systembc | fe74f06d7437d213d96466b4475db2809c60a4e8aced9df338f4a71cf9bc7c16

General

Target

file.exe
Size

4.5MB
MD5

96422a2b982c99614d31dff7f2b64680
SHA1

e8f25aa518b0ef54bcdf770479ef28dd99dd8efc
SHA256

fe74f06d7437d213d96466b4475db2809c60a4e8aced9df338f4a71cf9bc7c16
SHA512

882beba69a0ab2d6f7d048ecb4666b9ba4fe3ea17387ece13fb5bd589ce0db4d7343fbce6e2d836192aed2a920aae4edd1f4b6fa090fe807d54e024dbc234de9
SSDEEP

24576:Epu+lTdASQBeSbtpO2+RZ8XK5OG/wS4gIVnxff9t+oQ9GXiqgbaaz2ub2UbRdL/h:EX

Score

10^/10

systembc zgrat persistence rat trojan

Malware Config

Extracted

Family

systembc

C2

158.58.172.125:4018

185.219.82.231:4018

Signatures

Detect ZGRat V1 34 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3168-2-0x0000000006E70000-0x00000000070B0000-memory.dmp	family_zgrat_v1
behavioral2/memory/3168-16-0x0000000006E70000-0x00000000070AA000-memory.dmp	family_zgrat_v1
behavioral2/memory/3168-18-0x0000000006E70000-0x00000000070AA000-memory.dmp	family_zgrat_v1
behavioral2/memory/3168-65-0x0000000006E70000-0x00000000070AA000-memory.dmp	family_zgrat_v1
behavioral2/memory/3168-68-0x0000000006E70000-0x00000000070AA000-memory.dmp	family_zgrat_v1
behavioral2/memory/3168-66-0x0000000006E70000-0x00000000070AA000-memory.dmp	family_zgrat_v1
behavioral2/memory/3168-62-0x0000000006E70000-0x00000000070AA000-memory.dmp	family_zgrat_v1
behavioral2/memory/3168-58-0x0000000006E70000-0x00000000070AA000-memory.dmp	family_zgrat_v1
behavioral2/memory/3168-56-0x0000000006E70000-0x00000000070AA000-memory.dmp	family_zgrat_v1
behavioral2/memory/3168-54-0x0000000006E70000-0x00000000070AA000-memory.dmp	family_zgrat_v1
behavioral2/memory/3168-50-0x0000000006E70000-0x00000000070AA000-memory.dmp	family_zgrat_v1
behavioral2/memory/3168-46-0x0000000006E70000-0x00000000070AA000-memory.dmp	family_zgrat_v1
behavioral2/memory/3168-44-0x0000000006E70000-0x00000000070AA000-memory.dmp	family_zgrat_v1
behavioral2/memory/3168-42-0x0000000006E70000-0x00000000070AA000-memory.dmp	family_zgrat_v1
behavioral2/memory/3168-38-0x0000000006E70000-0x00000000070AA000-memory.dmp	family_zgrat_v1
behavioral2/memory/3168-36-0x0000000006E70000-0x00000000070AA000-memory.dmp	family_zgrat_v1
behavioral2/memory/3168-60-0x0000000006E70000-0x00000000070AA000-memory.dmp	family_zgrat_v1
behavioral2/memory/3168-52-0x0000000006E70000-0x00000000070AA000-memory.dmp	family_zgrat_v1
behavioral2/memory/3168-49-0x0000000006E70000-0x00000000070AA000-memory.dmp	family_zgrat_v1
behavioral2/memory/3168-40-0x0000000006E70000-0x00000000070AA000-memory.dmp	family_zgrat_v1
behavioral2/memory/3168-34-0x0000000006E70000-0x00000000070AA000-memory.dmp	family_zgrat_v1
behavioral2/memory/3168-32-0x0000000006E70000-0x00000000070AA000-memory.dmp	family_zgrat_v1
behavioral2/memory/3168-30-0x0000000006E70000-0x00000000070AA000-memory.dmp	family_zgrat_v1
behavioral2/memory/3168-28-0x0000000006E70000-0x00000000070AA000-memory.dmp	family_zgrat_v1
behavioral2/memory/3168-26-0x0000000006E70000-0x00000000070AA000-memory.dmp	family_zgrat_v1
behavioral2/memory/3168-24-0x0000000006E70000-0x00000000070AA000-memory.dmp	family_zgrat_v1
behavioral2/memory/3168-22-0x0000000006E70000-0x00000000070AA000-memory.dmp	family_zgrat_v1
behavioral2/memory/3168-20-0x0000000006E70000-0x00000000070AA000-memory.dmp	family_zgrat_v1
behavioral2/memory/3168-14-0x0000000006E70000-0x00000000070AA000-memory.dmp	family_zgrat_v1
behavioral2/memory/3168-12-0x0000000006E70000-0x00000000070AA000-memory.dmp	family_zgrat_v1
behavioral2/memory/3168-10-0x0000000006E70000-0x00000000070AA000-memory.dmp	family_zgrat_v1
behavioral2/memory/3168-8-0x0000000006E70000-0x00000000070AA000-memory.dmp	family_zgrat_v1
behavioral2/memory/3168-6-0x0000000006E70000-0x00000000070AA000-memory.dmp	family_zgrat_v1
behavioral2/memory/3168-5-0x0000000006E70000-0x00000000070AA000-memory.dmp	family_zgrat_v1

SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc
ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat
Drops startup file 1 IoCs

Processes:

file.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\$77Wakgksusfez.vbs file.exe
Executes dropped EXE 2 IoCs

Processes:

$77759ad8$77b04949

pid process

4760 $77759ad8
4396 $77b04949

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\$77Wakgksusfez.vbs	file.exe

pid	process
4760	$77759ad8
4396	$77b04949

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

$77b04949

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\socks5 = "powershell.exe -windowstyle hidden -Command \"& 'C:\\Users\\Admin\\AppData\\Local\\Temp\\$77b04949'\""	$77b04949

Suspicious use of SetThreadContext 2 IoCs

Processes:

file.exe

description pid process target process

PID 3168 set thread context of 4760 3168 file.exe $77759ad8
PID 3168 set thread context of 4396 3168 file.exe $77b04949
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1176 4760 WerFault.exe $77759ad8
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

file.exe

pid process

3168 file.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

file.exe

description pid process

Token: SeDebugPrivilege 3168 file.exe
Token: SeDebugPrivilege 3168 file.exe

description	pid	process	target process
PID 3168 set thread context of 4760	3168	file.exe	$77759ad8
PID 3168 set thread context of 4396	3168	file.exe	$77b04949

pid	pid_target	process	target process
1176	4760	WerFault.exe	$77759ad8

pid	process
3168	file.exe

description	pid	process
Token: SeDebugPrivilege	3168	file.exe
Token: SeDebugPrivilege	3168	file.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

file.exe

description	pid	process	target process
PID 3168 wrote to memory of 4760	3168	file.exe	$77759ad8
PID 3168 wrote to memory of 4760	3168	file.exe	$77759ad8
PID 3168 wrote to memory of 4760	3168	file.exe	$77759ad8
PID 3168 wrote to memory of 4760	3168	file.exe	$77759ad8
PID 3168 wrote to memory of 4760	3168	file.exe	$77759ad8
PID 3168 wrote to memory of 4760	3168	file.exe	$77759ad8
PID 3168 wrote to memory of 4760	3168	file.exe	$77759ad8
PID 3168 wrote to memory of 4760	3168	file.exe	$77759ad8
PID 3168 wrote to memory of 4760	3168	file.exe	$77759ad8
PID 3168 wrote to memory of 4396	3168	file.exe	$77b04949
PID 3168 wrote to memory of 4396	3168	file.exe	$77b04949
PID 3168 wrote to memory of 4396	3168	file.exe	$77b04949
PID 3168 wrote to memory of 4396	3168	file.exe	$77b04949
PID 3168 wrote to memory of 4396	3168	file.exe	$77b04949
PID 3168 wrote to memory of 4396	3168	file.exe	$77b04949
PID 3168 wrote to memory of 4396	3168	file.exe	$77b04949
PID 3168 wrote to memory of 4396	3168	file.exe	$77b04949
PID 3168 wrote to memory of 4396	3168	file.exe	$77b04949

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3168

C:\Users\Admin\AppData\Local\Temp\$77759ad8
"C:\Users\Admin\AppData\Local\Temp\$77759ad8"
2⤵
- Executes dropped EXE
PID:4760

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4760 -s 420
3⤵
- Program crash
PID:1176

C:\Users\Admin\AppData\Local\Temp\$77b04949
"C:\Users\Admin\AppData\Local\Temp\$77b04949"
2⤵
- Executes dropped EXE
- Adds Run key to start application
PID:4396

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4760 -ip 4760
1⤵
PID:2480

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\$77759ad8
Filesize
4.5MB

MD5
96422a2b982c99614d31dff7f2b64680

SHA1
e8f25aa518b0ef54bcdf770479ef28dd99dd8efc

SHA256
fe74f06d7437d213d96466b4475db2809c60a4e8aced9df338f4a71cf9bc7c16

SHA512
882beba69a0ab2d6f7d048ecb4666b9ba4fe3ea17387ece13fb5bd589ce0db4d7343fbce6e2d836192aed2a920aae4edd1f4b6fa090fe807d54e024dbc234de9

