Black friday Up to 3 extra licenses FOR FREE + Special offer for TI LOOKUP Get it now
Webinar
February 26
Better SOC with Interactive Sandbox Practical Use Cases
Register now

SystemBC

84
Global rank
84 infographic chevron month
Month rank
73
Week rank
0
IOCs

SystemBC is a Remote Access Trojan (RAT) that can hide communication with the Command and Control server, and deposit other malware strains.

RAT
Type
Origin
1 August, 2019
First seen
7 September, 2025
Last seen
Also known as
Coroxy
Socks5 backconnect system

How to analyze SystemBC with ANY.RUN

RAT
Type
Origin
1 August, 2019
First seen
7 September, 2025
Last seen

IOCs

IP addresses
45.138.48.20
78.141.245.87
162.252.175.190
5.135.247.111
199.192.29.149
192.64.119.142
5.61.33.200
179.60.149.209
67.217.228.55
162.33.179.247
142.11.199.35
64.95.10.209
64.52.80.62
109.234.39.169
89.248.163.188
188.127.224.46
89.248.163.218
194.58.112.174
45.32.210.151
5.255.103.142
Domains
cupertujo.com
siperasul.com
mx-terrasabvia.com
flapawer.com
cleanmades.com
logisticasmata.com
mepunico.com
pachisuave.com
elitesubmissions.com
glossovers.com
manzisuape.com
chuacheneguer.com
trenipono.com
kalichepa.com
masamadreartesanal.com
tlelmeuas.com
pasaaportes-citas-srre-gob.com
metritono.com
inmobiliariaarte.com
idaculipa.com
Last Seen at

Recent blog posts

post image
Release Notes: Fresh Connectors, SDK Update,...
watchers 476
comments 0
post image
Streamline Your SOC: All-in-One Threat Detect...
watchers 1165
comments 0
post image
MSSP Growth Guide: Scaling Threat Detection f...
watchers 1123
comments 0

What is SystemBC malware

SystemBC is a Remote Access Trojan (RAT), discovered by ProofPoint in 2019. As soon as it got on the radar of security specialists, they began to notice its use in a number of parallel ransomware campaigns, which is typical for malware sold on underground forums. And the hypothesis was quickly validated: researchers found an ad promoting a malware called “socks5 backconnect system,” which matched the functionality of SystemBC almost to a tee.

Purchasers would receive an archive containing the bot executable, the C2 server executable, and a basic admin panel written in PHP.

This malware’s main function at the time was concealing the communication with the Command and Control server. Once the RAT made its way into the victim's system, it began the execution process by creating a hidden and encrypted communication channel with the attacker's C2 server. This communication channel then allowed the attacker to remotely control the infected machine and perform a variety of actions: uploading and downloading files, executing commands, and disabling security software.

Originally, the malware would establish a connection using SOCKS5 proxies, but in later iterations that was changed to the Tor network. Afterwards, attackers replaced the TOR network with hard-coded addresses over IPV4 TCP, using non-standard ports.

Its ability to hide malicious traffic has made this RAT extremely popular among ransomware gangs. Among other things, SystemBC was used in the DarkSide attack on the American Colonial Pipeline. It also featured in countless Ransomware-as-a-Service (RaaS) attacks, including those with Ryuk and Egregor.

Over the lifetime of this malware, its creators have released a multitude of versions into the wild, gradually improving the RAT’s capabilities and expanding its use cases. And the evolution of this threat shows no signs of slowing down, with new and modified versions appearing constantly.

To make life easier, researchers broadly divide versions into two categories:

Type one combines malware which is able to update itself, but nothing more. These are the earlier variants of the program, which mostly date back to 2019 and 2020. They can perform the following actions:

  • Self-update
  • Proxy traffic, typically using SOCKS5 proxies

Type two includes later iterations of SystemBC. And there really are a lot of them — some are functionally quite different from the others. On top of the capability of the first type, they can also:

  • Proxy traffic through the TOR network and IPV4 TCP ports
  • Load and execute Batch and VBS scripts
  • Execute Windows commands
  • Install malware in the form of a DLL to run in memory

And in 2022, researchers also discovered a PowerShell SystemBC variant.

