systembc | 0bb78df6c8e049c7a33d2656555e15388a59ee96bde6f221ac5494b959cd60eb | Triage

Sharing

General

Target

4aef36151871f3ba664f76cb983c36d3.zip
Size

27.3MB
Sample

230509-fhz4kagb6x
MD5

2a5f3f81788f1c148b23ed3bb1f51bf6
SHA1

c2ba9cab3302ca1fb6d369a1e8a3edaa3e853677
SHA256

0bb78df6c8e049c7a33d2656555e15388a59ee96bde6f221ac5494b959cd60eb
SHA512

32c16d5dfceef5b714a2a6a6fcdbeb8c6575984d5e70cb341ed14012d8951a3f5319442121ae445981b4665db3c5e5114dae41dc2d65cc95dccd5d5de404c15d
SSDEEP

786432:W1HVpI/ZHgDZAgSjEcIiQKFoPIj84PLNA57cZqTox:y1emAGnbIj84PJAcZGc

Score

10^/10

systembc evasion linux persistence trojan

Malware Config

Extracted

Family

systembc

C2

89.248.163.188:443

Targets

- Target
  
  server.exe
- Size
  
  22KB
- MD5
  
  3e5b7dedb99563e687b56384bcd24823
- SHA1
  
  17425dd4f9c65e1a5c8b4bcbef298d4dc625ae30
- SHA256
  
  c154d0f2c61353e96026f7036e79e8217b078bbf1947d7a2d7753cab657022f1
- SHA512
  
  ee97b1e8ab38bced198206a8b78d324c43df4eeb5bd96d484569cafe5527a55b52736708d7e38fcf2925f252e823efe894b5cae443025580c1507c0d920ad389
- SSDEEP
  
  384:IMWFbYuh12fGSjkd867JswS/oyVFiGspJjHO5rf1k7SWOoD21pE3nZ6IML:I38uhkfGS8W/rVFiGspJGrq7SAspcyL
Score

8^/10

evasion
- Modifies Windows Firewall
  evasion
- Executes dropped EXE
behavioral1 behavioral2
- Target
  
  server.out
- Size
  
  15KB
- MD5
  
  4e0a5548d669fb559fc9557c29d1300d
- SHA1
  
  20c475d06b77ea4078db08814acebc6c9d8a47ca
- SHA256
  
  b69738c655dee0071b1ce37ab5227018ebce01ba5e90d28bd82d63c46e9e63a4
- SHA512
  
  7f128a3110bea36b22a3f784b991f0a4b44f2c01a5df837ac0badb3742f8da742f0bd971fa492829db413c9f69b6dd8c64ec6934b33da4ef11d0025522878dbb
- SSDEEP
  
  192:GflaEbxJEYalA9qF9Aig5B7PNTa8EBiB6hygBCyftVm5cmF4tGEApxn:3UClA9kxg/FTyUM4gBCyftV2342px
Score

7^/10

persistence
- Creates/modifies Cron job
  Cron allows running tasks on a schedule, and is commonly used for malware persistence.
  persistence
- Executes dropped EXE
- Reads runtime system information
  Reads data from /proc virtual filesystem.
- Writes file to tmp directory
  Malware often drops required files in the /tmp directory.
behavioral3
- Target
  
  socks32_tor.dll
- Size
  
  31KB
- MD5
  
  ab2358024b8fa1f8d2ba06ff7980734f
- SHA1
  
  ee98a887090a0d04408d23ffb87fe933b2287107
- SHA256
  
  77eb1714a4eb6c8c138e3a013bb20633122039a71c46d7b579722baaa91c0f34
- SHA512
  
  a0958ac9ea9329ff6026ab22ce733970edc4e3604cbc5179c45ac76859789377e9fcdc704c04be30527e75cb362118bbcd8dc3022931111eb66cf9766ee02e74
- SSDEEP
  
  768:bS8Mc/ReGneyfP5iqiWsNhGDoh2EfoJdmA:8c/ReGnnhig4Lh2Efo
Score

8^/10
- Blocklisted process makes network request
behavioral4 behavioral5
- Target
  
  socks_tor.exe
- Size
  
  32KB
- MD5
  
  af6bc46db7a4d4ab3f4689848de18ddc
- SHA1
  
  5e00ccab03314b6c37a0a16f646fb13b8d1072ab
- SHA256
  
  c671384b86b7a99d4328402936f51ca9143543f8e6f715c8315e18d2e3c660e6
- SHA512
  
  81260938cc4b68cd61ed496ba99a873b2abdce7a57f27f9cbdab2acd1e70cade3acb394f0a2da01e4a3935deccf1b4006f550c38c2dbc1c4f2c19ad22a04250c
- SSDEEP
  
  768:HqPzUdiJ8dayafVcCSWYVYnPrryFbnpoJo2TZKc6wFg:YLJ8dayaaupDobnpo2wZu
Score

10^/10

systembc trojan
- SystemBC
  SystemBC is a proxy and remote administration tool first seen in 2019.
  trojan systembc
- Executes dropped EXE
behavioral6 behavioral7
- Target
  
  www/systembc/geoip/geoip2.phar
- Size
  
  347KB
- MD5
  
  71d14334860b780ee91902ea71d7518a
- SHA1
  
  7316e1354447c369fd991d5a7db6b923f3c886f0
- SHA256
  
  7f7a6ba15f126642ea88c6cf9354f561f6fb86948dd713ac3d8af5d169d25128
- SHA512
  
  bb42ebf6e9203175cc2cc3aaa6d20b0fbe56d1dfa0545513dc55c4efd8876514b0a22d7289cebd7cc36319342eed061df801efd391e5e85bcbc9dbc0ff4dc319
- SSDEEP
  
  6144:VsRsRTZMPNc5Wb7qxz7d9/UaNR6dTd4tL2b0ObTDdTDFTXjR7:VsRsRTZMPNce+1576f4tLe0ObTpNjR7
Score

1^/10
behavioral8 behavioral9
- Target
  
  www/systembc/index.html
- Size
  
  16B
- MD5
  
  f5a101e1a581bd03a5709b5c36f4c9c5
- SHA1
  
  86548e7c6168d3d05819da7b4c4c94547bea43b5
- SHA256
  
  a14b2375d7042a76207b40292ea3b5dec759b9908c566d5701493e1e6b381242
- SHA512
  
  df6337bd65e4e4a01c256d55eb4cb11576e5b1da2c729c8b251a2f4752fb3128aa91667d58b938aec334651ea30b420a90459214f05cc70b8cda6b6d67564e9a
Score

1^/10
behavioral10 behavioral11
- Target
  
  www/systembc/password.php
- Size
  
  27KB
- MD5
  
  076b51a0d49cb77762f21c5855e2b95e
- SHA1
  
  2380fe6f1f0cf67dacce22aebe143c06e31ab18a
- SHA256
  
  61fad625af0ae280a5f89d2c407abffd9f7654e191a4b336f9db8ed00cdebda1
- SHA512
  
  ed149eb3da34f2333637fe0704fb8197886159afb05c069ffae03ec830076d72419bc9924320498322b2a846f523cbcac93f3a2c580ffc9df3bccf04b425b906
- SSDEEP
  
  384:Bx8SVq9RuqK4d1lBwWWL4jfawH/LT/waX+P65:JVoRNaLcLjXx5
Score

1^/10
behavioral12 behavioral13

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

Persistence

Modify Existing Service

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Modify Registry

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10

behavioral11

behavioral12

behavioral13