systembc | 2dc9d1c67be6bd53a8a27d3e76a65bcb177d9b7e2a8858e87e4742f22b4bffa9

General

Target

2dc9d1c67be6bd53a8a27d3e76a65bcb177d9b7e2a8858e87e4742f22b4bffa9.exe
Size

263KB
MD5

98074264b902c847f5bc9ca28b0bd690
SHA1

94c72ed82e131caff62f88fe1e5a611f4c007beb
SHA256

2dc9d1c67be6bd53a8a27d3e76a65bcb177d9b7e2a8858e87e4742f22b4bffa9
SHA512

6a00287dadf57a002ca281c9a2349caf0a4bf6ed6510ab77d973a5331f31d12616b903c93ee54e7ef226271f6c256f086aec7572510fbcc4f0fc6503d090a1b1

Score

10^/10

systembc trojan

Family

systembc

C2

advertrex20.xyz:4044

gentexman37.xyz:4044

SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc
Executes dropped EXE 1 IoCs

Processes:

fxame.exe

pid process

2028 fxame.exe

pid	process
2028	fxame.exe

Drops file in Windows directory 2 IoCs

Processes:

2dc9d1c67be6bd53a8a27d3e76a65bcb177d9b7e2a8858e87e4742f22b4bffa9.exe

description	ioc	process
File created	C:\Windows\Tasks\fxame.job	2dc9d1c67be6bd53a8a27d3e76a65bcb177d9b7e2a8858e87e4742f22b4bffa9.exe
File opened for modification	C:\Windows\Tasks\fxame.job	2dc9d1c67be6bd53a8a27d3e76a65bcb177d9b7e2a8858e87e4742f22b4bffa9.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

2dc9d1c67be6bd53a8a27d3e76a65bcb177d9b7e2a8858e87e4742f22b4bffa9.exe

pid process

1840 2dc9d1c67be6bd53a8a27d3e76a65bcb177d9b7e2a8858e87e4742f22b4bffa9.exe

pid	process
1840	2dc9d1c67be6bd53a8a27d3e76a65bcb177d9b7e2a8858e87e4742f22b4bffa9.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

taskeng.exe

description	pid	process	target process
PID 1692 wrote to memory of 2028	1692	taskeng.exe	fxame.exe
PID 1692 wrote to memory of 2028	1692	taskeng.exe	fxame.exe
PID 1692 wrote to memory of 2028	1692	taskeng.exe	fxame.exe
PID 1692 wrote to memory of 2028	1692	taskeng.exe	fxame.exe

C:\Windows\system32\taskeng.exe
taskeng.exe {9E3AFF43-7144-44E7-9A3A-C70D00FD44EF} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:1692

C:\ProgramData\puag\fxame.exe
C:\ProgramData\puag\fxame.exe start
2⤵
- Executes dropped EXE
PID:2028

C:\ProgramData\puag\fxame.exe
Filesize
263KB

MD5
98074264b902c847f5bc9ca28b0bd690

SHA1
94c72ed82e131caff62f88fe1e5a611f4c007beb

SHA256
2dc9d1c67be6bd53a8a27d3e76a65bcb177d9b7e2a8858e87e4742f22b4bffa9

SHA512
6a00287dadf57a002ca281c9a2349caf0a4bf6ed6510ab77d973a5331f31d12616b903c93ee54e7ef226271f6c256f086aec7572510fbcc4f0fc6503d090a1b1

Download Submit
C:\ProgramData\puag\fxame.exe
Filesize
263KB

MD5
98074264b902c847f5bc9ca28b0bd690

SHA1
94c72ed82e131caff62f88fe1e5a611f4c007beb

SHA256
2dc9d1c67be6bd53a8a27d3e76a65bcb177d9b7e2a8858e87e4742f22b4bffa9

SHA512
6a00287dadf57a002ca281c9a2349caf0a4bf6ed6510ab77d973a5331f31d12616b903c93ee54e7ef226271f6c256f086aec7572510fbcc4f0fc6503d090a1b1

Download Submit
memory/1840-54-0x0000000075E31000-0x0000000075E33000-memory.dmp

Filesize
8KB

Download
memory/1840-56-0x0000000000030000-0x0000000000039000-memory.dmp

Filesize
36KB

Download
memory/1840-55-0x0000000000020000-0x0000000000026000-memory.dmp

Filesize
24KB

Download
memory/1840-57-0x0000000000400000-0x00000000004D1000-memory.dmp

Filesize
836KB

Download
memory/2028-59-0x0000000000000000-mapping.dmp

Download
memory/2028-62-0x0000000000400000-0x00000000004D1000-memory.dmp

Filesize
836KB

Download