systembc | 09800c68e162c77868d7f4bf14cf89b63d4c3e62a3da81a21455633f469ffcdc

Resubmissions

17-04-2024 12:47

240417-p1aq3ahc4w 10

17-04-2024 12:47

17-04-2024 12:47

17-04-2024 12:46

17-04-2024 12:46

17-04-2024 06:16

Analysis

max time kernel
1203s
max time network
1209s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
17-04-2024 12:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

09800c68e162c77868d7f4bf14cf89b63d4c3e62a3da81a21455633f469ffcdc.exe
Size

221KB
MD5

364d59e179ebcd469dce4f231789732d
SHA1

bc86ba43147fe0d301a32b66193dd2930b8af1d2
SHA256

09800c68e162c77868d7f4bf14cf89b63d4c3e62a3da81a21455633f469ffcdc
SHA512

92ae882cb803b23dc344a42b07ffcc77999f71dcd6b7bf1d2ca7e7306a7642543a2cc85f2bdf18df67151a8b2145509363b2552d4e5361715bc55b934db046fe
SSDEEP

6144:0YlvDFWQtzoa2gUayZSSnBcaa5MKmtVgykK:BNtzPqUgkNM4

Score

10^/10

systembc trojan upx

Malware Config

Extracted

Family

systembc

yan0212.com:4039

yan0212.net:4039

Signatures

SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc

Executes dropped EXE 1 IoCs

pid	Process
3580	deiga.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral4/files/0x000500000001e82b-6.dat	upx

Unexpected DNS network traffic destination 1 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	88.216.223.2

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
48	api.ipify.org
49	api.ipify.org

Uses Tor communications 1 TTPs
Malware can proxy its traffic through Tor for more anonymity.

Proxy
T1090

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\deiga.job	09800c68e162c77868d7f4bf14cf89b63d4c3e62a3da81a21455633f469ffcdc.exe
File opened for modification	C:\Windows\Tasks\deiga.job	09800c68e162c77868d7f4bf14cf89b63d4c3e62a3da81a21455633f469ffcdc.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2816	1928	WerFault.exe	81

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1928	09800c68e162c77868d7f4bf14cf89b63d4c3e62a3da81a21455633f469ffcdc.exe
1928	09800c68e162c77868d7f4bf14cf89b63d4c3e62a3da81a21455633f469ffcdc.exe

C:\Users\Admin\AppData\Local\Temp\09800c68e162c77868d7f4bf14cf89b63d4c3e62a3da81a21455633f469ffcdc.exe
"C:\Users\Admin\AppData\Local\Temp\09800c68e162c77868d7f4bf14cf89b63d4c3e62a3da81a21455633f469ffcdc.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:1928
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1928 -s 488
  2⤵
  - Program crash
  PID:2816

C:\ProgramData\ilsr\deiga.exe
C:\ProgramData\ilsr\deiga.exe start
1⤵
- Executes dropped EXE
PID:3580

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 1928 -ip 1928
1⤵
PID:4648

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Proxy

T1090

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\ilsr\deiga.exe

Filesize
221KB

MD5
364d59e179ebcd469dce4f231789732d

SHA1
bc86ba43147fe0d301a32b66193dd2930b8af1d2

SHA256
09800c68e162c77868d7f4bf14cf89b63d4c3e62a3da81a21455633f469ffcdc

SHA512
92ae882cb803b23dc344a42b07ffcc77999f71dcd6b7bf1d2ca7e7306a7642543a2cc85f2bdf18df67151a8b2145509363b2552d4e5361715bc55b934db046fe

Download Submit
memory/1928-0-0x00000000069A0000-0x00000000069A6000-memory.dmp

Filesize
24KB

Download
memory/1928-1-0x00000000069B0000-0x00000000069B9000-memory.dmp

Filesize
36KB

Download
memory/1928-2-0x0000000000400000-0x0000000004C6C000-memory.dmp

Filesize
72.4MB

Download
memory/3580-9-0x0000000004CA0000-0x0000000004CA6000-memory.dmp

Filesize
24KB

Download
memory/3580-10-0x0000000004D00000-0x0000000004D09000-memory.dmp

Filesize
36KB

Download
memory/3580-12-0x0000000000400000-0x0000000004C6C000-memory.dmp

Filesize
72.4MB

Download