systembc | b2fddc79dd5fbe683e9b8737304494e5b5ebf993382714f3a27c045cb3d7f816

General

Target

b2fddc79dd5fbe683e9b8737304494e5b5ebf993382714f3a27c045cb3d7f816.exe
Size

89KB
MD5

ef794afbd770b7ee3c8a9ccffb9810fe
SHA1

1bc62eeef9f672fbde7df2de77b15b25dbc87610
SHA256

b2fddc79dd5fbe683e9b8737304494e5b5ebf993382714f3a27c045cb3d7f816
SHA512

bc2539be88630e38ebbf27ee603c666815be68f3a45a0b8c04e2df59c77fba094f71f5e1f40789ac558201e7a183b63a379526848cfb35ea724464ee3436d47d

Score

10^/10

systembc trojan

Malware Config

Extracted

Family

systembc

C2

23hfdne.com:4035

23hfdne.xyz:4035

Signatures

SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc
Executes dropped EXE 1 IoCs

Processes:

qskbq.exe

pid process

1484 qskbq.exe
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

5 api.ipify.org
6 api.ipify.org
Uses Tor communications 1 TTPs
Malware can proxy its traffic through Tor for more anonymity.

Connection Proxy
T1090

pid	process
1484	qskbq.exe

flow	ioc
5	api.ipify.org
6	api.ipify.org

Drops file in Windows directory 2 IoCs

Processes:

b2fddc79dd5fbe683e9b8737304494e5b5ebf993382714f3a27c045cb3d7f816.exe

description	ioc	process
File opened for modification	C:\Windows\Tasks\qskbq.job	b2fddc79dd5fbe683e9b8737304494e5b5ebf993382714f3a27c045cb3d7f816.exe
File created	C:\Windows\Tasks\qskbq.job	b2fddc79dd5fbe683e9b8737304494e5b5ebf993382714f3a27c045cb3d7f816.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4400 4260 WerFault.exe b2fddc79dd5fbe683e9b8737304494e5b5ebf993382714f3a27c045cb3d7f816.exe

pid	pid_target	process	target process
4400	4260	WerFault.exe	b2fddc79dd5fbe683e9b8737304494e5b5ebf993382714f3a27c045cb3d7f816.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

b2fddc79dd5fbe683e9b8737304494e5b5ebf993382714f3a27c045cb3d7f816.exe

pid	process
4260	b2fddc79dd5fbe683e9b8737304494e5b5ebf993382714f3a27c045cb3d7f816.exe
4260	b2fddc79dd5fbe683e9b8737304494e5b5ebf993382714f3a27c045cb3d7f816.exe

C:\Users\Admin\AppData\Local\Temp\b2fddc79dd5fbe683e9b8737304494e5b5ebf993382714f3a27c045cb3d7f816.exe
"C:\Users\Admin\AppData\Local\Temp\b2fddc79dd5fbe683e9b8737304494e5b5ebf993382714f3a27c045cb3d7f816.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:4260

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4260 -s 956
2⤵
- Program crash
PID:4400

C:\ProgramData\oeaj\qskbq.exe
C:\ProgramData\oeaj\qskbq.exe start
1⤵
- Executes dropped EXE
PID:1484

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4260 -ip 4260
1⤵
PID:1332

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Connection Proxy

1

T1090

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Connection Proxy

1

T1090

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\oeaj\qskbq.exe
Filesize
89KB

MD5
ef794afbd770b7ee3c8a9ccffb9810fe

SHA1
1bc62eeef9f672fbde7df2de77b15b25dbc87610

SHA256
b2fddc79dd5fbe683e9b8737304494e5b5ebf993382714f3a27c045cb3d7f816

SHA512
bc2539be88630e38ebbf27ee603c666815be68f3a45a0b8c04e2df59c77fba094f71f5e1f40789ac558201e7a183b63a379526848cfb35ea724464ee3436d47d

Download Submit
C:\ProgramData\oeaj\qskbq.exe
Filesize
89KB

MD5
ef794afbd770b7ee3c8a9ccffb9810fe

SHA1
1bc62eeef9f672fbde7df2de77b15b25dbc87610

SHA256
b2fddc79dd5fbe683e9b8737304494e5b5ebf993382714f3a27c045cb3d7f816

SHA512
bc2539be88630e38ebbf27ee603c666815be68f3a45a0b8c04e2df59c77fba094f71f5e1f40789ac558201e7a183b63a379526848cfb35ea724464ee3436d47d

Download Submit
memory/1484-136-0x0000000000742000-0x0000000000749000-memory.dmp

Filesize
28KB

Download
memory/1484-137-0x0000000000742000-0x0000000000749000-memory.dmp

Filesize
28KB

Download
memory/1484-138-0x0000000000400000-0x00000000004D1000-memory.dmp

Filesize
836KB

Download
memory/4260-130-0x0000000000898000-0x000000000089F000-memory.dmp

Filesize
28KB

Download
memory/4260-131-0x0000000000898000-0x000000000089F000-memory.dmp

Filesize
28KB

Download
memory/4260-132-0x0000000002220000-0x0000000002229000-memory.dmp

Filesize
36KB

Download
memory/4260-133-0x0000000000400000-0x00000000004D1000-memory.dmp

Filesize
836KB

Download

Analysis

Sharing