systembc | da1d1f735f97bf6ec7b008e135196afd97fd0f8884ddb7526df6be626453c3c8

General

Target

da1d1f735f97bf6ec7b008e135196afd97fd0f8884ddb7526df6be626453c3c8.exe
Size

87KB
MD5

6852984ac451a05e24c746a7beae2f7e
SHA1

647d364e9c10453271d21d4de892ccdbc1ec938e
SHA256

da1d1f735f97bf6ec7b008e135196afd97fd0f8884ddb7526df6be626453c3c8
SHA512

c03b55e314da300fd769cac02465b22c0317dfd4c445e6c9c36dd2c68cea7045ceefd872b295772fc6aa3cab6e604a4f170067d3e4ff2295ccd6109b1e735220

Score

10^/10

systembc suricata trojan

Malware Config

Extracted

Family

systembc

C2

asdasd08.com:4039

asdasd08.xyz:4039

Signatures

SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc
suricata: ET MALWARE Observed SystemBC CnC Domain in DNS Query
suricata: ET MALWARE Observed SystemBC CnC Domain in DNS Query
suricata
Executes dropped EXE 1 IoCs

Processes:

rihv.exe

pid process

2612 rihv.exe
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

71 api.ipify.org
72 api.ipify.org
Uses Tor communications 1 TTPs
Malware can proxy its traffic through Tor for more anonymity.

Connection Proxy
T1090

pid	process
2612	rihv.exe

flow	ioc
71	api.ipify.org
72	api.ipify.org

Drops file in Windows directory 2 IoCs

Processes:

da1d1f735f97bf6ec7b008e135196afd97fd0f8884ddb7526df6be626453c3c8.exe

description	ioc	process
File created	C:\Windows\Tasks\rihv.job	da1d1f735f97bf6ec7b008e135196afd97fd0f8884ddb7526df6be626453c3c8.exe
File opened for modification	C:\Windows\Tasks\rihv.job	da1d1f735f97bf6ec7b008e135196afd97fd0f8884ddb7526df6be626453c3c8.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4028 4360 WerFault.exe da1d1f735f97bf6ec7b008e135196afd97fd0f8884ddb7526df6be626453c3c8.exe

pid	pid_target	process	target process
4028	4360	WerFault.exe	da1d1f735f97bf6ec7b008e135196afd97fd0f8884ddb7526df6be626453c3c8.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

da1d1f735f97bf6ec7b008e135196afd97fd0f8884ddb7526df6be626453c3c8.exe

pid	process
4360	da1d1f735f97bf6ec7b008e135196afd97fd0f8884ddb7526df6be626453c3c8.exe
4360	da1d1f735f97bf6ec7b008e135196afd97fd0f8884ddb7526df6be626453c3c8.exe

C:\Users\Admin\AppData\Local\Temp\da1d1f735f97bf6ec7b008e135196afd97fd0f8884ddb7526df6be626453c3c8.exe
"C:\Users\Admin\AppData\Local\Temp\da1d1f735f97bf6ec7b008e135196afd97fd0f8884ddb7526df6be626453c3c8.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:4360

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4360 -s 948
2⤵
- Program crash
PID:4028

C:\ProgramData\wrfhdxg\rihv.exe
C:\ProgramData\wrfhdxg\rihv.exe start
1⤵
- Executes dropped EXE
PID:2612

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4360 -ip 4360
1⤵
PID:4636

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s camsvc
1⤵
PID:944

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Connection Proxy

1

T1090

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\wrfhdxg\rihv.exe
Filesize
87KB

MD5
6852984ac451a05e24c746a7beae2f7e

SHA1
647d364e9c10453271d21d4de892ccdbc1ec938e

SHA256
da1d1f735f97bf6ec7b008e135196afd97fd0f8884ddb7526df6be626453c3c8

SHA512
c03b55e314da300fd769cac02465b22c0317dfd4c445e6c9c36dd2c68cea7045ceefd872b295772fc6aa3cab6e604a4f170067d3e4ff2295ccd6109b1e735220

Download Submit
C:\ProgramData\wrfhdxg\rihv.exe
Filesize
87KB

MD5
6852984ac451a05e24c746a7beae2f7e

SHA1
647d364e9c10453271d21d4de892ccdbc1ec938e

SHA256
da1d1f735f97bf6ec7b008e135196afd97fd0f8884ddb7526df6be626453c3c8

SHA512
c03b55e314da300fd769cac02465b22c0317dfd4c445e6c9c36dd2c68cea7045ceefd872b295772fc6aa3cab6e604a4f170067d3e4ff2295ccd6109b1e735220

Download Submit
memory/2612-135-0x0000000003082000-0x0000000003089000-memory.dmp

Filesize
28KB

Download
memory/2612-136-0x0000000000400000-0x0000000002FA1000-memory.dmp

Filesize
43.6MB

Download
memory/4360-130-0x00000000032B8000-0x00000000032BF000-memory.dmp

Filesize
28KB

Download
memory/4360-131-0x0000000003200000-0x0000000003209000-memory.dmp

Filesize
36KB

Download
memory/4360-132-0x0000000000400000-0x0000000002FA1000-memory.dmp

Filesize
43.6MB

Download

Analysis

Sharing