systembc | 3c8bd18b6c4245a7a6279de001da2ae03504a0060e9b61378836dbaf9d6d940e

General

Target

3c8bd18b6c4245a7a6279de001da2ae03504a0060e9b61378836dbaf9d6d940e.exe
Size

94KB
MD5

8d63b4b33f84d55f999fe7f2c07f1898
SHA1

4b72592eb314d60c52e7dc13a4c99b5afb902bf3
SHA256

3c8bd18b6c4245a7a6279de001da2ae03504a0060e9b61378836dbaf9d6d940e
SHA512

d734614ccba6dd7f3e84e5a39484a45bead737f3d27ab7dbc62654c5a7ea96133c68b02f0e63a073e29105a05ebd2120dd2156d63c901eabad096c65a0e7f263

Score

10^/10

systembc suricata trojan

Malware Config

Extracted

Family

systembc

C2

sdadvert197.com:4044

mexstat128.com:4044

Signatures

SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc
suricata: ET MALWARE Observed SystemBC CnC Domain in DNS Query
suricata: ET MALWARE Observed SystemBC CnC Domain in DNS Query
suricata
Executes dropped EXE 1 IoCs

Processes:

avmaqa.exe

pid process

2824 avmaqa.exe
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

37 api.ipify.org
38 api.ipify.org
Uses Tor communications 1 TTPs
Malware can proxy its traffic through Tor for more anonymity.

Connection Proxy
T1090

pid	process
2824	avmaqa.exe

flow	ioc
37	api.ipify.org
38	api.ipify.org

Drops file in Windows directory 2 IoCs

Processes:

3c8bd18b6c4245a7a6279de001da2ae03504a0060e9b61378836dbaf9d6d940e.exe

description	ioc	process
File created	C:\Windows\Tasks\avmaqa.job	3c8bd18b6c4245a7a6279de001da2ae03504a0060e9b61378836dbaf9d6d940e.exe
File opened for modification	C:\Windows\Tasks\avmaqa.job	3c8bd18b6c4245a7a6279de001da2ae03504a0060e9b61378836dbaf9d6d940e.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4216 2084 WerFault.exe 3c8bd18b6c4245a7a6279de001da2ae03504a0060e9b61378836dbaf9d6d940e.exe

pid	pid_target	process	target process
4216	2084	WerFault.exe	3c8bd18b6c4245a7a6279de001da2ae03504a0060e9b61378836dbaf9d6d940e.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

3c8bd18b6c4245a7a6279de001da2ae03504a0060e9b61378836dbaf9d6d940e.exe

pid	process
2084	3c8bd18b6c4245a7a6279de001da2ae03504a0060e9b61378836dbaf9d6d940e.exe
2084	3c8bd18b6c4245a7a6279de001da2ae03504a0060e9b61378836dbaf9d6d940e.exe

C:\Users\Admin\AppData\Local\Temp\3c8bd18b6c4245a7a6279de001da2ae03504a0060e9b61378836dbaf9d6d940e.exe
"C:\Users\Admin\AppData\Local\Temp\3c8bd18b6c4245a7a6279de001da2ae03504a0060e9b61378836dbaf9d6d940e.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:2084

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2084 -s 484
2⤵
- Program crash
PID:4216

C:\ProgramData\cqlaei\avmaqa.exe
C:\ProgramData\cqlaei\avmaqa.exe start
1⤵
- Executes dropped EXE
PID:2824

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 2084 -ip 2084
1⤵
PID:4000

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Connection Proxy

1

T1090

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\cqlaei\avmaqa.exe
Filesize
94KB

MD5
8d63b4b33f84d55f999fe7f2c07f1898

SHA1
4b72592eb314d60c52e7dc13a4c99b5afb902bf3

SHA256
3c8bd18b6c4245a7a6279de001da2ae03504a0060e9b61378836dbaf9d6d940e

SHA512
d734614ccba6dd7f3e84e5a39484a45bead737f3d27ab7dbc62654c5a7ea96133c68b02f0e63a073e29105a05ebd2120dd2156d63c901eabad096c65a0e7f263

Download Submit
C:\ProgramData\cqlaei\avmaqa.exe
Filesize
94KB

MD5
8d63b4b33f84d55f999fe7f2c07f1898

SHA1
4b72592eb314d60c52e7dc13a4c99b5afb902bf3

SHA256
3c8bd18b6c4245a7a6279de001da2ae03504a0060e9b61378836dbaf9d6d940e

SHA512
d734614ccba6dd7f3e84e5a39484a45bead737f3d27ab7dbc62654c5a7ea96133c68b02f0e63a073e29105a05ebd2120dd2156d63c901eabad096c65a0e7f263

Download Submit
memory/2084-130-0x0000000001332000-0x0000000001338000-memory.dmp

Filesize
24KB

Download
memory/2084-131-0x0000000000030000-0x0000000000039000-memory.dmp

Filesize
36KB

Download
memory/2084-132-0x0000000000400000-0x0000000000F75000-memory.dmp

Filesize
11.5MB

Download
memory/2824-135-0x000000000102D000-0x0000000001034000-memory.dmp

Filesize
28KB

Download
memory/2824-136-0x0000000000030000-0x0000000000039000-memory.dmp

Filesize
36KB

Download
memory/2824-137-0x0000000000400000-0x0000000000F75000-memory.dmp

Filesize
11.5MB

Download

Analysis

Sharing