How to get more information from SystemBC malware

Track SystemBC’s execution process in the process graph in ANY.RUN interactive online sandbox.

The process graph of SystemBC malware Figure 1: The process graph of SystemBC malware

In ANY.RUN, users can access detailed malware configuration data in about 10 seconds after launching the sandbox, without having to wait for the emulation to end running. Check this SystemBC sample for analysis.

SystemBC execution process

Execution process of SystemBC depends on the version of it, but always pretty straightforward. In general, after infection, it connects to C2 for further commands. Latest versions may download files or make proxies from infected PC. In our case main executable file use Scheduled Task/Job: Scheduled Task (T1053.005) technique to run itself with generated name. Config of this malware is short and only have one or a couple of IP addresses or domain to which it will try to connect. Malware also encrypts its traffic.

The network stream of SystemBC malware Figure 2: The network stream of SystemBC malware

Distribution of SystemBC

SystemBC was originally distributed using RIG and Fallout exploit kits. But now it’s typically dropped by other malware strains, which in turn make their way into machines as malicious attachments in spam email campaigns, or when users download pirated software.

Here are a few malware families that were spotted spreading this RAT:

Interestingly, while these malicious programs can drop SystemBC on machines they infect, sometimes that behavior is inverted. For example, SystemBC sometimes infects compromised machines with CobaltStrike.

Conclusion

SystemBC is a peculiar malware and its use cases are almost as varied as its variants. It is frequently found in powerful ransomware attacks, is used to gain a foothold in networks in conjunction with CobaltStrike, and can drop a range of post-exploitation tools.

This is one to keep an eye on. If the sheer number of SystemBC versions means anything, it is that the developers will keep advancing its capabilities, making it more and more dangerous. And the possible connection with hard-hitting ransomware gangs means that we will likely see it again used in sophisticated, targeted attacks.

HAVE A LOOK AT

Rootkit screenshot
Rootkit
rootkit bootkit
A rootkit is a type of malicious software designed to provide unauthorized administrative-level access to a computer or network while concealing its presence. Rootkits are tools used by cybercriminals to hide their activities, including keyloggers, spyware, and other malware, often enabling long-term system exploitation.
Read More
Interlock screenshot
Interlock
interlock
Interlock is a relatively recent entrant into the ransomware landscape. First identified in 2023, it's a multi-functional malware strain used in ransomware-as-a-service (RaaS) operations.
Read More
StrelaStealer screenshot
StrelaStealer
strela
StrelaStealer is a malware that targets email clients to steal login credentials, sending them back to the attacker’s command-and-control server. Since its emergence in 2022, it has been involved in numerous large-scale email campaigns, primarily affecting organizations in the EU and U.S. The malware’s tactics continue to evolve, with attackers frequently changing attachment file formats and updating the DLL payload to evade detection.
Read More
XRed screenshot
XRed
xred
XRed operates as a stealthy backdoor, enabling cybercriminals to gain unauthorized remote access to infected systems. XRed has gained particular notoriety for its distribution through trojanized legitimate software and hardware drivers, making it exceptionally dangerous due to its ability to masquerade as trusted applications.
Read More
Bumblebee Loader screenshot
Bumblebee Loader
bumblebee
Bumblebee is a highly adaptable malware loader, often used by threat actors linked to the Conti and TrickBot cybercrime groups. Since its discovery in 2021, Bumblebee has been leveraged in phishing campaigns and email thread hijacking, primarily to distribute payloads like Cobalt Strike and ransomware. The malware employs obfuscation techniques, such as DLL injection and virtual environment detection, to avoid detection and sandbox analysis. Its command-and-control infrastructure and anti-analysis features allow it to persist on infected devices, where it enables further payload downloads and system compromise.
Read More
BlackMoon screenshot
BlackMoon
blackmoon
BlackMoon also known as KrBanker is a trojan aimed at stealing payment credentials. It specializes in man-in-the-browser (MitB) attacks, web injection, and credential theft to compromise users' online banking accounts. It was first noticed in early 2014 attacking banks in South Korea and has impressively evolved since by adding a number of new infiltration techniques and information stealing methods.
Read More