systembc | 722aff7500dfce8737389cef11282becce37827df3ca9069b68bac66efb02287

Resubmissions

17-04-2024 12:21

240417-pjbxssee52 10

17-04-2024 12:20

17-04-2024 12:20

17-04-2024 12:20

17-04-2024 12:20

17-04-2024 06:15

Analysis

max time kernel
598s
max time network
599s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
17-04-2024 12:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

722aff7500dfce8737389cef11282becce37827df3ca9069b68bac66efb02287.exe
Size

856KB
MD5

f7d59f44fee4981011624cfad18f5337
SHA1

db1cb01bfb123b2f5fb1240d57f263573d90433f
SHA256

722aff7500dfce8737389cef11282becce37827df3ca9069b68bac66efb02287
SHA512

633774cda15ad084b8aa6cdde1783450c3bafdfb744cf3e79066632e785261f93e520b5a0f346623727f2158f562b691ab16b0e55bc209f364414843df929965
SSDEEP

1536:ysXQ0yVN2gV0GnoX1kPYqwtFUNn0WJWsa9tjUQukOVRct3Z3zAtp:xQX2gV1lwqaFFF9tjUXfVRo

Score

10^/10

systembc trojan

Malware Config

Extracted

Family

systembc

asdasd08.com:4039

asdasd08.xyz:4039

Signatures

SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc

Executes dropped EXE 1 IoCs

pid	Process
2308	vvgitr.exe

Unexpected DNS network traffic destination 1 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	88.216.223.3

Looks up external IP address via web service 4 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
6	api.ipify.org
7	api.ipify.org
8	ip4.seeip.org
9	ip4.seeip.org

Uses Tor communications 1 TTPs
Malware can proxy its traffic through Tor for more anonymity.

Proxy
T1090

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\vvgitr.job	722aff7500dfce8737389cef11282becce37827df3ca9069b68bac66efb02287.exe
File opened for modification	C:\Windows\Tasks\vvgitr.job	722aff7500dfce8737389cef11282becce37827df3ca9069b68bac66efb02287.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2864	722aff7500dfce8737389cef11282becce37827df3ca9069b68bac66efb02287.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2860 wrote to memory of 2308	2860	taskeng.exe	29
PID 2860 wrote to memory of 2308	2860	taskeng.exe	29
PID 2860 wrote to memory of 2308	2860	taskeng.exe	29
PID 2860 wrote to memory of 2308	2860	taskeng.exe	29

C:\Users\Admin\AppData\Local\Temp\722aff7500dfce8737389cef11282becce37827df3ca9069b68bac66efb02287.exe
"C:\Users\Admin\AppData\Local\Temp\722aff7500dfce8737389cef11282becce37827df3ca9069b68bac66efb02287.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:2864

C:\Windows\system32\taskeng.exe
taskeng.exe {11E7E176-000F-48A1-A7A8-C91839E9A31F} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:2860
- C:\ProgramData\agjoruw\vvgitr.exe
  C:\ProgramData\agjoruw\vvgitr.exe start
  2⤵
  - Executes dropped EXE
  PID:2308

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Proxy

T1090

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\agjoruw\vvgitr.exe

Filesize
856KB

MD5
f7d59f44fee4981011624cfad18f5337

SHA1
db1cb01bfb123b2f5fb1240d57f263573d90433f

SHA256
722aff7500dfce8737389cef11282becce37827df3ca9069b68bac66efb02287

SHA512
633774cda15ad084b8aa6cdde1783450c3bafdfb744cf3e79066632e785261f93e520b5a0f346623727f2158f562b691ab16b0e55bc209f364414843df929965

Download Submit