systembc | 4aef36151871f3ba664f76cb983c36d3[.]zip

Sharing

Copy URL

Twitter E-mail

General

Target

4aef36151871f3ba664f76cb983c36d3.zip
Size

27.3MB
MD5

2a5f3f81788f1c148b23ed3bb1f51bf6
SHA1

c2ba9cab3302ca1fb6d369a1e8a3edaa3e853677
SHA256

0bb78df6c8e049c7a33d2656555e15388a59ee96bde6f221ac5494b959cd60eb
SHA512

32c16d5dfceef5b714a2a6a6fcdbeb8c6575984d5e70cb341ed14012d8951a3f5319442121ae445981b4665db3c5e5114dae41dc2d65cc95dccd5d5de404c15d
SSDEEP

786432:W1HVpI/ZHgDZAgSjEcIiQKFoPIj84PLNA57cZqTox:y1emAGnbIj84PJAcZGc

Score

10^/10

systembc

Malware Config

Extracted

Family

systembc

89.248.163.188:443

Signatures

Systembc family
systembc

Unsigned PE 2 IoCs

Checks for missing Authenticode signature.

Processes:

resource
unpack001/server.exe
unpack001/socks32_tor.dll

Files

4aef36151871f3ba664f76cb983c36d3.zip
.zip
install.txt
server.exe
.exe windows x64

20293b10112f971cfd5c0d157ef0eef1

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

user32

wsprintfA
MessageBoxA

ws2_32

shutdown
recv
send
WSAIoctl
select
WSACleanup
accept
closesocket
listen
bind
htons
htonl
setsockopt
socket
WSAStartup
connect
ioctlsocket

advapi32

RegisterServiceCtrlHandlerA
SetServiceStatus
StartServiceA
OpenServiceA
CloseServiceHandle
CreateServiceA
OpenSCManagerA
StartServiceCtrlDispatcherA

kernel32

WaitForSingleObject
SystemTimeToFileTime
GetSystemTimeAsFileTime
TerminateThread
CreateEventA
VirtualFree
SetEvent
CloseHandle
GetFileSize
CreateFileA
SetUnhandledExceptionFilter
VirtualAlloc
SetFilePointer
WriteFile
ReadFile
GetStdHandle
WriteConsoleA
CopyFileA
GetModuleFileNameA
CreateThread
Sleep
SetCurrentDirectoryA
CreateDirectoryA
ExitProcess

shell32

ShellExecuteExA

Sections

.text
Size: 15KB - Virtual size: 15KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 2KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 1024B - Virtual size: 18.0MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 512B - Virtual size: 372B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 60B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
server.out
.elf linux x64
socks32_tor.dll
.dll windows x86

6ba2dbf9e1289e7704922c7cf2960ae9

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Imports

user32

LoadCursorA
LoadIconA
CreateWindowExA
RegisterClassA
SendMessageA
ShowWindow
TranslateMessage
UpdateWindow
GetWindowThreadProcessId
GetWindowTextA
GetMessageA
GetClassNameA
DispatchMessageA
DefWindowProcA
wsprintfA

kernel32

WriteFile
WaitForSingleObject
VirtualProtect
CloseHandle
CreateDirectoryA
CreateEventA
CreateFileA
CreateThread
CreateToolhelp32Snapshot
DeleteFileA
ExitThread
FileTimeToSystemTime
GetCommandLineW
GetCurrentProcess
GetCurrentProcessId
GetEnvironmentVariableA
GetLocalTime
GetModuleHandleA
GetTempPathA
GetVolumeInformationA
LocalAlloc
LocalFree
OpenProcess
RemoveDirectoryA
SetEvent
SetFilePointer
Sleep
VirtualFree
VirtualAlloc
SystemTimeToFileTime

advapi32

CryptImportKey
CryptExportKey
CryptDestroyKey
CryptAcquireContextA
GetSidSubAuthority
GetTokenInformation
OpenProcessToken
CryptReleaseContext

wsock32

htons
inet_addr
inet_ntoa
ioctlsocket
select
send
setsockopt
shutdown
socket
recv
connect
closesocket
WSAStartup
WSACleanup

shell32

CommandLineToArgvW

ws2_32

WSAIoctl
getaddrinfo
freeaddrinfo

ole32

CoCreateInstance
CoUninitialize
CoInitialize

netapi32

NetGetJoinInformation

secur32

FreeCredentialsHandle
InitSecurityInterfaceA
AcquireCredentialsHandleA
DecryptMessage
DeleteSecurityContext
EncryptMessage
FreeContextBuffer
GetUserNameExW
GetUserNameExA
QueryContextAttributesA
InitializeSecurityContextA

crypt32

CryptStringToBinaryA
CryptDecodeObject

psapi

GetModuleFileNameExA

Exports

Exports

rundll

Sections

.text
Size: 24KB - Virtual size: 24KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 3KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 2KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.reloc
Size: 1024B - Virtual size: 656B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
socks_tor.exe
www/systembc/geoip/GeoLite2-City.mmdb
www/systembc/geoip/geoip2.phar
.js
www/systembc/index.html
www/systembc/password.php
.js

Sharing

General

Malware Config

Extracted

Signatures

Files

20293b10112f971cfd5c0d157ef0eef1

Headers

DLL Characteristics

File Characteristics

Imports

user32

ws2_32

advapi32

kernel32

shell32

Sections

.text Size: 15KB - Virtual size: 15KB

.rdata Size: 2KB - Virtual size: 2KB

.data Size: 1024B - Virtual size: 18.0MB

.pdata Size: 512B - Virtual size: 372B

.rsrc Size: 1KB - Virtual size: 1KB

.reloc Size: 512B - Virtual size: 60B

6ba2dbf9e1289e7704922c7cf2960ae9

Headers

File Characteristics

Imports

user32

kernel32

advapi32

wsock32

shell32

ws2_32

ole32

netapi32

secur32

crypt32

psapi

Exports

Exports

Sections

.text Size: 24KB - Virtual size: 24KB

.rdata Size: 3KB - Virtual size: 2KB

.data Size: 2KB - Virtual size: 1KB

.reloc Size: 1024B - Virtual size: 656B

.text
Size: 15KB - Virtual size: 15KB

.rdata
Size: 2KB - Virtual size: 2KB

.data
Size: 1024B - Virtual size: 18.0MB

.pdata
Size: 512B - Virtual size: 372B

.rsrc
Size: 1KB - Virtual size: 1KB

.reloc
Size: 512B - Virtual size: 60B

.text
Size: 24KB - Virtual size: 24KB

.rdata
Size: 3KB - Virtual size: 2KB

.data
Size: 2KB - Virtual size: 1KB

.reloc
Size: 1024B - Virtual size: 656B