General

  • Target

    a4ee9f4729596748dec32a90e27547c0.exe.vir

  • Size

    6.1MB

  • Sample

    220930-sxnejadhh9

  • MD5

    a4ee9f4729596748dec32a90e27547c0

  • SHA1

    d8bf8f8e877babd4ee74a63a02e866b8f5e7fd6f

  • SHA256

    250e065988da19ed97e3a9ea5c185059688fbe3c9c240f207dc518377ec53ef9

  • SHA512

    a09a930fed406e2affdbddc725a48405032a02ef877d1c8a3fe50e9344339955b5b4511c6107e430a13e2d2cbd5c7eb636c9e729f6232c9e6f9fa9b2f3e59631

  • SSDEEP

    98304:+Mu3f/jr6blqCtAZhO0oNtHjgKPUbzSTcLYUkwf8M2m51AjLrLrQ/J:+Vf/v6bl3tNXtoQcLs/M2mDAjPLA

Malware Config

Extracted

Family

systembc

C2

89.22.225.242:4193

195.2.93.22:4193

Targets

    • Target

      a4ee9f4729596748dec32a90e27547c0.exe.vir

    • Size

      6.1MB

    • MD5

      a4ee9f4729596748dec32a90e27547c0

    • SHA1

      d8bf8f8e877babd4ee74a63a02e866b8f5e7fd6f

    • SHA256

      250e065988da19ed97e3a9ea5c185059688fbe3c9c240f207dc518377ec53ef9

    • SHA512

      a09a930fed406e2affdbddc725a48405032a02ef877d1c8a3fe50e9344339955b5b4511c6107e430a13e2d2cbd5c7eb636c9e729f6232c9e6f9fa9b2f3e59631

    • SSDEEP

      98304:+Mu3f/jr6blqCtAZhO0oNtHjgKPUbzSTcLYUkwf8M2m51AjLrLrQ/J:+Vf/v6bl3tNXtoQcLs/M2mDAjPLA

    • SystemBC

      SystemBC is a proxy and remote administration tool first seen in 2019.

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Executes dropped EXE

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Loads dropped DLL

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • Checks whether UAC is enabled

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Matrix ATT&CK v6

Execution

Scheduled Task

1
T1053

Persistence

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Virtualization/Sandbox Evasion

1
T1497

Discovery

Query Registry

3
T1012

Virtualization/Sandbox Evasion

1
T1497

System Information Discovery

4
T1082

Remote System Discovery

1
T1018

Tasks