systembc | 6d952c5c8a586f51361a500fe63fdaa3432060987f6c3682c6510a716331cd2c

General

Target

6d952c5c8a586f51361a500fe63fdaa3432060987f6c3682c6510a716331cd2c.exe
Size

316KB
MD5

afbea4a6f073cac89a9f3cd6df0844a3
SHA1

3517690fa2065239a6ad49abcf7153248d02cbf0
SHA256

6d952c5c8a586f51361a500fe63fdaa3432060987f6c3682c6510a716331cd2c
SHA512

3bedf050bbc9ac1ceb059e30efa590fc2db85ef1f0961d36b8f443166ece56a8895755fe5bcbacf6a7a8a3928708b28a9885375ae28b97d9363fc8d90d99c99d

Score

10^/10

systembc suricata trojan

Malware Config

Extracted

Family

systembc

C2

sdadvert197.com:4044

mexstat128.com:4044

Signatures

SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc
suricata: ET MALWARE Observed SystemBC CnC Domain in DNS Query
suricata: ET MALWARE Observed SystemBC CnC Domain in DNS Query
suricata
Executes dropped EXE 1 IoCs

Processes:

vtbc.exe

pid process

1348 vtbc.exe
Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

7 ip4.seeip.org
8 ip4.seeip.org
5 api.ipify.org
6 api.ipify.org
Uses Tor communications 1 TTPs
Malware can proxy its traffic through Tor for more anonymity.

Connection Proxy
T1090

pid	process
1348	vtbc.exe

flow	ioc
7	ip4.seeip.org
8	ip4.seeip.org
5	api.ipify.org
6	api.ipify.org

Drops file in Windows directory 2 IoCs

Processes:

6d952c5c8a586f51361a500fe63fdaa3432060987f6c3682c6510a716331cd2c.exe

description	ioc	process
File opened for modification	C:\Windows\Tasks\vtbc.job	6d952c5c8a586f51361a500fe63fdaa3432060987f6c3682c6510a716331cd2c.exe
File created	C:\Windows\Tasks\vtbc.job	6d952c5c8a586f51361a500fe63fdaa3432060987f6c3682c6510a716331cd2c.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

6d952c5c8a586f51361a500fe63fdaa3432060987f6c3682c6510a716331cd2c.exe

pid process

1792 6d952c5c8a586f51361a500fe63fdaa3432060987f6c3682c6510a716331cd2c.exe

pid	process
1792	6d952c5c8a586f51361a500fe63fdaa3432060987f6c3682c6510a716331cd2c.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

taskeng.exe

description	pid	process	target process
PID 1264 wrote to memory of 1348	1264	taskeng.exe	vtbc.exe
PID 1264 wrote to memory of 1348	1264	taskeng.exe	vtbc.exe
PID 1264 wrote to memory of 1348	1264	taskeng.exe	vtbc.exe
PID 1264 wrote to memory of 1348	1264	taskeng.exe	vtbc.exe

C:\Users\Admin\AppData\Local\Temp\6d952c5c8a586f51361a500fe63fdaa3432060987f6c3682c6510a716331cd2c.exe
"C:\Users\Admin\AppData\Local\Temp\6d952c5c8a586f51361a500fe63fdaa3432060987f6c3682c6510a716331cd2c.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:1792

C:\Windows\system32\taskeng.exe
taskeng.exe {0C25B7A5-31C6-497C-B37C-4B847405118D} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:1264

C:\ProgramData\qlpho\vtbc.exe
C:\ProgramData\qlpho\vtbc.exe start
2⤵
- Executes dropped EXE
PID:1348

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Connection Proxy

1

T1090

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\qlpho\vtbc.exe
Filesize
316KB

MD5
afbea4a6f073cac89a9f3cd6df0844a3

SHA1
3517690fa2065239a6ad49abcf7153248d02cbf0

SHA256
6d952c5c8a586f51361a500fe63fdaa3432060987f6c3682c6510a716331cd2c

SHA512
3bedf050bbc9ac1ceb059e30efa590fc2db85ef1f0961d36b8f443166ece56a8895755fe5bcbacf6a7a8a3928708b28a9885375ae28b97d9363fc8d90d99c99d

Download Submit
C:\ProgramData\qlpho\vtbc.exe
Filesize
316KB

MD5
afbea4a6f073cac89a9f3cd6df0844a3

SHA1
3517690fa2065239a6ad49abcf7153248d02cbf0

SHA256
6d952c5c8a586f51361a500fe63fdaa3432060987f6c3682c6510a716331cd2c

SHA512
3bedf050bbc9ac1ceb059e30efa590fc2db85ef1f0961d36b8f443166ece56a8895755fe5bcbacf6a7a8a3928708b28a9885375ae28b97d9363fc8d90d99c99d

Download Submit
memory/1348-59-0x0000000000000000-mapping.dmp

Download
memory/1348-62-0x0000000000D7A000-0x0000000000D80000-memory.dmp

Filesize
24KB

Download
memory/1348-63-0x0000000000400000-0x0000000000C2B000-memory.dmp

Filesize
8.2MB

Download
memory/1792-54-0x0000000075841000-0x0000000075843000-memory.dmp

Filesize
8KB

Download
memory/1792-56-0x0000000000020000-0x0000000000029000-memory.dmp

Filesize
36KB

Download
memory/1792-55-0x0000000000D8A000-0x0000000000D90000-memory.dmp

Filesize
24KB

Download
memory/1792-57-0x0000000000400000-0x0000000000C2B000-memory.dmp

Filesize
8.2MB

Download

Analysis

Sharing