systembc | da7a3b341caea242aa95018d0e629b2ddc823763b721aeccdb1c9884d8f9ef24

General

Target

da7a3b341caea242aa95018d0e629b2ddc823763b721aeccdb1c9884d8f9ef24.exe
Size

87KB
MD5

dbfa6717c7f896d0d19696866e0dba24
SHA1

78426c577a9d521f96010efaa8d1038773e5f853
SHA256

da7a3b341caea242aa95018d0e629b2ddc823763b721aeccdb1c9884d8f9ef24
SHA512

5f4601e79e2b2348dfcd56eac79c85160545d3c279bc1027c14aa533a38f0ecd457575144eb4485fbd5d580c7a2865e9bd6aa12f2df123ab8dff888ca586a249

Score

10^/10

systembc suricata trojan

Malware Config

Extracted

Family

systembc

C2

advertrex20.xyz:4044

gentexman37.xyz:4044

Signatures

SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc
suricata: ET MALWARE Observed SystemBC CnC Domain in DNS Query
suricata: ET MALWARE Observed SystemBC CnC Domain in DNS Query
suricata
Executes dropped EXE 1 IoCs

Processes:

iprs.exe

pid process

5052 iprs.exe
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

22 api.ipify.org
23 api.ipify.org
Uses Tor communications 1 TTPs
Malware can proxy its traffic through Tor for more anonymity.

Connection Proxy
T1090

pid	process
5052	iprs.exe

flow	ioc
22	api.ipify.org
23	api.ipify.org

Drops file in Windows directory 2 IoCs

Processes:

da7a3b341caea242aa95018d0e629b2ddc823763b721aeccdb1c9884d8f9ef24.exe

description	ioc	process
File created	C:\Windows\Tasks\iprs.job	da7a3b341caea242aa95018d0e629b2ddc823763b721aeccdb1c9884d8f9ef24.exe
File opened for modification	C:\Windows\Tasks\iprs.job	da7a3b341caea242aa95018d0e629b2ddc823763b721aeccdb1c9884d8f9ef24.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4300 4780 WerFault.exe da7a3b341caea242aa95018d0e629b2ddc823763b721aeccdb1c9884d8f9ef24.exe

pid	pid_target	process	target process
4300	4780	WerFault.exe	da7a3b341caea242aa95018d0e629b2ddc823763b721aeccdb1c9884d8f9ef24.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

da7a3b341caea242aa95018d0e629b2ddc823763b721aeccdb1c9884d8f9ef24.exe

pid	process
4780	da7a3b341caea242aa95018d0e629b2ddc823763b721aeccdb1c9884d8f9ef24.exe
4780	da7a3b341caea242aa95018d0e629b2ddc823763b721aeccdb1c9884d8f9ef24.exe

C:\Users\Admin\AppData\Local\Temp\da7a3b341caea242aa95018d0e629b2ddc823763b721aeccdb1c9884d8f9ef24.exe
"C:\Users\Admin\AppData\Local\Temp\da7a3b341caea242aa95018d0e629b2ddc823763b721aeccdb1c9884d8f9ef24.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:4780

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4780 -s 948
2⤵
- Program crash
PID:4300

C:\ProgramData\swwubw\iprs.exe
C:\ProgramData\swwubw\iprs.exe start
1⤵
- Executes dropped EXE
PID:5052

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4780 -ip 4780
1⤵
PID:4336

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Connection Proxy

1

T1090

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Connection Proxy

1

T1090

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\swwubw\iprs.exe
Filesize
87KB

MD5
dbfa6717c7f896d0d19696866e0dba24

SHA1
78426c577a9d521f96010efaa8d1038773e5f853

SHA256
da7a3b341caea242aa95018d0e629b2ddc823763b721aeccdb1c9884d8f9ef24

SHA512
5f4601e79e2b2348dfcd56eac79c85160545d3c279bc1027c14aa533a38f0ecd457575144eb4485fbd5d580c7a2865e9bd6aa12f2df123ab8dff888ca586a249

Download Submit
C:\ProgramData\swwubw\iprs.exe
Filesize
87KB

MD5
dbfa6717c7f896d0d19696866e0dba24

SHA1
78426c577a9d521f96010efaa8d1038773e5f853

SHA256
da7a3b341caea242aa95018d0e629b2ddc823763b721aeccdb1c9884d8f9ef24

SHA512
5f4601e79e2b2348dfcd56eac79c85160545d3c279bc1027c14aa533a38f0ecd457575144eb4485fbd5d580c7a2865e9bd6aa12f2df123ab8dff888ca586a249

Download Submit
memory/4780-134-0x0000000003278000-0x000000000327F000-memory.dmp

Filesize
28KB

Download
memory/4780-135-0x0000000003278000-0x000000000327F000-memory.dmp

Filesize
28KB

Download
memory/4780-136-0x00000000030F0000-0x00000000030F9000-memory.dmp

Filesize
36KB

Download
memory/4780-137-0x0000000000400000-0x0000000002FA1000-memory.dmp

Filesize
43.6MB

Download
memory/5052-140-0x0000000003103000-0x0000000003109000-memory.dmp

Filesize
24KB

Download
memory/5052-141-0x0000000003103000-0x0000000003109000-memory.dmp

Filesize
24KB

Download
memory/5052-142-0x0000000003860000-0x0000000003869000-memory.dmp

Filesize
36KB

Download
memory/5052-143-0x0000000000400000-0x0000000002FA1000-memory.dmp

Filesize
43.6MB

Download

Analysis

Sharing