Resubmissions

15/04/2024, 11:19 UTC

240415-nfa1nada96 10

10/04/2024, 03:13 UTC

240410-dqqhzsfh2w 10

10/04/2024, 03:12 UTC

240410-dqp78ace62 10

10/04/2024, 03:12 UTC

240410-dqplpafh2v 10

10/04/2024, 03:12 UTC

240410-dqpaxsce59 10

22/12/2023, 00:59 UTC

231222-bb35escaf6 10

Analysis

  • max time kernel
    144s
  • max time network
    139s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags
    arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  • submitted
    22/12/2023, 00:59 UTC

General

  • Target

    3e58382005322606bd6ae12da2f209b1.exe

  • Size

    209KB

  • MD5

    3e58382005322606bd6ae12da2f209b1

  • SHA1

    0afab0c2514061f3d341f720705e54aad4a4f36e

  • SHA256

    9ab42dd0edbb92405904350c550525878312858405e737c7414025dab5981c80

  • SHA512

    13c8df1f07d1584cc827fcc78b691cac78e7cd95ad0e2578974acb9bd8b0c2770d410d743fdc84ffa4c1a431ebe05772715d6bd57489abb7dc249b43b241c1ee

  • SSDEEP

    6144:YDnLgI91y1UkT57iJz/DpURWPSvHuUiYphu1UR:cnLh9yn52rpUR5vHuRYpM+R

Score
10/10

Malware Config

Extracted

Family

systembc

C2

yan0212.com:4039

yan0212.net:4039

Signatures

  • SystemBC

    SystemBC is a proxy and remote administration tool first seen in 2019.

  • Executes dropped EXE 1 IoCs
  • UPX packed file 1 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Looks up external IP address via web service 4 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Uses Tor communications 1 TTPs

    Malware can proxy its traffic through Tor for more anonymity.

  • Drops file in Windows directory 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3e58382005322606bd6ae12da2f209b1.exe
    "C:\Users\Admin\AppData\Local\Temp\3e58382005322606bd6ae12da2f209b1.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    PID:2372
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {5A7B7C7A-C460-48A7-826B-792E3C02489B} S-1-5-18:NT AUTHORITY\System:Service:
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2072
    • C:\ProgramData\qijmuf\hcbbhjb.exe
      C:\ProgramData\qijmuf\hcbbhjb.exe start
      2⤵
      • Executes dropped EXE
      PID:1260

Network

  • flag-us
    DNS
    yan0212.com
    hcbbhjb.exe
    Remote address:
    8.8.8.8:53
    Request
    yan0212.com
    IN A
    Response
  • flag-us
    DNS
    yan0212.net
    hcbbhjb.exe
    Remote address:
    8.8.8.8:53
    Request
    yan0212.net
    IN A
    Response
  • flag-us
    DNS
    yan0212.net
    hcbbhjb.exe
    Remote address:
    8.8.8.8:53
    Request
    yan0212.net
    IN A
  • flag-us
    DNS
    api.ipify.org
    hcbbhjb.exe
    Remote address:
    8.8.8.8:53
    Request
    api.ipify.org
    IN A
    Response
    api.ipify.org
    IN CNAME
    api4.ipify.org
    api4.ipify.org
    IN A
    64.185.227.156
    api4.ipify.org
    IN A
    104.237.62.212
    api4.ipify.org
    IN A
    173.231.16.77
  • flag-us
    DNS
    ip4.seeip.org
    hcbbhjb.exe
    Remote address:
    8.8.8.8:53
    Request
    ip4.seeip.org
    IN A
    Response
    ip4.seeip.org
    IN A
    23.128.64.141
  • flag-us
    GET
    https://ip4.seeip.org/
    hcbbhjb.exe
    Remote address:
    23.128.64.141:443
    Request
    GET / HTTP/1.0
    Host: ip4.seeip.org
    User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
    Connection: close
    Response
    HTTP/1.1 200 OK
    Server: nginx/1.14.0 (Ubuntu)
    Date: Sat, 23 Dec 2023 02:51:43 GMT
    Content-Type: text/plain
    Content-Length: 12
    Connection: close
    strict-transport-security: max-age=31536000; includeSubDomains
  • flag-de
    GET
    http://193.23.244.244/tor/status-vote/current/consensus
    hcbbhjb.exe
    Remote address:
    193.23.244.244:80
    Request
    GET /tor/status-vote/current/consensus HTTP/1.0
    Host: 193.23.244.244
    User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
    Connection: close
    Response
    HTTP/1.0 200 OK
    Date: Sat, 23 Dec 2023 02:51:53 GMT
    Content-Type: text/plain
    X-Your-Address-Is: 89.149.23.59
    Content-Encoding: identity
    Expires: Sat, 23 Dec 2023 03:00:00 GMT
    Vary: X-Or-Diff-From-Consensus
  • flag-de
    GET
    http://193.23.244.244/tor/server/fp/15fcfec81522453a58ae3884d660a621a8472816
    hcbbhjb.exe
    Remote address:
    193.23.244.244:80
    Request
    GET /tor/server/fp/15fcfec81522453a58ae3884d660a621a8472816 HTTP/1.0
    Host: 193.23.244.244
    User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
    Connection: close
    Response
    HTTP/1.0 200 OK
    Date: Sat, 23 Dec 2023 02:52:19 GMT
    Content-Type: text/plain
    X-Your-Address-Is: 89.149.23.59
    Content-Encoding: identity
    Expires: Mon, 25 Dec 2023 02:52:19 GMT
  • flag-de
    GET
    http://193.23.244.244/tor/server/fp/c84f248d3b24655cc96e17b3cf41e0b88d28947e
    hcbbhjb.exe
    Remote address:
    193.23.244.244:80
    Request
    GET /tor/server/fp/c84f248d3b24655cc96e17b3cf41e0b88d28947e HTTP/1.0
    Host: 193.23.244.244
    User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
    Connection: close
    Response
    HTTP/1.0 200 OK
    Date: Sat, 23 Dec 2023 02:52:20 GMT
    Content-Type: text/plain
    X-Your-Address-Is: 89.149.23.59
    Content-Encoding: identity
    Expires: Mon, 25 Dec 2023 02:52:20 GMT
  • flag-de
    GET
    http://193.23.244.244/tor/server/fp/6ede2829b8644250aa66b75962f3bf054c2b0414
    hcbbhjb.exe
    Remote address:
    193.23.244.244:80
    Request
    GET /tor/server/fp/6ede2829b8644250aa66b75962f3bf054c2b0414 HTTP/1.0
    Host: 193.23.244.244
    User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
    Connection: close
    Response
    HTTP/1.0 200 OK
    Date: Sat, 23 Dec 2023 02:52:49 GMT
    Content-Type: text/plain
    X-Your-Address-Is: 89.149.23.59
    Content-Encoding: identity
    Expires: Mon, 25 Dec 2023 02:52:49 GMT
  • flag-de
    GET
    http://193.23.244.244/tor/server/fp/a6b930286ed9b7233f961b1db0e0f5c9ed949f79
    hcbbhjb.exe
    Remote address:
    193.23.244.244:80
    Request
    GET /tor/server/fp/a6b930286ed9b7233f961b1db0e0f5c9ed949f79 HTTP/1.0
    Host: 193.23.244.244
    User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
    Connection: close
    Response
    HTTP/1.0 200 OK
    Date: Sat, 23 Dec 2023 02:53:09 GMT
    Content-Type: text/plain
    X-Your-Address-Is: 89.149.23.59
    Content-Encoding: identity
    Expires: Mon, 25 Dec 2023 02:53:09 GMT
  • 64.185.227.156:443
    api.ipify.org
    tls
    hcbbhjb.exe
    347 B
    211 B
    5
    5
  • 23.128.64.141:443
    https://ip4.seeip.org/
    tls, http
    hcbbhjb.exe
    932 B
    5.3kB
    11
    12

