General

  • Target

    efdd541a2725791d17cda91b62e811d61bd367886fa6bb383934014e18f0a43b

  • Size

    218KB

  • Sample

    220427-wlz6qsfgh5

  • MD5

    f8a0cd4e6952e95016502054cc56454f

  • SHA1

    7470a9b6949954168867e4f7dcc3b36cd8dbc0f2

  • SHA256

    efdd541a2725791d17cda91b62e811d61bd367886fa6bb383934014e18f0a43b

  • SHA512

    9be869b1f257b41950ab6ef6674357714a38b11358354507f0b8b6e50999ffd69154a0734dc51314488bf1eb23263552964d4dcd734e79a62097037d68e13064

Malware Config

Extracted

Family

systembc

C2

sdadvert197.com:4044

mexstat128.com:4044

Targets

    • SystemBC

      SystemBC is a proxy and remote administration tool first seen in 2019.

    • suricata: ET MALWARE Observed SystemBC CnC Domain in DNS Query

    • Executes dropped EXE

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Uses Tor communications

      The malware can proxy its traffic through Tor for greater anonymity.

MITRE ATT&CK Matrix

  • Collection

  • Command and Control

  • Credential Access

  • Defense Evasion

  • Discovery

  • Execution

  • Exfiltration

  • Impact

  • Initial Access

  • Lateral Movement

  • Persistence

  • Privilege Escalation