Overview

overview

10

Static

static

10

server.exe

windows7-x64

8

server.exe

windows10-2004-x64

8

server.out

ubuntu-18.04-amd64

7

socks32_tor.dll

windows7-x64

8

socks32_tor.dll

windows10-2004-x64

8

socks_tor.exe

windows7-x64

10

socks_tor.exe

windows10-2004-x64

10

www/system...ip2.js

windows7-x64

1

www/system...ip2.js

windows10-2004-x64

1

www/system...x.html

windows7-x64

1

www/system...x.html

windows10-2004-x64

1

www/system...ord.js

windows7-x64

1

www/system...ord.js

windows10-2004-x64

1

Sharing

Copy URL
Twitter E-mail

General

  • Target

    4aef36151871f3ba664f76cb983c36d3.zip

  • Size

    27.3MB

  • Sample

    230509-fhz4kagb6x

  • MD5

    2a5f3f81788f1c148b23ed3bb1f51bf6

  • SHA1

    c2ba9cab3302ca1fb6d369a1e8a3edaa3e853677

  • SHA256

    0bb78df6c8e049c7a33d2656555e15388a59ee96bde6f221ac5494b959cd60eb

  • SHA512

    32c16d5dfceef5b714a2a6a6fcdbeb8c6575984d5e70cb341ed14012d8951a3f5319442121ae445981b4665db3c5e5114dae41dc2d65cc95dccd5d5de404c15d

  • SSDEEP

    786432:W1HVpI/ZHgDZAgSjEcIiQKFoPIj84PLNA57cZqTox:y1emAGnbIj84PJAcZGc

Score
10/10
systembcevasionlinuxpersistencetrojan

Malware Config

Extracted

Family

systembc

C2

89.248.163.188:443

Targets

    • Target

      server.exe

    • Size

      22KB

    • MD5

      3e5b7dedb99563e687b56384bcd24823

    • SHA1

      17425dd4f9c65e1a5c8b4bcbef298d4dc625ae30

    • SHA256

      c154d0f2c61353e96026f7036e79e8217b078bbf1947d7a2d7753cab657022f1

    • SHA512

      ee97b1e8ab38bced198206a8b78d324c43df4eeb5bd96d484569cafe5527a55b52736708d7e38fcf2925f252e823efe894b5cae443025580c1507c0d920ad389

    • SSDEEP

      384:IMWFbYuh12fGSjkd867JswS/oyVFiGspJjHO5rf1k7SWOoD21pE3nZ6IML:I38uhkfGS8W/rVFiGspJGrq7SAspcyL

    Score
    8/10
    evasion

    • Modifies Windows Firewall

      evasion

    • Executes dropped EXE

    behavioral1behavioral2

    • Target

      server.out

    • Size

      15KB

    • MD5

      4e0a5548d669fb559fc9557c29d1300d

    • SHA1

      20c475d06b77ea4078db08814acebc6c9d8a47ca

    • SHA256

      b69738c655dee0071b1ce37ab5227018ebce01ba5e90d28bd82d63c46e9e63a4

    • SHA512

      7f128a3110bea36b22a3f784b991f0a4b44f2c01a5df837ac0badb3742f8da742f0bd971fa492829db413c9f69b6dd8c64ec6934b33da4ef11d0025522878dbb

    • SSDEEP

      192:GflaEbxJEYalA9qF9Aig5B7PNTa8EBiB6hygBCyftVm5cmF4tGEApxn:3UClA9kxg/FTyUM4gBCyftV2342px

    Score
    7/10
    persistence

    • Creates/modifies Cron job

      Cron allows running tasks on a schedule, and is commonly used for malware persistence.

      persistence

    • Executes dropped EXE

    • Reads runtime system information

      Reads data from /proc virtual filesystem.

    • Writes file to tmp directory

      Malware often drops required files in the /tmp directory.

    behavioral3

    • Target

      socks32_tor.dll

    • Size

      31KB

    • MD5

      ab2358024b8fa1f8d2ba06ff7980734f

    • SHA1

      ee98a887090a0d04408d23ffb87fe933b2287107

    • SHA256

      77eb1714a4eb6c8c138e3a013bb20633122039a71c46d7b579722baaa91c0f34

    • SHA512

      a0958ac9ea9329ff6026ab22ce733970edc4e3604cbc5179c45ac76859789377e9fcdc704c04be30527e75cb362118bbcd8dc3022931111eb66cf9766ee02e74

    • SSDEEP

      768:bS8Mc/ReGneyfP5iqiWsNhGDoh2EfoJdmA:8c/ReGnnhig4Lh2Efo

    Score
    8/10

    • Blocklisted process makes network request

    behavioral4behavioral5

    • Target

      socks_tor.exe

    • Size

      32KB

    • MD5

      af6bc46db7a4d4ab3f4689848de18ddc

    • SHA1

      5e00ccab03314b6c37a0a16f646fb13b8d1072ab

    • SHA256

      c671384b86b7a99d4328402936f51ca9143543f8e6f715c8315e18d2e3c660e6

    • SHA512

      81260938cc4b68cd61ed496ba99a873b2abdce7a57f27f9cbdab2acd1e70cade3acb394f0a2da01e4a3935deccf1b4006f550c38c2dbc1c4f2c19ad22a04250c

    • SSDEEP

      768:HqPzUdiJ8dayafVcCSWYVYnPrryFbnpoJo2TZKc6wFg:YLJ8dayaaupDobnpo2wZu

    Score
    10/10
    systembctrojan

    • SystemBC

      SystemBC is a proxy and remote administration tool first seen in 2019.

      trojansystembc

    • Executes dropped EXE

    behavioral6behavioral7

    • Target

      www/systembc/geoip/geoip2.phar

    • Size

      347KB

    • MD5

      71d14334860b780ee91902ea71d7518a

    • SHA1

      7316e1354447c369fd991d5a7db6b923f3c886f0

    • SHA256

      7f7a6ba15f126642ea88c6cf9354f561f6fb86948dd713ac3d8af5d169d25128

    • SHA512

      bb42ebf6e9203175cc2cc3aaa6d20b0fbe56d1dfa0545513dc55c4efd8876514b0a22d7289cebd7cc36319342eed061df801efd391e5e85bcbc9dbc0ff4dc319

    • SSDEEP

      6144:VsRsRTZMPNc5Wb7qxz7d9/UaNR6dTd4tL2b0ObTDdTDFTXjR7:VsRsRTZMPNce+1576f4tLe0ObTpNjR7

    Score
    1/10
    behavioral8behavioral9

    • Target

      www/systembc/index.html

    • Size

      16B

    • MD5

      f5a101e1a581bd03a5709b5c36f4c9c5

    • SHA1

      86548e7c6168d3d05819da7b4c4c94547bea43b5

    • SHA256

      a14b2375d7042a76207b40292ea3b5dec759b9908c566d5701493e1e6b381242

    • SHA512

      df6337bd65e4e4a01c256d55eb4cb11576e5b1da2c729c8b251a2f4752fb3128aa91667d58b938aec334651ea30b420a90459214f05cc70b8cda6b6d67564e9a

    Score
    1/10
    behavioral10behavioral11

    • Target

      www/systembc/password.php

    • Size

      27KB

    • MD5

      076b51a0d49cb77762f21c5855e2b95e

    • SHA1

      2380fe6f1f0cf67dacce22aebe143c06e31ab18a

    • SHA256

      61fad625af0ae280a5f89d2c407abffd9f7654e191a4b336f9db8ed00cdebda1

    • SHA512

      ed149eb3da34f2333637fe0704fb8197886159afb05c069ffae03ec830076d72419bc9924320498322b2a846f523cbcac93f3a2c580ffc9df3bccf04b425b906

    • SSDEEP

      384:Bx8SVq9RuqK4d1lBwWWL4jfawH/LT/waX+P65:JVoRNaLcLjXx5

    Score
    1/10
    behavioral12behavioral13

MITRE ATT&CK Enterprise v6

Tasks