systembc | 88f4f48515fa6a2e7499d28c5d1a6c3558785c1b136ce60c5815a5f9095cb1a9

General

Target

88f4f48515fa6a2e7499d28c5d1a6c3558785c1b136ce60c5815a5f9095cb1a9.exe
Size

357KB
MD5

32294f57e6775a1395ece90371a9deb3
SHA1

f10794c6e6df36de1d5709492f25b9a5a5a246ae
SHA256

88f4f48515fa6a2e7499d28c5d1a6c3558785c1b136ce60c5815a5f9095cb1a9
SHA512

6cf3b10b5b5dc96a57a0ceb7376c31821e821b05900edf95ead5dc70ed2b2d8bab39d950ae6653fce8a1345d9dc0ef15256ccf2116fe3cb16c40713c8cc25677

Score

10^/10

systembc trojan

Malware Config

Extracted

Family

systembc

C2

26asdcgd.com:4039

26asdcgd.xyz:4039

Signatures

SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc
Executes dropped EXE 1 IoCs

Processes:

qsxgbs.exe

pid process

1176 qsxgbs.exe
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

5 api.ipify.org
6 api.ipify.org
Uses Tor communications 1 TTPs
Malware can proxy its traffic through Tor for more anonymity.

Connection Proxy
T1090

pid	process
1176	qsxgbs.exe

flow	ioc
5	api.ipify.org
6	api.ipify.org

Drops file in Windows directory 2 IoCs

Processes:

88f4f48515fa6a2e7499d28c5d1a6c3558785c1b136ce60c5815a5f9095cb1a9.exe

description	ioc	process
File created	C:\Windows\Tasks\qsxgbs.job	88f4f48515fa6a2e7499d28c5d1a6c3558785c1b136ce60c5815a5f9095cb1a9.exe
File opened for modification	C:\Windows\Tasks\qsxgbs.job	88f4f48515fa6a2e7499d28c5d1a6c3558785c1b136ce60c5815a5f9095cb1a9.exe

Program crash 8 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
2508	1652	WerFault.exe	88f4f48515fa6a2e7499d28c5d1a6c3558785c1b136ce60c5815a5f9095cb1a9.exe
2504	1176	WerFault.exe	qsxgbs.exe
3076	1176	WerFault.exe	qsxgbs.exe
4756	1652	WerFault.exe	88f4f48515fa6a2e7499d28c5d1a6c3558785c1b136ce60c5815a5f9095cb1a9.exe
5032	1652	WerFault.exe	88f4f48515fa6a2e7499d28c5d1a6c3558785c1b136ce60c5815a5f9095cb1a9.exe
4428	1176	WerFault.exe	qsxgbs.exe
4444	1176	WerFault.exe	qsxgbs.exe
4640	1652	WerFault.exe	88f4f48515fa6a2e7499d28c5d1a6c3558785c1b136ce60c5815a5f9095cb1a9.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

88f4f48515fa6a2e7499d28c5d1a6c3558785c1b136ce60c5815a5f9095cb1a9.exe

pid	process
1652	88f4f48515fa6a2e7499d28c5d1a6c3558785c1b136ce60c5815a5f9095cb1a9.exe
1652	88f4f48515fa6a2e7499d28c5d1a6c3558785c1b136ce60c5815a5f9095cb1a9.exe

C:\Users\Admin\AppData\Local\Temp\88f4f48515fa6a2e7499d28c5d1a6c3558785c1b136ce60c5815a5f9095cb1a9.exe
"C:\Users\Admin\AppData\Local\Temp\88f4f48515fa6a2e7499d28c5d1a6c3558785c1b136ce60c5815a5f9095cb1a9.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:1652

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1652 -s 488
2⤵
- Program crash
PID:2508

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1652 -s 944
2⤵
- Program crash
PID:4756

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1652 -s 956
2⤵
- Program crash
PID:5032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1652 -s 936
2⤵
- Program crash
PID:4640

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 1652 -ip 1652
1⤵
PID:2548

C:\ProgramData\ckjme\qsxgbs.exe
C:\ProgramData\ckjme\qsxgbs.exe start
1⤵
- Executes dropped EXE
PID:1176

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1176 -s 208
2⤵
- Program crash
PID:2504

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1176 -s 768
2⤵
- Program crash
PID:3076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1176 -s 772
2⤵
- Program crash
PID:4428

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1176 -s 868
2⤵
- Program crash
PID:4444

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 1176 -ip 1176
1⤵
PID:1508

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1176 -ip 1176
1⤵
PID:2664

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1652 -ip 1652
1⤵
PID:4424

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 1652 -ip 1652
1⤵
PID:4088

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1176 -ip 1176
1⤵
PID:5072

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1176 -ip 1176
1⤵
PID:2372

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 1652 -ip 1652
1⤵
PID:5092

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Connection Proxy

1

T1090

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Connection Proxy

1

T1090

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\ckjme\qsxgbs.exe
Filesize
357KB

MD5
32294f57e6775a1395ece90371a9deb3

SHA1
f10794c6e6df36de1d5709492f25b9a5a5a246ae

SHA256
88f4f48515fa6a2e7499d28c5d1a6c3558785c1b136ce60c5815a5f9095cb1a9

SHA512
6cf3b10b5b5dc96a57a0ceb7376c31821e821b05900edf95ead5dc70ed2b2d8bab39d950ae6653fce8a1345d9dc0ef15256ccf2116fe3cb16c40713c8cc25677

Download Submit
C:\ProgramData\ckjme\qsxgbs.exe
Filesize
357KB

MD5
32294f57e6775a1395ece90371a9deb3

SHA1
f10794c6e6df36de1d5709492f25b9a5a5a246ae

SHA256
88f4f48515fa6a2e7499d28c5d1a6c3558785c1b136ce60c5815a5f9095cb1a9

SHA512
6cf3b10b5b5dc96a57a0ceb7376c31821e821b05900edf95ead5dc70ed2b2d8bab39d950ae6653fce8a1345d9dc0ef15256ccf2116fe3cb16c40713c8cc25677

Download Submit
memory/1176-136-0x0000000000DA4000-0x0000000000DAB000-memory.dmp

Filesize
28KB

Download
memory/1176-137-0x0000000000DA4000-0x0000000000DAB000-memory.dmp

Filesize
28KB

Download
memory/1176-138-0x0000000000D50000-0x0000000000D59000-memory.dmp

Filesize
36KB

Download
memory/1176-139-0x0000000000400000-0x0000000000C33000-memory.dmp

Filesize
8.2MB

Download
memory/1652-130-0x0000000000F78000-0x0000000000F7F000-memory.dmp

Filesize
28KB

Download
memory/1652-131-0x0000000000F78000-0x0000000000F7F000-memory.dmp

Filesize
28KB

Download
memory/1652-132-0x0000000000ED0000-0x0000000000ED9000-memory.dmp

Filesize
36KB

Download
memory/1652-133-0x0000000000400000-0x0000000000C33000-memory.dmp

Filesize
8.2MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads