systembc | 1cbfeebc0561f8989bd66b25807a8d20cbe1ef91b021b16296c38ca02603448a

General

Target

1cbfeebc0561f8989bd66b25807a8d20cbe1ef91b021b16296c38ca02603448a.exe
Size

254KB
MD5

db935d9703763461691ff0250366cfcc
SHA1

711569fe53a73d8083bc895f731e80a9a08d3814
SHA256

1cbfeebc0561f8989bd66b25807a8d20cbe1ef91b021b16296c38ca02603448a
SHA512

d50c59b46ea4488560a9c343ad2108a3db47e0d33f636758362a2ed3d014f5feab6b0143196fb4ab116fec120433346cf2b43f19341a831cd7e0585c28c31555

Score

10^/10

systembc trojan

Malware Config

Extracted

Family

systembc

C2

26asdcgd.com:4039

26asdcgd.xyz:4039

Signatures

SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc
Executes dropped EXE 1 IoCs

Processes:

fjqgn.exe

pid process

1416 fjqgn.exe
Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 api.ipify.org
5 api.ipify.org
6 ip4.seeip.org
7 ip4.seeip.org
Uses Tor communications 1 TTPs
Malware can proxy its traffic through Tor for more anonymity.

Connection Proxy
T1090

pid	process
1416	fjqgn.exe

flow	ioc
4	api.ipify.org
5	api.ipify.org
6	ip4.seeip.org
7	ip4.seeip.org

Drops file in Windows directory 2 IoCs

Processes:

1cbfeebc0561f8989bd66b25807a8d20cbe1ef91b021b16296c38ca02603448a.exe

description	ioc	process
File created	C:\Windows\Tasks\fjqgn.job	1cbfeebc0561f8989bd66b25807a8d20cbe1ef91b021b16296c38ca02603448a.exe
File opened for modification	C:\Windows\Tasks\fjqgn.job	1cbfeebc0561f8989bd66b25807a8d20cbe1ef91b021b16296c38ca02603448a.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

1cbfeebc0561f8989bd66b25807a8d20cbe1ef91b021b16296c38ca02603448a.exe

pid process

548 1cbfeebc0561f8989bd66b25807a8d20cbe1ef91b021b16296c38ca02603448a.exe

pid	process
548	1cbfeebc0561f8989bd66b25807a8d20cbe1ef91b021b16296c38ca02603448a.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

taskeng.exe

description	pid	process	target process
PID 1508 wrote to memory of 1416	1508	taskeng.exe	fjqgn.exe
PID 1508 wrote to memory of 1416	1508	taskeng.exe	fjqgn.exe
PID 1508 wrote to memory of 1416	1508	taskeng.exe	fjqgn.exe
PID 1508 wrote to memory of 1416	1508	taskeng.exe	fjqgn.exe

C:\Users\Admin\AppData\Local\Temp\1cbfeebc0561f8989bd66b25807a8d20cbe1ef91b021b16296c38ca02603448a.exe
"C:\Users\Admin\AppData\Local\Temp\1cbfeebc0561f8989bd66b25807a8d20cbe1ef91b021b16296c38ca02603448a.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:548

C:\Windows\system32\taskeng.exe
taskeng.exe {A7010D12-A3DC-48B7-B820-63159B4F1EBC} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:1508

C:\ProgramData\vopsr\fjqgn.exe
C:\ProgramData\vopsr\fjqgn.exe start
2⤵
- Executes dropped EXE
PID:1416

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Connection Proxy

1

T1090

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Connection Proxy

1

T1090

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\vopsr\fjqgn.exe
Filesize
254KB

MD5
db935d9703763461691ff0250366cfcc

SHA1
711569fe53a73d8083bc895f731e80a9a08d3814

SHA256
1cbfeebc0561f8989bd66b25807a8d20cbe1ef91b021b16296c38ca02603448a

SHA512
d50c59b46ea4488560a9c343ad2108a3db47e0d33f636758362a2ed3d014f5feab6b0143196fb4ab116fec120433346cf2b43f19341a831cd7e0585c28c31555

Download Submit
C:\ProgramData\vopsr\fjqgn.exe
Filesize
254KB

MD5
db935d9703763461691ff0250366cfcc

SHA1
711569fe53a73d8083bc895f731e80a9a08d3814

SHA256
1cbfeebc0561f8989bd66b25807a8d20cbe1ef91b021b16296c38ca02603448a

SHA512
d50c59b46ea4488560a9c343ad2108a3db47e0d33f636758362a2ed3d014f5feab6b0143196fb4ab116fec120433346cf2b43f19341a831cd7e0585c28c31555

Download Submit
memory/548-54-0x0000000002494000-0x000000000249B000-memory.dmp

Filesize
28KB

Download
memory/548-55-0x0000000076181000-0x0000000076183000-memory.dmp

Filesize
8KB

Download
memory/548-56-0x0000000002494000-0x000000000249B000-memory.dmp

Filesize
28KB

Download
memory/548-57-0x0000000000020000-0x0000000000029000-memory.dmp

Filesize
36KB

Download
memory/548-58-0x0000000000400000-0x00000000022FC000-memory.dmp

Filesize
31.0MB

Download
memory/1416-60-0x0000000000000000-mapping.dmp

Download
memory/1416-62-0x00000000023B4000-0x00000000023BB000-memory.dmp

Filesize
28KB

Download
memory/1416-64-0x00000000023B4000-0x00000000023BB000-memory.dmp

Filesize
28KB

Download
memory/1416-65-0x0000000000400000-0x00000000022FC000-memory.dmp

Filesize
31.0MB

Download

Analysis

Sharing