systembc | 57fe3c34a73768fce9e42473532850c03b47eddcdf878a3afb14318aaacd6b0c

General

Target

57fe3c34a73768fce9e42473532850c03b47eddcdf878a3afb14318aaacd6b0c.exe
Size

2.2MB
MD5

f6232a2ae8c13154c0b635900e5d5606
SHA1

3dc773c2edc6dacb581be6ac37e404a091bae760
SHA256

57fe3c34a73768fce9e42473532850c03b47eddcdf878a3afb14318aaacd6b0c
SHA512

8902664b973efd46e56d12f151257bd8988d79ecafa32ee136b171979dac138b7ee98e45b9361f499916013a1fd37572360e6f88cc1fa24d81617328dd6d2ebd
SSDEEP

49152:SIaJIbJosoFb+OX3z1Ek8fBI361rMKuWjRzyzSbxkq1DfDE:5aJIbKVFbd61rMKuWNyzykq1jI

Score

10^/10

systembc evasion trojan

Malware Config

Extracted

Family

systembc

C2

cryptotab.me:4001

portexcloud.xyz:4001

Signatures

SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 3 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

57fe3c34a73768fce9e42473532850c03b47eddcdf878a3afb14318aaacd6b0c.exestewbui.exestewbui.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	57fe3c34a73768fce9e42473532850c03b47eddcdf878a3afb14318aaacd6b0c.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	stewbui.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	stewbui.exe

Executes dropped EXE 2 IoCs

Processes:

stewbui.exestewbui.exe

pid process

584 stewbui.exe
1564 stewbui.exe

pid	process
584	stewbui.exe
1564	stewbui.exe

Checks BIOS information in registry 2 TTPs 6 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

57fe3c34a73768fce9e42473532850c03b47eddcdf878a3afb14318aaacd6b0c.exestewbui.exestewbui.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	57fe3c34a73768fce9e42473532850c03b47eddcdf878a3afb14318aaacd6b0c.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	57fe3c34a73768fce9e42473532850c03b47eddcdf878a3afb14318aaacd6b0c.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	stewbui.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	stewbui.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	stewbui.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	stewbui.exe

Identifies Wine through registry keys 2 TTPs 3 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

57fe3c34a73768fce9e42473532850c03b47eddcdf878a3afb14318aaacd6b0c.exestewbui.exestewbui.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Wine	57fe3c34a73768fce9e42473532850c03b47eddcdf878a3afb14318aaacd6b0c.exe
Key opened	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Wine	stewbui.exe
Key opened	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Wine	stewbui.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs

Processes:

57fe3c34a73768fce9e42473532850c03b47eddcdf878a3afb14318aaacd6b0c.exestewbui.exestewbui.exe

pid process

1348 57fe3c34a73768fce9e42473532850c03b47eddcdf878a3afb14318aaacd6b0c.exe
584 stewbui.exe
1564 stewbui.exe

Drops file in Windows directory 2 IoCs

Processes:

57fe3c34a73768fce9e42473532850c03b47eddcdf878a3afb14318aaacd6b0c.exe

description	ioc	process
File opened for modification	C:\Windows\Tasks\stewbui.job	57fe3c34a73768fce9e42473532850c03b47eddcdf878a3afb14318aaacd6b0c.exe
File created	C:\Windows\Tasks\stewbui.job	57fe3c34a73768fce9e42473532850c03b47eddcdf878a3afb14318aaacd6b0c.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

57fe3c34a73768fce9e42473532850c03b47eddcdf878a3afb14318aaacd6b0c.exestewbui.exestewbui.exe

pid	process
1348	57fe3c34a73768fce9e42473532850c03b47eddcdf878a3afb14318aaacd6b0c.exe
1348	57fe3c34a73768fce9e42473532850c03b47eddcdf878a3afb14318aaacd6b0c.exe
584	stewbui.exe
1564	stewbui.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

taskeng.exe

description	pid	process	target process
PID 1144 wrote to memory of 584	1144	taskeng.exe	stewbui.exe
PID 1144 wrote to memory of 584	1144	taskeng.exe	stewbui.exe
PID 1144 wrote to memory of 584	1144	taskeng.exe	stewbui.exe
PID 1144 wrote to memory of 584	1144	taskeng.exe	stewbui.exe
PID 1144 wrote to memory of 1564	1144	taskeng.exe	stewbui.exe
PID 1144 wrote to memory of 1564	1144	taskeng.exe	stewbui.exe
PID 1144 wrote to memory of 1564	1144	taskeng.exe	stewbui.exe
PID 1144 wrote to memory of 1564	1144	taskeng.exe	stewbui.exe

