systembc | 90334ecb93afa6abb9d5739738b4b03437b0ee1829253bb3c4b966a1bf9f3882

Target

90334ecb93afa6abb9d5739738b4b03437b0ee1829253bb3c4b966a1bf9f3882.exe
Size

87KB
MD5

c130eba9ff855403a69ec4adc6ae5db0
SHA1

71c0f3213e23fc9f1c0c5d14c0095c6b59aa7446
SHA256

90334ecb93afa6abb9d5739738b4b03437b0ee1829253bb3c4b966a1bf9f3882
SHA512

35308bf15552b0168488eb0dfcf7fac077f79626d9e684a5bd57004d87d7e06ae5aa0c348d9866ccb6aa2e190d3727b8cde5b744f6c5ac5be4ab1aad452e6586

Score

10^/10

Malware Config

Family

systembc

asdasd08.com:4039

asdasd08.xyz:4039

SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc
suricata: ET MALWARE Observed SystemBC CnC Domain in DNS Query
suricata: ET MALWARE Observed SystemBC CnC Domain in DNS Query
suricata
Executes dropped EXE 1 IoCs

Processes:

svijqh.exe

pid process

1340 svijqh.exe
Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

5 api.ipify.org
6 api.ipify.org
7 ip4.seeip.org
8 ip4.seeip.org
Uses Tor communications 1 TTPs
Malware can proxy its traffic through Tor for more anonymity.

Connection Proxy
T1090

pid	process
1340	svijqh.exe

Drops file in Windows directory 2 IoCs

Processes:

90334ecb93afa6abb9d5739738b4b03437b0ee1829253bb3c4b966a1bf9f3882.exe

description	ioc	process
File created	C:\Windows\Tasks\svijqh.job	90334ecb93afa6abb9d5739738b4b03437b0ee1829253bb3c4b966a1bf9f3882.exe
File opened for modification	C:\Windows\Tasks\svijqh.job	90334ecb93afa6abb9d5739738b4b03437b0ee1829253bb3c4b966a1bf9f3882.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

90334ecb93afa6abb9d5739738b4b03437b0ee1829253bb3c4b966a1bf9f3882.exe

pid process

1588 90334ecb93afa6abb9d5739738b4b03437b0ee1829253bb3c4b966a1bf9f3882.exe

pid	process
1588	90334ecb93afa6abb9d5739738b4b03437b0ee1829253bb3c4b966a1bf9f3882.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

taskeng.exe

description	pid	process	target process
PID 936 wrote to memory of 1340	936	taskeng.exe	svijqh.exe
PID 936 wrote to memory of 1340	936	taskeng.exe	svijqh.exe
PID 936 wrote to memory of 1340	936	taskeng.exe	svijqh.exe
PID 936 wrote to memory of 1340	936	taskeng.exe	svijqh.exe

C:\Windows\system32\taskeng.exe
taskeng.exe {11C400B0-9D9D-46C3-93B8-6A381E1EBC3F} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:936

C:\ProgramData\dwtlcxr\svijqh.exe
C:\ProgramData\dwtlcxr\svijqh.exe start
2⤵
- Executes dropped EXE
PID:1340

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Connection Proxy

Impact

C:\ProgramData\dwtlcxr\svijqh.exe
Filesize
87KB

MD5
c130eba9ff855403a69ec4adc6ae5db0

SHA1
71c0f3213e23fc9f1c0c5d14c0095c6b59aa7446

SHA256
90334ecb93afa6abb9d5739738b4b03437b0ee1829253bb3c4b966a1bf9f3882

SHA512
35308bf15552b0168488eb0dfcf7fac077f79626d9e684a5bd57004d87d7e06ae5aa0c348d9866ccb6aa2e190d3727b8cde5b744f6c5ac5be4ab1aad452e6586

Download Submit
C:\ProgramData\dwtlcxr\svijqh.exe
Filesize
87KB

MD5
c130eba9ff855403a69ec4adc6ae5db0

SHA1
71c0f3213e23fc9f1c0c5d14c0095c6b59aa7446

SHA256
90334ecb93afa6abb9d5739738b4b03437b0ee1829253bb3c4b966a1bf9f3882

SHA512
35308bf15552b0168488eb0dfcf7fac077f79626d9e684a5bd57004d87d7e06ae5aa0c348d9866ccb6aa2e190d3727b8cde5b744f6c5ac5be4ab1aad452e6586

Download Submit
memory/1340-59-0x0000000000000000-mapping.dmp

Download
memory/1340-62-0x000000000028B000-0x0000000000292000-memory.dmp

Filesize
28KB

Download
memory/1340-63-0x0000000000400000-0x0000000002FA1000-memory.dmp

Filesize
43.6MB

Download
memory/1588-54-0x0000000076191000-0x0000000076193000-memory.dmp

Filesize
8KB

Download
memory/1588-56-0x0000000000220000-0x0000000000229000-memory.dmp

Filesize
36KB

Download
memory/1588-55-0x000000000305B000-0x0000000003062000-memory.dmp

Filesize
28KB

Download
memory/1588-57-0x0000000000400000-0x0000000002FA1000-memory.dmp

Filesize
43.6MB

Download