Download Submit
memory/3168-49-0x0000000006E70000-0x00000000070AA000-memory.dmp

Filesize
2.2MB

Download
memory/3168-8-0x0000000006E70000-0x00000000070AA000-memory.dmp

Filesize
2.2MB

Download
memory/3168-3-0x0000000007660000-0x0000000007C04000-memory.dmp

Filesize
5.6MB

Download
memory/3168-4-0x0000000007150000-0x00000000071E2000-memory.dmp

Filesize
584KB

Download
memory/3168-16-0x0000000006E70000-0x00000000070AA000-memory.dmp

Filesize
2.2MB

Download
memory/3168-18-0x0000000006E70000-0x00000000070AA000-memory.dmp

Filesize
2.2MB

Download
memory/3168-65-0x0000000006E70000-0x00000000070AA000-memory.dmp

Filesize
2.2MB

Download
memory/3168-68-0x0000000006E70000-0x00000000070AA000-memory.dmp

Filesize
2.2MB

Download
memory/3168-66-0x0000000006E70000-0x00000000070AA000-memory.dmp

Filesize
2.2MB

Download
memory/3168-62-0x0000000006E70000-0x00000000070AA000-memory.dmp

Filesize
2.2MB

Download
memory/3168-58-0x0000000006E70000-0x00000000070AA000-memory.dmp

Filesize
2.2MB

Download
memory/3168-56-0x0000000006E70000-0x00000000070AA000-memory.dmp

Filesize
2.2MB

Download
memory/3168-54-0x0000000006E70000-0x00000000070AA000-memory.dmp

Filesize
2.2MB

Download
memory/3168-50-0x0000000006E70000-0x00000000070AA000-memory.dmp

Filesize
2.2MB

Download
memory/3168-46-0x0000000006E70000-0x00000000070AA000-memory.dmp

Filesize
2.2MB

Download
memory/3168-44-0x0000000006E70000-0x00000000070AA000-memory.dmp

Filesize
2.2MB

Download
memory/3168-40-0x0000000006E70000-0x00000000070AA000-memory.dmp

Filesize
2.2MB

Download
memory/3168-38-0x0000000006E70000-0x00000000070AA000-memory.dmp

Filesize
2.2MB

Download
memory/3168-36-0x0000000006E70000-0x00000000070AA000-memory.dmp

Filesize
2.2MB

Download
memory/3168-60-0x0000000006E70000-0x00000000070AA000-memory.dmp

Filesize
2.2MB

Download
memory/3168-52-0x0000000006E70000-0x00000000070AA000-memory.dmp

Filesize
2.2MB

Download
memory/3168-0-0x0000000074A0E000-0x0000000074A0F000-memory.dmp

Filesize
4KB

Download
memory/3168-32-0x0000000006E70000-0x00000000070AA000-memory.dmp

Filesize
2.2MB

Download
memory/3168-4916-0x0000000074A00000-0x00000000751B0000-memory.dmp

Filesize
7.7MB

Download
memory/3168-42-0x0000000006E70000-0x00000000070AA000-memory.dmp

Filesize
2.2MB

Download
memory/3168-30-0x0000000006E70000-0x00000000070AA000-memory.dmp

Filesize
2.2MB

Download
memory/3168-28-0x0000000006E70000-0x00000000070AA000-memory.dmp

Filesize
2.2MB

Download
memory/3168-26-0x0000000006E70000-0x00000000070AA000-memory.dmp

Filesize
2.2MB

Download
memory/3168-24-0x0000000006E70000-0x00000000070AA000-memory.dmp

Filesize
2.2MB

Download
memory/3168-22-0x0000000006E70000-0x00000000070AA000-memory.dmp

Filesize
2.2MB

Download
memory/3168-20-0x0000000006E70000-0x00000000070AA000-memory.dmp

Filesize
2.2MB

Download
memory/3168-14-0x0000000006E70000-0x00000000070AA000-memory.dmp

Filesize
2.2MB

Download
memory/3168-12-0x0000000006E70000-0x00000000070AA000-memory.dmp

Filesize
2.2MB

Download
memory/3168-10-0x0000000006E70000-0x00000000070AA000-memory.dmp

Filesize
2.2MB

Download
memory/3168-2-0x0000000006E70000-0x00000000070B0000-memory.dmp

Filesize
2.2MB

Download
memory/3168-6-0x0000000006E70000-0x00000000070AA000-memory.dmp

Filesize
2.2MB

Download
memory/3168-5-0x0000000006E70000-0x00000000070AA000-memory.dmp

Filesize
2.2MB

Download
memory/3168-4885-0x0000000074A00000-0x00000000751B0000-memory.dmp

Filesize
7.7MB

Download
memory/3168-4886-0x00000000072F0000-0x000000000736E000-memory.dmp

Filesize
504KB

Download
memory/3168-4887-0x0000000005C90000-0x0000000005CDC000-memory.dmp

Filesize
304KB

Download
memory/3168-4888-0x0000000074A0E000-0x0000000074A0F000-memory.dmp

Filesize
4KB

Download
memory/3168-4889-0x0000000074A00000-0x00000000751B0000-memory.dmp

Filesize
7.7MB

Download
memory/3168-1-0x0000000000F20000-0x00000000013A6000-memory.dmp

Filesize
4.5MB

Download
memory/3168-4903-0x0000000007C10000-0x0000000007C64000-memory.dmp

Filesize
336KB

Download
memory/3168-34-0x0000000006E70000-0x00000000070AA000-memory.dmp

Filesize
2.2MB

Download
memory/4396-4915-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads