ddc823763b721aeccdb1c9884d8f9ef24.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:1892

C:\Windows\system32\taskeng.exe
taskeng.exe {B170AF2D-BBC1-4E2C-83E3-133EC68A65FB} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:1072

C:\ProgramData\gbcts\qaxfiwp.exe
C:\ProgramData\gbcts\qaxfiwp.exe start
2⤵
- Executes dropped EXE
PID:2040

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Connection Proxy

1

T1090

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Connection Proxy

1

T1090

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\gbcts\qaxfiwp.exe
Filesize
87KB

MD5
dbfa6717c7f896d0d19696866e0dba24

SHA1
78426c577a9d521f96010efaa8d1038773e5f853

SHA256
da7a3b341caea242aa95018d0e629b2ddc823763b721aeccdb1c9884d8f9ef24

SHA512
5f4601e79e2b2348dfcd56eac79c85160545d3c279bc1027c14aa533a38f0ecd457575144eb4485fbd5d580c7a2865e9bd6aa12f2df123ab8dff888ca586a249

Download Submit
C:\ProgramData\gbcts\qaxfiwp.exe
Filesize
87KB

MD5
dbfa6717c7f896d0d19696866e0dba24

SHA1
78426c577a9d521f96010efaa8d1038773e5f853

SHA256
da7a3b341caea242aa95018d0e629b2ddc823763b721aeccdb1c9884d8f9ef24

SHA512
5f4601e79e2b2348dfcd56eac79c85160545d3c279bc1027c14aa533a38f0ecd457575144eb4485fbd5d580c7a2865e9bd6aa12f2df123ab8dff888ca586a249

Download Submit
memory/1892-55-0x0000000075E41000-0x0000000075E43000-memory.dmp

Filesize
8KB

Download
memory/1892-57-0x00000000003A0000-0x00000000003A9000-memory.dmp

Filesize
36KB

Download
memory/1892-56-0x0000000000230000-0x0000000000330000-memory.dmp

Filesize
1024KB

Download
memory/1892-58-0x0000000000400000-0x0000000002FA1000-memory.dmp

Filesize
43.6MB

Download
memory/2040-60-0x0000000000000000-mapping.dmp

Download
memory/2040-62-0x000000000314B000-0x0000000003152000-memory.dmp

Filesize
28KB

Download
memory/2040-64-0x000000000314B000-0x0000000003152000-memory.dmp

Filesize
28KB

Download
memory/2040-65-0x0000000000400000-0x0000000002FA1000-memory.dmp

Filesize
43.6MB

Download

Analysis

Sharing