
SystemBC

Global rank: 60
Month rank: 41
Week rank: 35
IOCs: 846

SystemBC is a Remote Access Trojan (RAT) that conceals its communication with the Command and Control server and can drop other malware strains.

Type: RAT
First seen: 1 August, 2019
Last seen: 21 April, 2024
Also known as: Coroxy, Socks5 backconnect system

How to analyze SystemBC with ANY.RUN


IOCs

IP addresses
185.215.113.32
69.46.15.147
89.105.201.43
31.44.185.11
31.44.185.6
94.156.69.109
31.41.244.71
193.233.21.140
149.248.3.194
45.140.147.91
192.53.123.202
155.138.219.110
194.61.120.158
46.166.161.93
91.212.150.113
96.30.196.207
45.32.132.182
45.63.66.10
62.173.140.37
146.70.53.169
Domains
leadsoftware.top
wprogs.top
cp5ua.hyperhost.ua
stompantz.xyz
asdasd08.xyz
asdasd08.com
scgsdstat14tp.xyz
gmstar23.xyz
yan0212.net
yan0212.com
mail.telefoonreparatiebovenkarspel.nl
localhost.exchange
mail.zoomfilms-cz.com
r0ck3t.ru
zl0yy.ru
payload.su
sdadvert197.com
mexstat128.com
gamelom20.com
advert127ds.xyz


What is SystemBC malware

SystemBC is a Remote Access Trojan (RAT) first described by Proofpoint in 2019. Soon after it appeared on researchers' radar, it turned up in several unrelated ransomware campaigns running in parallel, a pattern typical of malware sold on underground forums. That hypothesis was quickly confirmed: researchers found an advertisement for a product called "socks5 backconnect system" whose feature list matched SystemBC almost exactly.

Purchasers would receive an archive containing the bot executable, the C2 server executable, and a basic admin panel written in PHP.

At the time, the malware's main job was to conceal communication with the Command and Control (C2) server. Once on a victim's system, the RAT opened a covert, encrypted channel to the attacker's C2 server, through which the operator could remotely control the infected machine: upload and download files, execute commands, and disable security software.

Originally, the malware connected as a SOCKS5 proxy; later iterations moved that communication to the Tor network. Later still, Tor was dropped in favour of hard-coded IPv4 addresses reached over TCP on non-standard ports.
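The "socks5 backconnect" design named above, as an added example that is not part of the original page and is not SystemBC's own code: the bot connects outbound to the operator's server (the "backconnect"), and the operator's tools then speak standard SOCKS5 (RFC 1928) over that tunnel, with the bot acting as the SOCKS5 server and opening onward connections from inside the victim's network. The code below parses and answers the two SOCKS5 messages involved. It makes no claim about SystemBC's actual wire format or encryption; the hosts and ports in the usage are invented.

```python
"""SOCKS5 (RFC 1928) negotiation as a backconnect proxy would answer it.

Added example: models the standard protocol a "socks5 backconnect system"
speaks on the bot side. It is not SystemBC's code and makes no claim about
its real wire format or encryption.
"""
from __future__ import annotations

import ipaddress
import struct

VER = 0x05
METHOD_NO_AUTH, METHOD_NONE_ACCEPTABLE = 0x00, 0xFF
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04
REP_SUCCEEDED, REP_CMD_NOT_SUPPORTED = 0x00, 0x07


def parse_greeting(data: bytes) -> list[int]:
    """Client greeting: VER | NMETHODS | METHODS[NMETHODS]. Returns the methods."""
    if len(data) < 2 or data[0] != VER:
        raise ValueError("not a SOCKS5 greeting")
    if len(data) != 2 + data[1]:
        raise ValueError("method list length mismatch")
    return list(data[2:])


def select_method(methods: list[int]) -> bytes:
    """Server method selection: VER | METHOD. No-auth if offered, else refuse."""
    chosen = METHOD_NO_AUTH if METHOD_NO_AUTH in methods else METHOD_NONE_ACCEPTABLE
    return bytes([VER, chosen])


def parse_request(data: bytes) -> tuple[int, str, int]:
    """Client request: VER | CMD | RSV | ATYP | DST.ADDR | DST.PORT -> (cmd, host, port)."""
    if len(data) < 5 or data[0] != VER or data[2] != 0x00:
        raise ValueError("not a SOCKS5 request")
    cmd, atyp, body = data[1], data[3], data[4:]
    if atyp == ATYP_IPV4 and len(body) == 4 + 2:
        host, port_raw = str(ipaddress.IPv4Address(body[:4])), body[4:]
    elif atyp == ATYP_DOMAIN and len(body) == 1 + body[0] + 2:
        host, port_raw = body[1:1 + body[0]].decode("ascii"), body[1 + body[0]:]
    elif atyp == ATYP_IPV6 and len(body) == 16 + 2:
        host, port_raw = str(ipaddress.IPv6Address(body[:16])), body[16:]
    else:
        raise ValueError(f"unsupported or malformed ATYP {atyp:#04x}")
    (port,) = struct.unpack("!H", port_raw)
    return cmd, host, port


def build_reply(rep: int, bind_host: str = "0.0.0.0", bind_port: int = 0) -> bytes:
    """Server reply: VER | REP | RSV | ATYP | BND.ADDR | BND.PORT (IPv4 bind address)."""
    return (bytes([VER, rep, 0x00, ATYP_IPV4])
            + ipaddress.IPv4Address(bind_host).packed
            + struct.pack("!H", bind_port))


def build_connect_request(host: str, port: int) -> bytes:
    """Encode the CONNECT request the operator's client sends for host:port."""
    try:
        addr = ipaddress.ip_address(host)
        atyp = ATYP_IPV4 if addr.version == 4 else ATYP_IPV6
        dst = bytes([atyp]) + addr.packed
    except ValueError:  # not an IP literal: send it as a domain name
        name = host.encode("ascii")
        dst = bytes([ATYP_DOMAIN, len(name)]) + name
    return bytes([VER, CMD_CONNECT, 0x00]) + dst + struct.pack("!H", port)


def handle_exchange(greeting: bytes, request: bytes):
    """Drive one negotiation on the proxy (bot) side.

    Returns (method_reply, target, reply); target is (host, port), or None when
    method negotiation failed. A real backconnect bot would, on REP_SUCCEEDED,
    open a TCP socket to target from the victim's network and relay bytes in
    both directions; that step is deliberately left out here.
    """
    method_reply = select_method(parse_greeting(greeting))
    if method_reply[1] == METHOD_NONE_ACCEPTABLE:
        return method_reply, None, None
    cmd, host, port = parse_request(request)
    if cmd != CMD_CONNECT:
        return method_reply, (host, port), build_reply(REP_CMD_NOT_SUPPORTED)
    return method_reply, (host, port), build_reply(REP_SUCCEEDED)


if __name__ == "__main__":
    # Constructed exchange: the operator asks the bot to reach an internal RDP host.
    greeting = bytes([VER, 1, METHOD_NO_AUTH])
    request = build_connect_request("10.0.0.5", 3389)  # host and port invented
    print(handle_exchange(greeting, request))
```

The point for defenders is in `handle_exchange`: every onward connection is made by the bot, so on the wire the victim host, not the operator, is the source of the RDP, SMB or HTTP sessions that follow, and only the single outbound tunnel to the C2 ties them together.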

Its ability to hide malicious traffic has made this RAT popular with ransomware gangs. Among other incidents, SystemBC was used in DarkSide's attack on Colonial Pipeline in the United States, and it has featured in many Ransomware-as-a-Service (RaaS) operations, including Ryuk and Egregor.

Over the lifetime of this malware, its developers have released many versions, gradually improving the RAT's capabilities and broadening its use cases. The evolution shows no sign of slowing, with new and modified builds appearing regularly.

To make life easier, researchers broadly divide versions into two categories:

Type one covers the earliest variants, mostly from 2019 and 2020, whose only capabilities are to update themselves and to relay traffic:

  • Self-update
  • Proxy traffic, acting as a SOCKS5 proxy

Type two covers the later iterations of SystemBC, of which there are many, some functionally quite different from one another. On top of the type-one capabilities, they can also:

  • Proxy traffic through the Tor network or over hard-coded IPv4 addresses and TCP ports
  • Load and execute Batch and VBS scripts
  • Execute Windows commands
  • Load a DLL payload into memory and run it

In 2022, researchers also documented a SystemBC variant written in PowerShell.

How to get more information from SystemBC malware

Track SystemBC's execution in the process graph of the ANY.RUN interactive online sandbox.

Figure 1: The process graph of SystemBC malware

In ANY.RUN, users can access detailed malware configuration data about 10 seconds after launching the sandbox, without waiting for the emulation to finish. Check this SystemBC sample for analysis.

SystemBC execution process

The execution process of SystemBC depends on the version, but it is always fairly straightforward. In general, after infection it connects to the C2 server and waits for commands; the latest versions can download files or turn the infected PC into a proxy. In the sample analyzed here, the main executable uses the Scheduled Task/Job: Scheduled Task (T1053.005) technique to run itself under a generated task name. The malware's configuration is short, holding only one or a couple of IP addresses or domains that it will try to connect to, and its network traffic is encrypted.
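A host-side check for the persistence described above, added here as an example (not ANY.RUN's code and not the malware's): it parses Windows Security event 4698 (a scheduled task was created) and flags tasks whose name looks machine-generated and whose action runs from a user-writable directory. The two events are constructed for the demo; the task name `\xhqzkvtbdw` and the AppData path are invented, and the vowel-ratio heuristic is a simplification that needs tuning against a real baseline of your own task names.

```python
"""Triage Windows Security event 4698 (a scheduled task was created).

Added example, not ANY.RUN's or the malware's code. Flags tasks whose name
looks machine-generated and whose action runs from a user-writable directory,
the T1053.005 pattern described above. Sample events are constructed; the
task name and file path in the suspicious one are invented.
"""
from __future__ import annotations

import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Directories an unprivileged user can write to; a persistent task whose
# action lives here deserves a look. Extend for your environment.
USER_WRITABLE = re.compile(
    r"\\(Users\\[^\\]+\\AppData|Users\\Public|ProgramData|Windows\\Temp)\\", re.I
)


def _local(tag: str) -> str:
    """Strip the XML namespace so tag matching does not depend on it."""
    return tag.rsplit("}", 1)[-1]


def parse_4698(event_xml: str) -> dict:
    """Return creator, task name, command and arguments from one 4698 event."""
    root = ET.fromstring(event_xml)
    fields = {el.get("Name"): (el.text or "") for el in root.iter() if _local(el.tag) == "Data"}
    # TaskContent carries the task definition as escaped XML with a UTF-16
    # declaration; drop the declaration before parsing the decoded string.
    inner = re.sub(r"^\s*<\?xml[^>]*\?>", "", fields.get("TaskContent", ""))
    command = arguments = ""
    if inner:
        for el in ET.fromstring(inner).iter():
            if _local(el.tag) == "Command":
                command = (el.text or "").strip()
            elif _local(el.tag) == "Arguments":
                arguments = (el.text or "").strip()
    return {
        "user": fields.get("SubjectUserName", ""),
        "task": fields.get("TaskName", ""),
        "command": command,
        "arguments": arguments,
    }


def looks_generated(task_name: str) -> bool:
    """Heuristic: product tasks have pronounceable names; a vowel-starved
    string, or digits mixed into a vowel-poor one, is unlikely to be one."""
    stem = task_name.rsplit("\\", 1)[-1]
    letters = [c for c in stem if c.isalpha()]
    if len(stem) < 6 or not letters:
        return False
    vowel_ratio = sum(c in "aeiouAEIOU" for c in letters) / len(letters)
    has_digits = any(c.isdigit() for c in stem)
    return vowel_ratio < 0.25 or (has_digits and vowel_ratio < 0.4)


def triage(events: list[str]) -> list[dict]:
    """Parse each event and keep those that trip at least one heuristic."""
    findings = []
    for event_xml in events:
        rec = parse_4698(event_xml)
        reasons = []
        if looks_generated(rec["task"]):
            reasons.append("generated-looking task name")
        if USER_WRITABLE.search(rec["command"]):
            reasons.append("action runs from user-writable path")
        if reasons:
            findings.append({**rec, "reasons": reasons})
    return findings


def make_event(user: str, task_name: str, command: str, arguments: str = "") -> str:
    """Build a 4698-shaped event for the demo (constructed, not a real log)."""
    task_xml = (
        '<?xml version="1.0" encoding="UTF-16"?>'
        '<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">'
        f'<Actions Context="Author"><Exec><Command>{escape(command)}</Command>'
        f'<Arguments>{escape(arguments)}</Arguments></Exec></Actions></Task>'
    )
    return (
        '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
        '<System><EventID>4698</EventID></System><EventData>'
        f'<Data Name="SubjectUserName">{escape(user)}</Data>'
        f'<Data Name="TaskName">{escape(task_name)}</Data>'
        f'<Data Name="TaskContent">{escape(task_xml)}</Data>'
        '</EventData></Event>'
    )


SAMPLE_EVENTS = [  # constructed: one stock Windows task, one invented persistence task
    make_event("SYSTEM", r"\Microsoft\Windows\Defrag\ScheduledDefrag",
               r"%windir%\system32\defrag.exe", "-c -h -o -$"),
    make_event("jdoe", r"\xhqzkvtbdw", r"C:\Users\jdoe\AppData\Roaming\xhqzkvtbdw.exe"),
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(hit["task"], "->", hit["command"], "|", "; ".join(hit["reasons"]))
```

Event 4698 is only written when the "Audit Other Object Access Events" subcategory is enabled, so confirm that policy is on before relying on this; the Task Scheduler operational log (event 106) is the fallback source of the same task names.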

Figure 2: The network stream of SystemBC malware
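A network-side check to go with the stream in Figure 2, added here as an example (not ANY.RUN's code): it matches connection and DNS records against a subset of the IP and domain indicators listed on this page, and it also flags long-lived outbound TCP sessions to non-standard ports, the pattern the later hard-coded-IPv4 variants produce. The log lines are constructed Zeek-style records cut down to a few tab-separated fields; the C2 port 4001, the internal hosts and the query names are invented, since the page lists no ports.

```python
"""Match connection and DNS records against SystemBC C2 indicators.

Added example, not ANY.RUN's code. C2_IPS and C2_DOMAINS are a subset of the
IOC list on this page; the log lines are constructed Zeek-style records cut
down to a few tab-separated fields, and the C2 port 4001 is invented (the
page lists no ports).
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field

C2_IPS = {"185.215.113.32", "45.32.132.182", "146.70.53.169"}
C2_DOMAINS = {"payload.su", "zl0yy.ru", "asdasd08.xyz"}

# Ports where long outbound sessions are unremarkable; anything else that
# stays up for minutes toward an external host gets a low-confidence flag.
COMMON_PORTS = {22, 25, 53, 80, 123, 443, 587, 993, 995}
LONG_SESSION_SECONDS = 300.0
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class Hit:
    ts: str
    src: str
    dst: str  # destination IP for conn hits, query name for DNS hits
    dport: int
    reasons: list[str] = field(default_factory=list)


def is_internal(ip: str) -> bool:
    """RFC 1918 check; done by hand because ipaddress treats TEST-NET as private too."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def matches_domain(qname: str, iocs: set[str]) -> bool:
    """Exact match or subdomain of an indicator; trailing dots and case ignored."""
    q = qname.rstrip(".").lower()
    return any(q == d or q.endswith("." + d) for d in iocs)


def scan_conn(lines: list[str]) -> list[Hit]:
    """Fields: ts src dst dport proto duration orig_bytes resp_bytes."""
    hits = []
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, dst, dport, proto, duration, _orig, _resp = line.rstrip("\n").split("\t")
        port, reasons = int(dport), []
        if dst in C2_IPS:
            reasons.append(f"destination {dst} is a listed SystemBC C2")
        elif (proto == "tcp" and port not in COMMON_PORTS
              and not is_internal(dst) and float(duration) >= LONG_SESSION_SECONDS):
            reasons.append(f"long-lived outbound TCP to non-standard port {port}")
        if reasons:
            hits.append(Hit(ts, src, dst, port, reasons))
    return hits


def scan_dns(lines: list[str]) -> list[Hit]:
    """Fields: ts src query answers (comma-separated). Catches listed domains
    and unlisted names that resolve to a listed C2 address."""
    hits = []
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, qname, answers = line.rstrip("\n").split("\t")
        resolved = {a for a in answers.split(",") if a}
        if matches_domain(qname, C2_DOMAINS):
            hits.append(Hit(ts, src, qname, 53, [f"query for listed SystemBC domain {qname}"]))
        elif resolved & C2_IPS:
            ip = sorted(resolved & C2_IPS)[0]
            hits.append(Hit(ts, src, qname, 53, [f"{qname} resolves to listed C2 {ip}"]))
    return hits


# Constructed sample records (not real captures). 198.51.100.x, 203.0.113.x and
# 192.0.2.x are documentation ranges standing in for ordinary external hosts.
CONN_LOG = """\
#ts\tsrc\tdst\tdport\tproto\tduration\torig_bytes\tresp_bytes
1713690001.12\t10.0.2.15\t198.51.100.7\t443\ttcp\t12.4\t5120\t88000
1713690012.55\t10.0.2.15\t185.215.113.32\t4001\ttcp\t1843.2\t20480\t9216
1713690030.01\t10.0.2.15\t10.0.2.1\t445\ttcp\t900.0\t4096\t4096
1713690044.77\t10.0.2.15\t203.0.113.9\t4567\ttcp\t1200.0\t2048\t2048
1713690050.10\t10.0.2.15\t192.0.2.53\t53\tudp\t0.1\t60\t120
"""
DNS_LOG = """\
#ts\tsrc\tquery\tanswers
1713690011.90\t10.0.2.15\tzl0yy.ru\t146.70.53.169
1713690020.00\t10.0.2.15\tupdate.example.net\t198.51.100.7
1713690025.00\t10.0.2.15\tcdn.example.org\t45.32.132.182
"""

if __name__ == "__main__":
    for hit in scan_conn(CONN_LOG.splitlines()) + scan_dns(DNS_LOG.splitlines()):
        print(hit.ts, hit.src, "->", f"{hit.dst}:{hit.dport}", "|", "; ".join(hit.reasons))
```

The indicator matches are high confidence; the long-session rule is a hunting lead only, and the short config the page describes is the reason it is worth having: a bot with one or two hard-coded C2 hosts will keep reconnecting to the same external address and port, which is exactly what a per-destination session count surfaces.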

Distribution of SystemBC

SystemBC was originally distributed by the RIG and Fallout exploit kits. Today it is typically dropped by other malware strains, which in turn reach machines as malicious attachments in spam email campaigns or bundled with pirated software downloads.

Here are a few malware families that were spotted spreading this RAT:

Interestingly, the relationship also runs the other way: while these programs can drop SystemBC on the machines they infect, SystemBC itself is sometimes used to deploy Cobalt Strike on compromised hosts.

Conclusion

SystemBC is an unusual piece of malware, and its use cases are almost as varied as its variants. It is frequently found in high-impact ransomware attacks, is used alongside Cobalt Strike to gain a foothold in networks, and can drop a range of post-exploitation tools.

This is one to keep an eye on. If the sheer number of SystemBC versions tells us anything, it is that the developers will keep extending its capabilities and making it more dangerous. Its links to major ransomware gangs mean we will likely see it again in sophisticated, targeted attacks.

