systembc | b93187507fed6a52f34bac3af0675b88f672b2e7328dcb983434789050d74825

General

Target

b93187507fed6a52f34bac3af0675b88f672b2e7328dcb983434789050d74825.exe
Size

121KB
MD5

e60119dd588f168109ae6d25a187202d
SHA1

0b3cde408aa8eea80fbf9a8868a6cd194dc2b022
SHA256

b93187507fed6a52f34bac3af0675b88f672b2e7328dcb983434789050d74825
SHA512

731ed02e9cb967bca1cddf93251ee607d499912df7dfbdf6720faa7339ea25674828d846052852b95bd4f4e8f1a7e287aa2883addd4eb6f1aaf75b13f59b9eac

Score

10^/10

systembc suricata trojan

Malware Config

Extracted

Family

systembc

C2

sdadvert197.com:4044

mexstat128.com:4044

Signatures

SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc
suricata: ET MALWARE Observed SystemBC CnC Domain in DNS Query
suricata: ET MALWARE Observed SystemBC CnC Domain in DNS Query
suricata
Executes dropped EXE 1 IoCs

Processes:

ubaph.exe

pid process

1144 ubaph.exe
Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

7 ip4.seeip.org
4 api.ipify.org
5 api.ipify.org
6 ip4.seeip.org
Uses Tor communications 1 TTPs
Malware can proxy its traffic through Tor for more anonymity.

Connection Proxy
T1090

pid	process
1144	ubaph.exe

flow	ioc
7	ip4.seeip.org
4	api.ipify.org
5	api.ipify.org
6	ip4.seeip.org

Drops file in Windows directory 2 IoCs

Processes:

b93187507fed6a52f34bac3af0675b88f672b2e7328dcb983434789050d74825.exe

description	ioc	process
File created	C:\Windows\Tasks\ubaph.job	b93187507fed6a52f34bac3af0675b88f672b2e7328dcb983434789050d74825.exe
File opened for modification	C:\Windows\Tasks\ubaph.job	b93187507fed6a52f34bac3af0675b88f672b2e7328dcb983434789050d74825.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

b93187507fed6a52f34bac3af0675b88f672b2e7328dcb983434789050d74825.exe

pid process

536 b93187507fed6a52f34bac3af0675b88f672b2e7328dcb983434789050d74825.exe

pid	process
536	b93187507fed6a52f34bac3af0675b88f672b2e7328dcb983434789050d74825.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

taskeng.exe

description	pid	process	target process
PID 952 wrote to memory of 1144	952	taskeng.exe	ubaph.exe
PID 952 wrote to memory of 1144	952	taskeng.exe	ubaph.exe
PID 952 wrote to memory of 1144	952	taskeng.exe	ubaph.exe
PID 952 wrote to memory of 1144	952	taskeng.exe	ubaph.exe

C:\Users\Admin\AppData\Local\Temp\b93187507fed6a52f34bac3af0675b88f672b2e7328dcb983434789050d74825.exe
"C:\Users\Admin\AppData\Local\Temp\b93187507fed6a52f34bac3af0675b88f672b2e7328dcb983434789050d74825.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:536

C:\Windows\system32\taskeng.exe
taskeng.exe {E6915D9F-9E1E-4F33-8D26-7856677247E2} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:952

C:\ProgramData\rigd\ubaph.exe
C:\ProgramData\rigd\ubaph.exe start
2⤵
- Executes dropped EXE
PID:1144

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Connection Proxy

1

T1090

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\rigd\ubaph.exe
Filesize
121KB

MD5
e60119dd588f168109ae6d25a187202d

SHA1
0b3cde408aa8eea80fbf9a8868a6cd194dc2b022

SHA256
b93187507fed6a52f34bac3af0675b88f672b2e7328dcb983434789050d74825

SHA512
731ed02e9cb967bca1cddf93251ee607d499912df7dfbdf6720faa7339ea25674828d846052852b95bd4f4e8f1a7e287aa2883addd4eb6f1aaf75b13f59b9eac

Download Submit
C:\ProgramData\rigd\ubaph.exe
Filesize
121KB

MD5
e60119dd588f168109ae6d25a187202d

SHA1
0b3cde408aa8eea80fbf9a8868a6cd194dc2b022

SHA256
b93187507fed6a52f34bac3af0675b88f672b2e7328dcb983434789050d74825

SHA512
731ed02e9cb967bca1cddf93251ee607d499912df7dfbdf6720faa7339ea25674828d846052852b95bd4f4e8f1a7e287aa2883addd4eb6f1aaf75b13f59b9eac

Download Submit
memory/536-54-0x0000000075B61000-0x0000000075B63000-memory.dmp

Filesize
8KB

Download
memory/536-56-0x00000000003B0000-0x00000000003B9000-memory.dmp

Filesize
36KB

Download
memory/536-55-0x000000000365B000-0x0000000003662000-memory.dmp

Filesize
28KB

Download
memory/536-57-0x0000000000400000-0x00000000031D1000-memory.dmp

Filesize
45.8MB

Download
memory/1144-59-0x0000000000000000-mapping.dmp

Download
memory/1144-62-0x000000000335B000-0x0000000003362000-memory.dmp

Filesize
28KB

Download
memory/1144-63-0x0000000000400000-0x00000000031D1000-memory.dmp

Filesize
45.8MB

Download

Analysis

Sharing