systembc | 0eec212a21b588ae10cc4e1f55c4dddc4e652e47062b46ee8c51a154bc895b15

General

Target

0eec212a21b588ae10cc4e1f55c4dddc4e652e47062b46ee8c51a154bc895b15.exe
Size

87KB
MD5

0314c338de096680748e36513fa6385f
SHA1

b73d4dfc157e69d6d8a90d1d5cfa1a34453f73c1
SHA256

0eec212a21b588ae10cc4e1f55c4dddc4e652e47062b46ee8c51a154bc895b15
SHA512

8000e73b976cc6d23aa5015f401fda8f3eee5768c4d79c4715ecff9644cf183a17248f85b2b65379c9a62aa4a388ab23b15e6765043563bdb9f63c2ffcfee5f6

Score

10^/10

systembc suricata trojan

Malware Config

Extracted

Family

systembc

C2

advertrex20.xyz:4044

gentexman37.xyz:4044

Signatures

SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc
suricata: ET MALWARE Observed SystemBC CnC Domain in DNS Query
suricata: ET MALWARE Observed SystemBC CnC Domain in DNS Query
suricata
Executes dropped EXE 1 IoCs

Processes:

hbuc.exe

pid process

4904 hbuc.exe
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

37 api.ipify.org
38 api.ipify.org
Uses Tor communications 1 TTPs
Malware can proxy its traffic through Tor for more anonymity.

Connection Proxy
T1090

pid	process
4904	hbuc.exe

flow	ioc
37	api.ipify.org
38	api.ipify.org

Drops file in Windows directory 2 IoCs

Processes:

0eec212a21b588ae10cc4e1f55c4dddc4e652e47062b46ee8c51a154bc895b15.exe

description	ioc	process
File created	C:\Windows\Tasks\hbuc.job	0eec212a21b588ae10cc4e1f55c4dddc4e652e47062b46ee8c51a154bc895b15.exe
File opened for modification	C:\Windows\Tasks\hbuc.job	0eec212a21b588ae10cc4e1f55c4dddc4e652e47062b46ee8c51a154bc895b15.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1056 4032 WerFault.exe 0eec212a21b588ae10cc4e1f55c4dddc4e652e47062b46ee8c51a154bc895b15.exe

pid	pid_target	process	target process
1056	4032	WerFault.exe	0eec212a21b588ae10cc4e1f55c4dddc4e652e47062b46ee8c51a154bc895b15.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

0eec212a21b588ae10cc4e1f55c4dddc4e652e47062b46ee8c51a154bc895b15.exe

pid	process
4032	0eec212a21b588ae10cc4e1f55c4dddc4e652e47062b46ee8c51a154bc895b15.exe
4032	0eec212a21b588ae10cc4e1f55c4dddc4e652e47062b46ee8c51a154bc895b15.exe

C:\Users\Admin\AppData\Local\Temp\0eec212a21b588ae10cc4e1f55c4dddc4e652e47062b46ee8c51a154bc895b15.exe
"C:\Users\Admin\AppData\Local\Temp\0eec212a21b588ae10cc4e1f55c4dddc4e652e47062b46ee8c51a154bc895b15.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:4032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4032 -s 948
2⤵
- Program crash
PID:1056

C:\ProgramData\hevj\hbuc.exe
C:\ProgramData\hevj\hbuc.exe start
1⤵
- Executes dropped EXE
PID:4904

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4032 -ip 4032
1⤵
PID:4504

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Connection Proxy

1

T1090

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\hevj\hbuc.exe
Filesize
87KB

MD5
0314c338de096680748e36513fa6385f

SHA1
b73d4dfc157e69d6d8a90d1d5cfa1a34453f73c1

SHA256
0eec212a21b588ae10cc4e1f55c4dddc4e652e47062b46ee8c51a154bc895b15

SHA512
8000e73b976cc6d23aa5015f401fda8f3eee5768c4d79c4715ecff9644cf183a17248f85b2b65379c9a62aa4a388ab23b15e6765043563bdb9f63c2ffcfee5f6

Download Submit
C:\ProgramData\hevj\hbuc.exe
Filesize
87KB

MD5
0314c338de096680748e36513fa6385f

SHA1
b73d4dfc157e69d6d8a90d1d5cfa1a34453f73c1

SHA256
0eec212a21b588ae10cc4e1f55c4dddc4e652e47062b46ee8c51a154bc895b15

SHA512
8000e73b976cc6d23aa5015f401fda8f3eee5768c4d79c4715ecff9644cf183a17248f85b2b65379c9a62aa4a388ab23b15e6765043563bdb9f63c2ffcfee5f6

Download Submit
memory/4032-131-0x0000000003070000-0x0000000003079000-memory.dmp

Filesize
36KB

Download
memory/4032-130-0x00000000030C8000-0x00000000030CF000-memory.dmp

Filesize
28KB

Download
memory/4032-132-0x0000000000400000-0x0000000002FA1000-memory.dmp

Filesize
43.6MB

Download
memory/4904-135-0x0000000003263000-0x0000000003269000-memory.dmp

Filesize
24KB

Download
memory/4904-136-0x0000000000400000-0x0000000002FA1000-memory.dmp

Filesize
43.6MB

Download

Analysis

Sharing