C:\Users\Admin\AppData\Local\Temp\57fe3c34a73768fce9e42473532850c03b47eddcdf878a3afb14318aaacd6b0c.exe
"C:\Users\Admin\AppData\Local\Temp\57fe3c34a73768fce9e42473532850c03b47eddcdf878a3afb14318aaacd6b0c.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:1348

C:\Windows\system32\taskeng.exe
taskeng.exe {C5309EB0-7549-4244-8B2C-77E388133D62} S-1-5-21-3406023954-474543476-3319432036-1000:VUIIVLGQ\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1144

C:\ProgramData\gpas\stewbui.exe
C:\ProgramData\gpas\stewbui.exe start2
2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:584

C:\ProgramData\gpas\stewbui.exe
C:\ProgramData\gpas\stewbui.exe start2
2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:1564

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

2

T1497

Credential Access

Discovery

Query Registry

3

T1012

Virtualization/Sandbox Evasion

2

T1497

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\gpas\stewbui.exe
Filesize
2.2MB

MD5
f6232a2ae8c13154c0b635900e5d5606

SHA1
3dc773c2edc6dacb581be6ac37e404a091bae760

SHA256
57fe3c34a73768fce9e42473532850c03b47eddcdf878a3afb14318aaacd6b0c

SHA512
8902664b973efd46e56d12f151257bd8988d79ecafa32ee136b171979dac138b7ee98e45b9361f499916013a1fd37572360e6f88cc1fa24d81617328dd6d2ebd

Download Submit
C:\ProgramData\gpas\stewbui.exe
Filesize
2.2MB

MD5
f6232a2ae8c13154c0b635900e5d5606

SHA1
3dc773c2edc6dacb581be6ac37e404a091bae760

SHA256
57fe3c34a73768fce9e42473532850c03b47eddcdf878a3afb14318aaacd6b0c

SHA512
8902664b973efd46e56d12f151257bd8988d79ecafa32ee136b171979dac138b7ee98e45b9361f499916013a1fd37572360e6f88cc1fa24d81617328dd6d2ebd

Download Submit
C:\ProgramData\gpas\stewbui.exe
Filesize
2.2MB

MD5
f6232a2ae8c13154c0b635900e5d5606

SHA1
3dc773c2edc6dacb581be6ac37e404a091bae760

SHA256
57fe3c34a73768fce9e42473532850c03b47eddcdf878a3afb14318aaacd6b0c

SHA512
8902664b973efd46e56d12f151257bd8988d79ecafa32ee136b171979dac138b7ee98e45b9361f499916013a1fd37572360e6f88cc1fa24d81617328dd6d2ebd

Download Submit
memory/584-61-0x0000000000400000-0x00000000009E0000-memory.dmp

Filesize
5.9MB

Download
memory/584-66-0x0000000077920000-0x0000000077AA0000-memory.dmp

Filesize
1.5MB

Download
memory/584-64-0x0000000000400000-0x00000000009E0000-memory.dmp

Filesize
5.9MB

Download
memory/584-59-0x0000000000000000-mapping.dmp

Download
memory/1348-62-0x0000000077920000-0x0000000077AA0000-memory.dmp

Filesize
1.5MB

Download
memory/1348-54-0x0000000000400000-0x00000000009E0000-memory.dmp

Filesize
5.9MB

Download
memory/1348-57-0x0000000000400000-0x00000000009E0000-memory.dmp

Filesize
5.9MB

Download
memory/1348-65-0x0000000077920000-0x0000000077AA0000-memory.dmp

Filesize
1.5MB

Download
memory/1348-56-0x0000000077920000-0x0000000077AA0000-memory.dmp

Filesize
1.5MB

Download
memory/1348-55-0x0000000075881000-0x0000000075883000-memory.dmp

Filesize
8KB

Download
memory/1564-67-0x0000000000000000-mapping.dmp

Download
memory/1564-69-0x0000000000400000-0x00000000009E0000-memory.dmp

Filesize
5.9MB

Download
memory/1564-71-0x0000000077920000-0x0000000077AA0000-memory.dmp

Filesize
1.5MB

Download
memory/1564-72-0x0000000000400000-0x00000000009E0000-memory.dmp

Filesize
5.9MB

Download
memory/1564-73-0x0000000077920000-0x0000000077AA0000-memory.dmp

Filesize
1.5MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads