
SystemBC


SystemBC is a Remote Access Trojan (RAT) that can hide its communication with the Command and Control (C2) server and drop other malware strains.

Type: RAT
First seen: 1 August, 2019
Last seen: 12 July, 2024
Also known as: Coroxy, Socks5 backconnect system


IOCs

IP addresses
45.138.48.20
78.141.245.87
5.45.127.115
162.252.175.190
194.195.121.133
5.135.247.111
199.192.29.149
192.64.119.142
104.223.88.101
5.61.33.200
46.30.42.17
77.91.77.81
109.234.39.169
185.43.220.45
2.57.149.230
188.127.224.46
4.184.236.127
5.45.73.25
5.42.65.67
199.59.243.225
Hashes
e551275aa089805c48ec1734d3d4ecd03997663e58892323bf174f0b7eb52504
0e7afdde1b155c01748b9482fe5754582ab43bc2b62dc500c2704c03eeb3d4ab
d98e812ed83dbbe1b772fd7cec1de06916ad32b8252da527ea52f6b521243200
873a028cd3d8f457b4f7b8036afbc736466eade13f229b92ae4d9c67815da376
a940860824f36cf031250e13df9844792138eb3d9fb09b7c215fa85a5b2b9368
4eceaf21c15e9755c7ea6dae9613bebe2462f4e85322a8e7d521e277e8bb1f13
ff3caf5e00ab01fae69ea84cc2e6f7ca9e4e39224201523b4a2e9b657dc11228
3f6c84150d51188f54330ce514518c879705052abad3f89325e9c279f1d9403e
eeb8217497335d34e46a7f419186c3669321bf5336697dab1432d00d137f62b1
8a5245a58822d14b6d8ae92b375d5a7bfc3d843ad223861ab0057cad05979a3c
9667c3a224a4ccbf6975b292a2fdeb3025babae035f58e468b9c9c800188969b
6cab23262c6b7e07f2f240d85e6d8fee01bd0b1feed26690c465eefb81e44556
2ba6201e973a0e7c94442619ea006e2e538a117d4c99a986e40ef7c38c296836
7fbe59195f5f6f45c8b38b12488a169fdcb3a272004dbaf44c9d92a60a3690cb
4246b1740af95e953c8010a6d99c0ab72622b892bc1dbb955eec4067d90d7763
4aec64f64812b8ed41eebe2d561d166b6dc9c16f2a856f7d10408ec83f493c06
4ba198c54eb157e1ec0b515c241d7c306d58ef915ab8b24339ace5e00b1a348a
c15abaf28e4454ae030282ae45244c273021bcb73f84c41db6d8cb654810ce2c
3b7160f364611d376b87036ee90521442e9ded0add1c219ce9456c4e504b406c
b79b20c44857f5d00ebc2e4be8226a7f23460a25eaad85023127af6a09c48980
Domains
admex1955x.xyz
data.servicestatus.one
unsubscribelist.click
cobusabobus.cam
annaweber.fun
sdkfjjkfasdjfiu435dzz.cc
nftday.art
qtrader.club
e6rldxwjc4jeb72c.onion
backconnect.org
clwtumberaero.cyou
dexblog90.club
mmasl.com
calacs-laurentides.com
mdadvertx17.xyz
adxspace147.xyz
rupertok.su
spacestat7.xyz
advertserv7.world
hcwakentent.com


What is SystemBC malware

SystemBC is a Remote Access Trojan (RAT) discovered by Proofpoint in 2019. As soon as it appeared on the radar of security researchers, they noticed it being used in several parallel ransomware campaigns, a pattern typical of malware sold on underground forums. That hypothesis was quickly confirmed: researchers found an advertisement for a product called “socks5 backconnect system” whose functionality matched SystemBC almost exactly.

Purchasers would receive an archive containing the bot executable, the C2 server executable, and a basic admin panel written in PHP.

At the time, the malware’s main function was concealing communication with the C2 server. Once the RAT reached a victim's system, it began by creating a hidden, encrypted communication channel to the attacker's C2 server. Through that channel the attacker could remotely control the infected machine and perform a variety of actions: upload and download files, execute commands, and disable security software.

Originally the malware established this connection through SOCKS5 proxies, but later iterations switched to the Tor network. Subsequently the Tor network was replaced by hard-coded IPv4 addresses reached over TCP on non-standard ports.

Its ability to hide malicious traffic has made this RAT extremely popular among ransomware gangs. Among other things, SystemBC was used in the DarkSide attack on the American Colonial Pipeline. It also featured in countless Ransomware-as-a-Service (RaaS) attacks, including those with Ryuk and Egregor.

Over the lifetime of this malware, its creators have released a multitude of versions into the wild, gradually improving the RAT’s capabilities and expanding its use cases. And the evolution of this threat shows no signs of slowing down, with new and modified versions appearing constantly.

To make life easier, researchers broadly divide versions into two categories:

Type one consists of malware that can update itself but does little more. These are the earlier variants of the program, mostly dating from 2019 and 2020. They can perform the following actions:

  • Self-update
  • Proxy traffic, typically using SOCKS5 proxies

Type two includes later iterations of SystemBC. There really are a lot of them, and some are functionally quite different from the others. On top of the capabilities of the first type, they can also:

  • Proxy traffic through the Tor network and over IPv4 TCP ports
  • Load and execute Batch and VBS scripts
  • Execute Windows commands
  • Install malware in the form of a DLL to run in memory

And in 2022, researchers also discovered a PowerShell SystemBC variant.
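Both version families above turn the infected host into a traffic proxy, originally over SOCKS5. The following is an added example (not SystemBC's code and not part of this page) of how a defender can recognise SOCKS5 handshake messages as defined in RFC 1928 in the first bytes of a captured flow and pull out where a proxied connection is headed. All flows, addresses and helper names below are constructed for illustration; the TLS and SOCKS4 payloads are included only to show that the parser rejects them.

```python
"""Recognise SOCKS5 handshake messages (RFC 1928) in captured flow payloads.

Added example for this page, not SystemBC's own code. The flows below are
constructed for illustration and the helper names are this example's own.
"""
import ipaddress
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

SOCKS_VERSION = 0x05
CMD_NAMES = {0x01: "CONNECT", 0x02: "BIND", 0x03: "UDP_ASSOCIATE"}
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04
STANDARD_SOCKS_PORT = 1080


@dataclass(frozen=True)
class Greeting:
    methods: Tuple[int, ...]  # authentication methods offered by the client


@dataclass(frozen=True)
class Request:
    command: str
    dst_host: str
    dst_port: int


def parse_greeting(buf: bytes) -> Optional[Greeting]:
    """VER | NMETHODS | METHODS...; None unless buf is a complete SOCKS5 greeting."""
    if len(buf) < 2 or buf[0] != SOCKS_VERSION:
        return None
    nmethods = buf[1]
    if nmethods == 0 or len(buf) < 2 + nmethods:
        return None
    return Greeting(tuple(buf[2:2 + nmethods]))


def parse_request(buf: bytes) -> Optional[Request]:
    """VER | CMD | RSV | ATYP | DST.ADDR | DST.PORT; None on any malformed input."""
    if len(buf) < 4 or buf[0] != SOCKS_VERSION or buf[2] != 0x00:
        return None
    command = CMD_NAMES.get(buf[1])
    if command is None:
        return None
    atyp = buf[3]
    if atyp == ATYP_IPV4:
        if len(buf) < 10:
            return None
        host, offset = str(ipaddress.IPv4Address(buf[4:8])), 8
    elif atyp == ATYP_DOMAIN:
        # One length byte, then the name, then the two-byte port.
        if len(buf) < 5 or len(buf) < 7 + buf[4]:
            return None
        length = buf[4]
        host, offset = buf[5:5 + length].decode("ascii", "replace"), 5 + length
    elif atyp == ATYP_IPV6:
        if len(buf) < 22:
            return None
        host, offset = str(ipaddress.IPv6Address(buf[4:20])), 20
    else:
        return None
    (dst_port,) = struct.unpack("!H", buf[offset:offset + 2])
    return Request(command, host, dst_port)


def find_socks5_flows(flows) -> List[Tuple[str, str, int, str]]:
    """flows: (src, dst, dst_port, first_bytes). Report flows that open with a SOCKS5 greeting."""
    findings = []
    for src, dst, port, payload in flows:
        if parse_greeting(payload) is None:
            continue
        note = "socks5 greeting"
        if port != STANDARD_SOCKS_PORT:
            note += f" on non-standard port {port}"
        findings.append((src, dst, port, note))
    return findings


# Constructed sample flows (RFC 5737 documentation addresses), not real captures.
CONSTRUCTED_FLOWS = [
    ("10.0.0.5", "192.0.2.10", 4001, b"\x05\x01\x00"),         # SOCKS5 greeting, no-auth, odd port
    ("10.0.0.5", "192.0.2.20", 1080, b"\x05\x02\x00\x02"),     # SOCKS5 greeting on the usual proxy port
    ("10.0.0.6", "192.0.2.30", 443, b"\x16\x03\x01\x00\xf4"),  # TLS ClientHello, not SOCKS
    ("10.0.0.7", "192.0.2.40", 1080, b"\x04\x01\x00\x50"),     # SOCKS4, not matched by this parser
]

if __name__ == "__main__":
    for finding in find_socks5_flows(CONSTRUCTED_FLOWS):
        print(finding)
    print(parse_request(b"\x05\x01\x00\x03\x0bexample.com\x01\xbb"))
```

Because a backconnect proxy makes the infected host the SOCKS server, the greeting may arrive from the remote side rather than be sent by the host, so run the parser over the first bytes in both directions of a flow. A SOCKS5 greeting on a port other than 1080 from a host that has no business proxying is the signal worth alerting on.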

How to get more information from SystemBC malware

Track SystemBC’s execution process in the process graph in ANY.RUN interactive online sandbox.

Figure 1: The process graph of SystemBC malware

In ANY.RUN, users can access detailed malware configuration data about 10 seconds after launching the sandbox, without waiting for the emulation to finish. Check this SystemBC sample for analysis.

SystemBC execution process

The execution process of SystemBC depends on the version, but it is always fairly straightforward. In general, after infection it connects to the C2 for further commands. The latest versions may download files or turn the infected PC into a proxy. In our case, the main executable uses the Scheduled Task/Job: Scheduled Task (T1053.005) technique to run itself under a generated task name. The malware's config is short and contains only one or a few IP addresses or domains that it will try to connect to. The malware also encrypts its traffic.

Figure 2: The network stream of SystemBC malware
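The execution process described above gives a defender two things to look for together: a scheduled task registered under a generated name, and outbound connections from the same binary to one of the few hard-coded hosts in the config, often on a non-standard port. The following is an added example (not ANY.RUN's code and not part of this page) of a small triage routine that runs those two checks over host telemetry and correlates them per image. The event records are simplified, hand-written stand-ins for Windows Security event 4698 (scheduled task created) and Sysmon event 3 (network connection), the file paths and ports are constructed, and the indicator sets are a subset of the IP addresses and domains listed in this page's IOC section.

```python
"""Triage constructed Windows telemetry for SystemBC-style behaviour.

Added example for this page, not ANY.RUN's or the malware's code. Records are
simplified stand-ins for Security 4698 and Sysmon event 3; the indicator sets
are a subset of the IOCs listed on this page.
"""
import re
from collections import defaultdict
from typing import Dict, Iterable, List

SYSTEMBC_IPS = {"45.138.48.20", "78.141.245.87", "5.45.127.115"}
SYSTEMBC_DOMAINS = {"backconnect.org", "e6rldxwjc4jeb72c.onion", "data.servicestatus.one"}
COMMON_PORTS = {53, 80, 443}  # anything else counts as non-standard for this rule
USER_WRITABLE = re.compile(r"^[A-Za-z]:\\(Users|ProgramData)\\", re.IGNORECASE)
VOWELS = set("aeiouAEIOU")


def looks_generated(task_name: str) -> bool:
    """Heuristic for a machine-generated task name: the leaf is alphanumeric,
    at least 8 characters, mixes letters and digits, and has few vowels."""
    leaf = task_name.rsplit("\\", 1)[-1]
    if not re.fullmatch(r"[A-Za-z0-9]{8,}", leaf):
        return False
    letters = [c for c in leaf if c.isalpha()]
    digits = [c for c in leaf if c.isdigit()]
    if not letters or not digits:
        return False
    return sum(c in VOWELS for c in letters) / len(letters) < 0.25


def connection_reasons(ev: dict) -> List[str]:
    """Why a network event is interesting: IOC hit, or odd port from a user-writable path."""
    reasons = []
    if ev.get("DestinationIp") in SYSTEMBC_IPS:
        reasons.append("ioc-ip")
    if (ev.get("DestinationHostname") or "").lower() in SYSTEMBC_DOMAINS:
        reasons.append("ioc-domain")
    odd_port = int(ev.get("DestinationPort", 0)) not in COMMON_PORTS
    if odd_port and USER_WRITABLE.match(ev.get("Image", "")):
        reasons.append("nonstandard-port-from-user-path")
    return reasons


def triage(events: Iterable[dict]) -> Dict[str, dict]:
    """Collect findings per image; persistence plus a network finding is rated high."""
    findings: Dict[str, set] = defaultdict(set)
    for ev in events:
        if ev.get("EventID") == 4698 and looks_generated(ev.get("TaskName", "")):
            findings[ev.get("Command", "")].add("generated-task-name")
        elif ev.get("EventID") == 3:
            for reason in connection_reasons(ev):
                findings[ev.get("Image", "")].add(reason)
    result = {}
    for image, reasons in findings.items():
        persistence = "generated-task-name" in reasons
        network_hit = any(r != "generated-task-name" for r in reasons)
        severity = "high" if (persistence and network_hit) else "medium"
        result[image] = {"reasons": sorted(reasons), "severity": severity}
    return result


# Constructed sample events; "Command" stands in for the action in 4698's TaskContent XML.
SAMPLE_EVENTS = [
    {"EventID": 4698, "TaskName": "\\zq7k3wp9n", "Command": "C:\\Users\\Public\\svchost32.exe"},
    {"EventID": 4698, "TaskName": "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag",
     "Command": "%windir%\\system32\\defrag.exe"},
    {"EventID": 3, "Image": "C:\\Users\\Public\\svchost32.exe",
     "DestinationIp": "45.138.48.20", "DestinationPort": 4001},
    {"EventID": 3, "Image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe",
     "DestinationIp": "203.0.113.10", "DestinationPort": 443},
    {"EventID": 3, "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe",
     "DestinationIp": "198.51.100.7", "DestinationHostname": "backconnect.org",
     "DestinationPort": 443},
]

if __name__ == "__main__":
    for image, verdict in triage(SAMPLE_EVENTS).items():
        print(f"{verdict['severity']:6} {image}  {', '.join(verdict['reasons'])}")
```

The name heuristic is deliberately loose and will need tuning against your own task inventory; the point of the correlation step is that a generated-name task alone is noisy, while the same binary also reaching a listed C2 host or an unusual port from a user-writable directory is much harder to explain innocently. In a real deployment the indicator sets would be refreshed from the full IOC list rather than hard-coded.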

Distribution of SystemBC

SystemBC was originally distributed using RIG and Fallout exploit kits. But now it’s typically dropped by other malware strains, which in turn make their way into machines as malicious attachments in spam email campaigns, or when users download pirated software.

Here are a few malware families that were spotted spreading this RAT:

Interestingly, while these malicious programs can drop SystemBC on the machines they infect, the relationship is sometimes inverted: SystemBC itself sometimes infects compromised machines with Cobalt Strike.

Conclusion

SystemBC is a peculiar piece of malware, and its use cases are almost as varied as its variants. It is frequently found in high-impact ransomware attacks, is used alongside Cobalt Strike to gain a foothold in networks, and can drop a range of post-exploitation tools.

This is one to keep an eye on. If the sheer number of SystemBC versions means anything, it is that the developers will keep advancing its capabilities, making it more and more dangerous. And the possible connection with hard-hitting ransomware gangs means that we will likely see it again used in sophisticated, targeted attacks.