    HTTP Request

    GET https://ip4.seeip.org/

    HTTP Response

    200
  • 194.109.206.212:80
    hcbbhjb.exe
    152 B
    3
  • 193.23.244.244:80
    http://193.23.244.244/tor/status-vote/current/consensus
    http
    hcbbhjb.exe
    65.7kB
    3.4MB
    1405
    2435

    HTTP Request

    GET http://193.23.244.244/tor/status-vote/current/consensus

    HTTP Response

    200
  • 185.44.81.10:9200
    tls
    hcbbhjb.exe
    460 B
    219 B
    6
    5
  • 46.142.6.126:9001
    tls
    hcbbhjb.exe
    325 B
    219 B
    5
    5
  • 185.26.156.13:40745
    tls
    hcbbhjb.exe
    1.2kB
    3.5kB
    9
    8
  • 193.23.244.244:80
    http://193.23.244.244/tor/server/fp/15fcfec81522453a58ae3884d660a621a8472816
    http
    hcbbhjb.exe
    480 B
    2.8kB
    6
    5

    HTTP Request

    GET http://193.23.244.244/tor/server/fp/15fcfec81522453a58ae3884d660a621a8472816

    HTTP Response

    200
  • 45.158.77.29:9100
    tls
    hcbbhjb.exe
    325 B
    219 B
    5
    5
  • 194.62.187.100:9000
    tls
    hcbbhjb.exe
    1.3kB
    3.6kB
    11
    11
  • 193.23.244.244:80
    http://193.23.244.244/tor/server/fp/c84f248d3b24655cc96e17b3cf41e0b88d28947e
    http
    hcbbhjb.exe
    770 B
    2.8kB
    8
    5

    HTTP Request

    GET http://193.23.244.244/tor/server/fp/c84f248d3b24655cc96e17b3cf41e0b88d28947e

    HTTP Response

    200
  • 84.54.51.91:443
    tls
    hcbbhjb.exe
    460 B
    219 B
    6
    5
  • 89.147.108.149:9001
    tls
    hcbbhjb.exe
    371 B
    219 B
    6
    5
  • 136.34.168.93:9001
    tls
    hcbbhjb.exe
    325 B
    219 B
    5
    5
  • 81.6.47.149:443
    tls
    hcbbhjb.exe
    325 B
    219 B
    5
    5
  • 95.249.179.143:9001
    tls
    hcbbhjb.exe
    325 B
    219 B
    5
    5
  • 193.108.118.209:80
    tls
    hcbbhjb.exe
    325 B
    172 B
    5
    4
  • 95.214.53.96:8448
    tls
    hcbbhjb.exe
    325 B
    219 B
    5
    5
  • 208.38.228.104:2197
    tls
    hcbbhjb.exe
    325 B
    219 B
    5
    5
  • 78.47.39.90:443
    tls
    hcbbhjb.exe
    377 B
    219 B
    6
    5
  • 45.90.4.235:9001
    tls
    hcbbhjb.exe
    325 B
    219 B
    5
    5
  • 217.82.107.147:9001
    tls
    hcbbhjb.exe
    371 B
    219 B
    6
    5
  • 91.60.108.228:27777
    hcbbhjb.exe
    152 B
    3
  • 107.189.6.38:9001
    tls
    hcbbhjb.exe
    325 B
    219 B
    5
    5
  • 195.154.178.213:9700
    tls
    hcbbhjb.exe
    1.9kB
    3.5kB
    11
    9
  • 193.23.244.244:80
    http://193.23.244.244/tor/server/fp/6ede2829b8644250aa66b75962f3bf054c2b0414
    http
    hcbbhjb.exe
    954 B
    11.5kB
    12
    12

