systembc | dcf55c3817c98cb1b0092311f51d10154f501349611a8dcea2267c0424b935e6

Analysis

Target

dcf55c3817c98cb1b0092311f51d10154f501349611a8dcea2267c0424b935e6.exe
Size

997KB
MD5

47d94d73ed4ccd6a310a1527f47fcd8f
SHA1

b229b65f8df84b82672fc7cc2777712adb739662
SHA256

dcf55c3817c98cb1b0092311f51d10154f501349611a8dcea2267c0424b935e6
SHA512

19244662bc12f11f37437a09715d180b7d436309a4c186db84fdb4b331e6e8862dbe7da8143ac16ecd671ff7412244bd5eb66816b9eacd5cfd3b0f7418171b54

Score

10^/10

systembc trojan

Family

systembc

185.33.84.190:4124

45.79.237.92:4124

SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc
Executes dropped EXE 1 IoCs

Processes:

bhtlj.exe

pid process

1284 bhtlj.exe

pid	process
1284	bhtlj.exe

Drops file in Windows directory 2 IoCs

Processes:

dcf55c3817c98cb1b0092311f51d10154f501349611a8dcea2267c0424b935e6.exe

description	ioc	process
File created	C:\Windows\Tasks\bhtlj.job	dcf55c3817c98cb1b0092311f51d10154f501349611a8dcea2267c0424b935e6.exe
File opened for modification	C:\Windows\Tasks\bhtlj.job	dcf55c3817c98cb1b0092311f51d10154f501349611a8dcea2267c0424b935e6.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

dcf55c3817c98cb1b0092311f51d10154f501349611a8dcea2267c0424b935e6.exe

pid process

652 dcf55c3817c98cb1b0092311f51d10154f501349611a8dcea2267c0424b935e6.exe

pid	process
652	dcf55c3817c98cb1b0092311f51d10154f501349611a8dcea2267c0424b935e6.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

taskeng.exe

description	pid	process	target process
PID 1208 wrote to memory of 1284	1208	taskeng.exe	bhtlj.exe
PID 1208 wrote to memory of 1284	1208	taskeng.exe	bhtlj.exe
PID 1208 wrote to memory of 1284	1208	taskeng.exe	bhtlj.exe
PID 1208 wrote to memory of 1284	1208	taskeng.exe	bhtlj.exe

C:\Windows\system32\taskeng.exe
taskeng.exe {C81B668D-D04C-4460-AD0F-701B4ACC3C45} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:1208

C:\ProgramData\tabif\bhtlj.exe
C:\ProgramData\tabif\bhtlj.exe start
2⤵
- Executes dropped EXE
PID:1284

C:\ProgramData\tabif\bhtlj.exe
Filesize
997KB

MD5
47d94d73ed4ccd6a310a1527f47fcd8f

SHA1
b229b65f8df84b82672fc7cc2777712adb739662

SHA256
dcf55c3817c98cb1b0092311f51d10154f501349611a8dcea2267c0424b935e6

SHA512
19244662bc12f11f37437a09715d180b7d436309a4c186db84fdb4b331e6e8862dbe7da8143ac16ecd671ff7412244bd5eb66816b9eacd5cfd3b0f7418171b54

Download Submit
C:\ProgramData\tabif\bhtlj.exe
Filesize
997KB

MD5
47d94d73ed4ccd6a310a1527f47fcd8f

SHA1
b229b65f8df84b82672fc7cc2777712adb739662

SHA256
dcf55c3817c98cb1b0092311f51d10154f501349611a8dcea2267c0424b935e6

SHA512
19244662bc12f11f37437a09715d180b7d436309a4c186db84fdb4b331e6e8862dbe7da8143ac16ecd671ff7412244bd5eb66816b9eacd5cfd3b0f7418171b54

Download Submit
memory/652-54-0x00000000765F1000-0x00000000765F3000-memory.dmp

Filesize
8KB

Download
memory/652-55-0x0000000000220000-0x0000000000262000-memory.dmp

Filesize
264KB

Download
memory/652-56-0x0000000000400000-0x0000000000502000-memory.dmp

Filesize
1.0MB

Download
memory/1284-58-0x0000000000000000-mapping.dmp

Download
memory/1284-61-0x0000000000400000-0x0000000000502000-memory.dmp

Filesize
1.0MB

Download