systembc | 5d366decba2f9078f457cb35fe7bfd198760683a709f0d33745fc6e0ba59ac8a

General

Target

5d366decba2f9078f457cb35fe7bfd198760683a709f0d33745fc6e0ba59ac8a.exe
Size

222KB
MD5

72cfa33b978294103889481feca472f2
SHA1

0615eb31fd67345b9fa0d57d12a3bcb363152abe
SHA256

5d366decba2f9078f457cb35fe7bfd198760683a709f0d33745fc6e0ba59ac8a
SHA512

d1de5fee23b7a858ec62b849cd8a41cf896ab8b6df4836c65ba36942c1d1727b36832d45713a578c93e8a0b8650bf55923568637d91bb9b2196257a2ae015559

Score

10^/10

systembc trojan

Malware Config

Extracted

Family

systembc

C2

fanstat18.club:4044

dexblog90.club:4044

Signatures

SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc
Executes dropped EXE 2 IoCs

Processes:

rfrts.exerfrts.exe

pid process

1772 rfrts.exe
584 rfrts.exe
Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

8 ip4.seeip.org
5 api.ipify.org
6 api.ipify.org
7 ip4.seeip.org

pid	process
1772	rfrts.exe
584	rfrts.exe

flow	ioc
8	ip4.seeip.org
5	api.ipify.org
6	api.ipify.org
7	ip4.seeip.org

Drops file in Windows directory 2 IoCs

Processes:

5d366decba2f9078f457cb35fe7bfd198760683a709f0d33745fc6e0ba59ac8a.exe

description	ioc	process
File created	C:\Windows\Tasks\rfrts.job	5d366decba2f9078f457cb35fe7bfd198760683a709f0d33745fc6e0ba59ac8a.exe
File opened for modification	C:\Windows\Tasks\rfrts.job	5d366decba2f9078f457cb35fe7bfd198760683a709f0d33745fc6e0ba59ac8a.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

5d366decba2f9078f457cb35fe7bfd198760683a709f0d33745fc6e0ba59ac8a.exe

pid process

1912 5d366decba2f9078f457cb35fe7bfd198760683a709f0d33745fc6e0ba59ac8a.exe

pid	process
1912	5d366decba2f9078f457cb35fe7bfd198760683a709f0d33745fc6e0ba59ac8a.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

taskeng.exe

description	pid	process	target process
PID 2024 wrote to memory of 1772	2024	taskeng.exe	rfrts.exe
PID 2024 wrote to memory of 1772	2024	taskeng.exe	rfrts.exe
PID 2024 wrote to memory of 1772	2024	taskeng.exe	rfrts.exe
PID 2024 wrote to memory of 1772	2024	taskeng.exe	rfrts.exe
PID 2024 wrote to memory of 584	2024	taskeng.exe	rfrts.exe
PID 2024 wrote to memory of 584	2024	taskeng.exe	rfrts.exe
PID 2024 wrote to memory of 584	2024	taskeng.exe	rfrts.exe
PID 2024 wrote to memory of 584	2024	taskeng.exe	rfrts.exe

C:\Users\Admin\AppData\Local\Temp\5d366decba2f9078f457cb35fe7bfd198760683a709f0d33745fc6e0ba59ac8a.exe
"C:\Users\Admin\AppData\Local\Temp\5d366decba2f9078f457cb35fe7bfd198760683a709f0d33745fc6e0ba59ac8a.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:1912

C:\Windows\system32\taskeng.exe
taskeng.exe {03C41BC1-E223-4A20-B07E-73AD0A6ED1D6} S-1-5-21-2277218442-1199762539-2004043321-1000:AUVQQRRF\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2024

C:\ProgramData\asnmqj\rfrts.exe
C:\ProgramData\asnmqj\rfrts.exe start2
2⤵
- Executes dropped EXE
PID:1772

C:\ProgramData\asnmqj\rfrts.exe
C:\ProgramData\asnmqj\rfrts.exe start2
2⤵
- Executes dropped EXE
PID:584

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\asnmqj\rfrts.exe
Filesize
222KB

MD5
72cfa33b978294103889481feca472f2

SHA1
0615eb31fd67345b9fa0d57d12a3bcb363152abe

SHA256
5d366decba2f9078f457cb35fe7bfd198760683a709f0d33745fc6e0ba59ac8a

SHA512
d1de5fee23b7a858ec62b849cd8a41cf896ab8b6df4836c65ba36942c1d1727b36832d45713a578c93e8a0b8650bf55923568637d91bb9b2196257a2ae015559

Download Submit
C:\ProgramData\asnmqj\rfrts.exe
Filesize
222KB

MD5
72cfa33b978294103889481feca472f2

SHA1
0615eb31fd67345b9fa0d57d12a3bcb363152abe

SHA256
5d366decba2f9078f457cb35fe7bfd198760683a709f0d33745fc6e0ba59ac8a

SHA512
d1de5fee23b7a858ec62b849cd8a41cf896ab8b6df4836c65ba36942c1d1727b36832d45713a578c93e8a0b8650bf55923568637d91bb9b2196257a2ae015559

Download Submit
C:\ProgramData\asnmqj\rfrts.exe
Filesize
222KB

MD5
72cfa33b978294103889481feca472f2

SHA1
0615eb31fd67345b9fa0d57d12a3bcb363152abe

SHA256
5d366decba2f9078f457cb35fe7bfd198760683a709f0d33745fc6e0ba59ac8a

SHA512
d1de5fee23b7a858ec62b849cd8a41cf896ab8b6df4836c65ba36942c1d1727b36832d45713a578c93e8a0b8650bf55923568637d91bb9b2196257a2ae015559

Download Submit
memory/584-64-0x0000000000000000-mapping.dmp

Download
memory/584-67-0x00000000005DB000-0x00000000005E1000-memory.dmp

Filesize
24KB

Download
memory/584-68-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/1772-59-0x0000000000000000-mapping.dmp

Download
memory/1772-62-0x000000000059B000-0x00000000005A1000-memory.dmp

Filesize
24KB

Download
memory/1772-63-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/1912-57-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/1912-55-0x00000000006AB000-0x00000000006B2000-memory.dmp

Filesize
28KB

Download
memory/1912-54-0x0000000075F61000-0x0000000075F63000-memory.dmp

Filesize
8KB

Download
memory/1912-56-0x0000000000220000-0x0000000000229000-memory.dmp

Filesize
36KB

Download

Resubmissions

Analysis

Sharing