    HTTP Request

    GET http://193.23.244.244/tor/server/fp/6ede2829b8644250aa66b75962f3bf054c2b0414

    HTTP Response

    200
  • 172.105.183.252:443
    tls
    hcbbhjb.exe
    325 B
    219 B
    5
    5
  • 185.119.119.63:8080
    tls
    hcbbhjb.exe
    1.3kB
    3.6kB
    10
    11
  • 193.23.244.244:80
    http://193.23.244.244/tor/server/fp/a6b930286ed9b7233f961b1db0e0f5c9ed949f79
    http
    hcbbhjb.exe
    480 B
    2.7kB
    6
    5

    HTTP Request

    GET http://193.23.244.244/tor/server/fp/a6b930286ed9b7233f961b1db0e0f5c9ed949f79

    HTTP Response

    200
  • 167.99.136.66:9001
    tls
    hcbbhjb.exe
    325 B
    219 B
    5
    5
  • 170.64.170.115:9001
    tls
    hcbbhjb.exe
    377 B
    226 B
    6
    5
  • 142.132.212.158:9001
    tls
    hcbbhjb.exe
    325 B
    219 B
    5
    5
  • 104.237.152.224:4834
    tls
    hcbbhjb.exe
    325 B
    219 B
    5
    5
  • 193.81.127.139:9001
    tls
    hcbbhjb.exe
    325 B
    219 B
    5
    5
  • 195.20.255.175:443
    tls
    hcbbhjb.exe
    325 B
    219 B
    5
    5
  • 185.237.13.88:443
    tls, https
    hcbbhjb.exe
    969 B
    1.5kB
    12
    9
  • 146.190.96.130:9001
    tls
    hcbbhjb.exe
    325 B
    219 B
    5
    5
  • 198.74.52.66:444
    tls
    hcbbhjb.exe
    1.1kB
    3.5kB
    7
    9
  • 8.8.8.8:53
    yan0212.com
    dns
    hcbbhjb.exe
    57 B
    130 B
    1
    1

    DNS Request

    yan0212.com

  • 8.8.8.8:53
    yan0212.net
    dns
    hcbbhjb.exe
    114 B
    130 B
    2
    1

    DNS Request

    yan0212.net

    DNS Request

    yan0212.net

  • 8.8.8.8:53
    api.ipify.org
    dns
    hcbbhjb.exe
    59 B
    126 B
    1
    1

    DNS Request

    api.ipify.org

    DNS Response

    64.185.227.156
    104.237.62.212
    173.231.16.77

  • 8.8.8.8:53
    ip4.seeip.org
    dns
    hcbbhjb.exe
    59 B
    75 B
    1
    1

    DNS Request

    ip4.seeip.org

    DNS Response

    23.128.64.141

MITRE ATT&CK Enterprise v15

Downloads

  • C:\ProgramData\qijmuf\hcbbhjb.exe

    Filesize

    209KB

    MD5

    3e58382005322606bd6ae12da2f209b1

    SHA1

    0afab0c2514061f3d341f720705e54aad4a4f36e

    SHA256

    9ab42dd0edbb92405904350c550525878312858405e737c7414025dab5981c80

    SHA512

    13c8df1f07d1584cc827fcc78b691cac78e7cd95ad0e2578974acb9bd8b0c2770d410d743fdc84ffa4c1a431ebe05772715d6bd57489abb7dc249b43b241c1ee

  • memory/1260-10-0x0000000004690000-0x0000000004790000-memory.dmp

    Filesize

    1024KB

  • memory/1260-12-0x0000000000400000-0x00000000045F0000-memory.dmp

    Filesize

    65.9MB

  • memory/1260-16-0x0000000004690000-0x0000000004790000-memory.dmp

    Filesize

    1024KB

  • memory/2372-1-0x00000000046E0000-0x00000000047E0000-memory.dmp

    Filesize

    1024KB

  • memory/2372-2-0x0000000000020000-0x0000000000029000-memory.dmp

    Filesize

    36KB

  • memory/2372-9-0x0000000000400000-0x00000000045F0000-memory.dmp

    Filesize

    65.9MB

  • memory/2372-13-0x00000000046E0000-0x00000000047E0000-memory.dmp

    Filesize

    1024KB
