SystemBC


SystemBC is a Remote Access Trojan (RAT) that can hide communication with the Command and Control server, and deposit other malware strains.

Type: RAT
First seen: 1 August, 2019
Last seen: 22 September, 2023
Also known as: Coroxy, Socks5 backconnect system

How to analyze SystemBC with ANY.RUN




What is SystemBC malware

SystemBC is a Remote Access Trojan (RAT), discovered by Proofpoint in 2019. As soon as it got on the radar of security specialists, they began to notice its use in a number of parallel ransomware campaigns, which is typical for malware sold on underground forums. The hypothesis was quickly validated: researchers found an ad promoting a malware called “socks5 backconnect system,” whose advertised functionality matched SystemBC almost to a tee.

Purchasers would receive an archive containing the bot executable, the C2 server executable, and a basic admin panel written in PHP.

This malware’s main function at the time was concealing the communication with the Command and Control server. Once the RAT made its way into the victim's system, it began the execution process by creating a hidden and encrypted communication channel with the attacker's C2 server. This communication channel then allowed the attacker to remotely control the infected machine and perform a variety of actions: uploading and downloading files, executing commands, and disabling security software.

Originally, the malware would establish a connection using SOCKS5 proxies, but in later iterations that was changed to the Tor network. Afterwards, attackers replaced the Tor network with hard-coded addresses over IPv4 TCP, using non-standard ports.

Its ability to hide malicious traffic has made this RAT extremely popular among ransomware gangs. Among other things, SystemBC was used in the DarkSide attack on the American Colonial Pipeline. It also featured in countless Ransomware-as-a-Service (RaaS) attacks, including those with Ryuk and Egregor.

Over the lifetime of this malware, its creators have released a multitude of versions into the wild, gradually improving the RAT’s capabilities and expanding its use cases. And the evolution of this threat shows no signs of slowing down, with new and modified versions appearing constantly.

To make life easier, researchers broadly divide versions into two categories:

Type one combines malware which is able to update itself, but nothing more. These are the earlier variants of the program, which mostly date back to 2019 and 2020. They can perform the following actions:

  • Self-update
  • Proxy traffic, typically using SOCKS5 proxies

Type two includes later iterations of SystemBC. And there really are a lot of them — some are functionally quite different from the others. On top of the capability of the first type, they can also:

  • Proxy traffic through the Tor network and IPv4 TCP ports
  • Load and execute Batch and VBS scripts
  • Execute Windows commands
  • Install malware in the form of a DLL to run in memory

And in 2022, researchers also discovered a PowerShell SystemBC variant.

How to get more information from SystemBC malware

Track SystemBC’s execution process in the process graph in ANY.RUN interactive online sandbox.

Figure 1: The process graph of SystemBC malware

In ANY.RUN, users can access detailed malware configuration data about 10 seconds after launching the sandbox, without having to wait for the emulation to finish. Check this SystemBC sample for analysis.

SystemBC execution process

The execution process of SystemBC depends on the version, but it is always fairly straightforward. In general, after infection the malware connects to the C2 server for further commands. The latest versions may download files or turn the infected PC into a proxy. In our case, the main executable uses the Scheduled Task/Job: Scheduled Task (T1053.005) technique to run itself under a generated task name. The malware's configuration is short and contains only one or a couple of IP addresses or domains to which it will try to connect. The malware also encrypts its traffic.

Figure 2: The network stream of SystemBC malware
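The two behaviours described above (persistence through a scheduled task with a generated name, and a beacon to a hard-coded address on a non-standard TCP port) can be correlated in endpoint telemetry. The following is an added hunting example, not ANY.RUN's code: it runs over constructed records shaped like Windows Security event 4698 (task created) and Sysmon event 3 (network connection); the paths, task names, IPs and port are invented sample data, and the entropy and port thresholds are assumptions to tune per environment.

```python
import math
import re
from collections import Counter

# Constructed sample telemetry (not real events): one benign and one
# suspicious task-creation record (4698 shape), two connections (Sysmon 3 shape).
EVENTS = [
    {"id": 4698, "task": "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag",
     "image": r"C:\Windows\System32\defrag.exe"},
    {"id": 4698, "task": "\\xk7qz3wd9pl",
     "image": r"C:\Users\alice\AppData\Local\Temp\xk7qz3wd9pl.exe"},
    {"id": 3, "image": r"C:\Users\alice\AppData\Local\Temp\xk7qz3wd9pl.exe",
     "dst_ip": "198.51.100.23", "dst_port": 4001},
    {"id": 3, "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "dst_ip": "203.0.113.8", "dst_port": 443},
]

# Assumed allow-list of ports that ordinary software commonly uses.
COMMON_PORTS = {53, 80, 443, 8080, 8443}
# Directories an unprivileged user can write to (assumed list).
USER_WRITABLE = re.compile(r"\\(AppData|Temp|ProgramData|Users\\Public)\\", re.I)


def looks_generated(task_name: str) -> bool:
    """Heuristic for machine-generated task names: high character entropy
    and almost no vowels, unlike readable names such as 'ScheduledDefrag'."""
    leaf = task_name.rsplit("\\", 1)[-1].lower()
    if not leaf:
        return False
    counts = Counter(leaf)
    entropy = -sum(c / len(leaf) * math.log2(c / len(leaf)) for c in counts.values())
    vowel_ratio = sum(ch in "aeiou" for ch in leaf) / len(leaf)
    return entropy > 3.0 and vowel_ratio < 0.2


def find_systembc_like(events):
    """Return (image, task, remote) tuples where a generated-name scheduled task
    launches a binary from a user-writable path and that same binary later
    connects to a non-standard TCP port."""
    suspicious_tasks = {e["image"]: e["task"] for e in events
                        if e["id"] == 4698 and looks_generated(e["task"])
                        and USER_WRITABLE.search(e["image"])}
    hits = []
    for e in events:
        if (e["id"] == 3 and e["image"] in suspicious_tasks
                and e["dst_port"] not in COMMON_PORTS):
            hits.append((e["image"], suspicious_tasks[e["image"]],
                         f'{e["dst_ip"]}:{e["dst_port"]}'))
    return hits
```

On the sample data only the Temp-resident binary is reported, because the task name entropy, the user-writable path and the port 4001 beacon all line up for it.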

Distribution of SystemBC

SystemBC was originally distributed using RIG and Fallout exploit kits. But now it’s typically dropped by other malware strains, which in turn make their way into machines as malicious attachments in spam email campaigns, or when users download pirated software.

Here are a few malware families that were spotted spreading this RAT:

Interestingly, while these malicious programs can drop SystemBC on machines they infect, sometimes that behavior is inverted. For example, SystemBC sometimes infects compromised machines with CobaltStrike.

Conclusion

SystemBC is a peculiar malware and its use cases are almost as varied as its variants. It is frequently found in powerful ransomware attacks, is used to gain a foothold in networks in conjunction with CobaltStrike, and can drop a range of post-exploitation tools.

This is one to keep an eye on. If the sheer number of SystemBC versions means anything, it is that the developers will keep advancing its capabilities, making it more and more dangerous. And the possible connection with hard-hitting ransomware gangs means that we will likely see it again used in sophisticated, targeted attacks.
