SystemBC (Malware Family)

SYMBOL	COMMON_NAME	aka. SYNONYMS

win.systembc (Back to overview)

SystemBC

aka: Coroxy, DroxiDat

VTCollection

SystemBC is a proxy malware leveraging SOCKS5. Based on screenshots used in ads on a underground marketplace, Proofpoint decided to call it SystemBC.

SystemBC has been observed occasionally, but more pronounced since June 2019. First samples goes back to October 2018.

References

2024-08-26 ⋅ The DFIR Report ⋅ The DFIR Report
BlackSuit Ransomware
BlackSuit Cobalt Strike SystemBC

2024-07-29 ⋅ Mandiant ⋅ Ashley Pearson, Jake Nicastro, Joseph Pisano, Josh Murchie, Joshua Shilko, Raymond Leong
UNC4393 Goes Gently into the SILENTNIGHT
Black Basta QakBot sRDI SystemBC Zloader UNC4393

2024-05-30 ⋅ Europol ⋅ Europol
Largest ever operation against botnets hits dropper malware ecosystem
BumbleBee IcedID SmokeLoader SystemBC TrickBot

2024-01-19 ⋅ Kroll ⋅ David Truman
Inside the SYSTEMBC Command-and-Control Server
SystemBC

2023-11-12 ⋅ Github (vc0RExor) ⋅ Aaron Jornet
The Swiss Knife: SystemBC | Coroxy
SystemBC

2023-09-12 ⋅ ⋅ ANSSI ⋅ ANSSI
FIN12: A Cybercriminal Group with Multiple Ransomware
BlackCat Cobalt Strike Conti Hive MimiKatz Nokoyawa Ransomware PLAY Royal Ransom Ryuk SystemBC

2023-08-23 ⋅ Logpoint ⋅ Anish Bogati, Nischal khadgi
Defending Against 8base: Uncovering Their Arsenal and Crafting Responses
8Base Phobos SmokeLoader SystemBC

2023-08-10 ⋅ Kaspersky ⋅ Kurt Baumgartner
Focus on DroxiDat/SystemBC
SystemBC

2023-06-28 ⋅ vmware ⋅ Bria Beathley, Dana Behling, Deborah Snyder, Fae Carlisle
8Base Ransomware: A Heavy Hitting Player
8Base Phobos SmokeLoader SystemBC

2023-06-27 ⋅ SecurityIntelligence ⋅ Charlotte Hammond, Ole Villadsen
The Trickbot/Conti Crypters: Where Are They Now?
Black Basta Conti Mount Locker PhotoLoader Royal Ransom SystemBC TrickBot

2023-06-22 ⋅ Reliaquest ⋅ Caroline Fenstermacher
Goot to Loot - How a Gootloader Infection Led to Credential Access
GootLoader SystemBC

2023-05-15 ⋅ CrowdStrike ⋅ CrowdStrike
Hypervisor Jackpotting, Part 3: Lack of Antivirus Support Opens the Door to Adversary Attacks
BlackCat SystemBC

2023-04-19 ⋅ Symantec ⋅ Threat Hunter Team
Play Ransomware Group Using New Custom Data-Gathering Tools
PLAY SystemBC

2023-04-18 ⋅ Mandiant ⋅ Mandiant
M-Trends 2023
QUIETEXIT AppleJeus Black Basta BlackCat CaddyWiper Cobalt Strike Dharma HermeticWiper Hive INDUSTROYER2 Ladon LockBit Meterpreter PartyTicket PlugX QakBot REvil Royal Ransom SystemBC WhisperGate

2023-03-30 ⋅ eSentire ⋅ eSentire Threat Response Unit (TRU)
eSentire Threat Intelligence Malware Analysis: BatLoader
BATLOADER Cobalt Strike ISFB SystemBC Vidar

2023-02-14 ⋅ Cybereason ⋅ Cybereason Incident Response (IR) team
GootLoader - SEO Poisoning and Large Payloads Leading to Compromise
GootLoader Cobalt Strike SystemBC

2023-02-09 ⋅ cyber.wtf blog ⋅ Hendrik Eckardt
Defeating VMProtect’s Latest Tricks
SystemBC

2023-01-23 ⋅ Kroll ⋅ Elio Biasiotto, Stephen Green
Black Basta – Technical Analysis
Black Basta Cobalt Strike MimiKatz QakBot SystemBC

2023-01-16 ⋅ Intrinsec ⋅ Intrinsec
ProxyNotShell – OWASSRF – Merry Xchange
Cobalt Strike SystemBC

2022-10-28 ⋅ velociraptor ⋅ Matt Green
Windows.Carving.SystemBC - SystemBC RAT configuration Purser for Velociraptor
SystemBC

2022-10-10 ⋅ RiskIQ ⋅ Microsoft Threat Intelligence Center (MSTIC)
DEV-0832 Leverages Commodity Tools in Opportunistic Ransomware Campaigns
BlackCat Mount Locker SystemBC Zeppelin

2022-09-21 ⋅ BitSight ⋅ João Batista
SystemBC: The Multipurpose Proxy Bot Still Breathes
SystemBC

2022-09-06 ⋅ CISA ⋅ CISA, FBI, MS-ISAC, US-CERT
Alert (AA22-249A) #StopRansomware: Vice Society
Cobalt Strike Empire Downloader FiveHands HelloKitty SystemBC Zeppelin

2022-08-30 ⋅ Cisco ⋅ Vanja Svajcer
ModernLoader delivers multiple stealers, cryptominers and RATs
Coinminer DCRat ModernLoader RedLine Stealer SapphireMiner SystemBC

2022-06-01 ⋅ Elastic ⋅ Andrew Pease, Daniel Stepanic, Derek Ditch, Salim Bitam, Seth Goodwin
CUBA Ransomware Campaign Analysis
Cobalt Strike Cuba Meterpreter MimiKatz SystemBC

2022-05-24 ⋅ BitSight ⋅ BitSight, João Batista, Pedro Umbelino
Emotet Botnet Rises Again
Cobalt Strike Emotet QakBot SystemBC

2022-05-09 ⋅ Microsoft Security ⋅ Microsoft 365 Defender Threat Intelligence Team, Microsoft Threat Intelligence Center
Ransomware-as-a-service: Understanding the cybercrime gig economy and how to protect yourself
Griffon BazarBackdoor BlackCat BlackMatter Blister Gozi LockBit Pandora Rook SystemBC TrickBot

2022-05-09 ⋅ Microsoft ⋅ Microsoft 365 Defender Threat Intelligence Team, Microsoft Threat Intelligence Center (MSTIC)
Ransomware-as-a-service: Understanding the cybercrime gig economy and how to protect yourself
AnchorDNS BlackCat BlackMatter Conti DarkSide HelloKitty Hive LockBit REvil FAKEUPDATES Griffon ATOMSILO BazarBackdoor BlackCat BlackMatter Blister Cobalt Strike Conti DarkSide Emotet FiveHands Gozi HelloKitty Hive IcedID ISFB JSSLoader LockBit LockFile Maze NightSky Pandora Phobos Phoenix Locker PhotoLoader QakBot REvil Rook Ryuk SystemBC TrickBot WastedLocker BRONZE STARLIGHT

2022-04-12 ⋅ AhnLab ⋅ ASEC Analysis Team
SystemBC Being Used by Various Attackers
Emotet SmokeLoader SystemBC

2022-03-04 ⋅ Medium walmartglobaltech ⋅ Jason Reaves, Joshua Platt
SystemBC, PowerShell version
SystemBC

2022-01-19 ⋅ Mandiant ⋅ Adrian Sanchez Hernandez, Ervin James Ocampo, Paul Tarter
One Source to Rule Them All: Chasing AVADDON Ransomware
BlackMatter Avaddon BlackMatter MedusaLocker SystemBC ThunderX

2021-06-07 ⋅ Medium walmartglobaltech ⋅ Jason Reaves, Joshua Platt
Inside the SystemBC Malware-As-A-Service
Ryuk SystemBC TrickBot

2021-05-19 ⋅ Intel 471 ⋅ Intel 471
Look how many cybercriminals love Cobalt Strike
BazarBackdoor Cobalt Strike Hancitor QakBot SmokeLoader SystemBC TrickBot

2021-05-10 ⋅ F-Secure ⋅ Callum Roxan, Sami Ruohonen
Prelude to Ransomware: SystemBC
SystemBC

2021-04-21 ⋅ SophosLabs Uncut ⋅ Anand Aijan, Andrew Brandt, Markel Picado, Michael Wood, Sean Gallagher, Sivagnanam Gn, Suriya Natarajan
Nearly half of malware now use TLS to conceal communications
Agent Tesla Cobalt Strike Dridex SystemBC

2021-04-01 ⋅ Reversing Labs ⋅ Robert Simmons
Code Reuse Across Packers and DLL Loaders
IcedID SystemBC

2021-02-25 ⋅ FireEye ⋅ Brendan McKeague, Bryce Abdo, Van Ta
So Unchill: Melting UNC2198 ICEDID to Ransomware Operations
MOUSEISLAND Cobalt Strike Egregor IcedID Maze SystemBC

2021-02-03 ⋅ InfoSec Handlers Diary Blog ⋅ Brad Duncan
Excel spreadsheets push SystemBC malware
Cobalt Strike SystemBC

2020-12-16 ⋅ SophosLabs Uncut ⋅ Sean Gallagher, Sivagnanam Gn
Ransomware operators use SystemBC RAT as off-the-shelf Tor backdoor
SystemBC

2020-10-14 ⋅ Sophos ⋅ Sean Gallagher
They’re back: inside a new Ryuk ransomware attack
Cobalt Strike Ryuk SystemBC

2019-07-31 ⋅ Proofpoint ⋅ Dennis Schwarz, Kade Harmon, Kafeine, Proofpoint Threat Insight Team
SystemBC is like Christmas in July for SOCKS5 Malware and Exploit Kits
SystemBC

Yara Rules

[TLP:WHITE] win_systembc_auto (20241030 | Detects win.systembc.)

rule win_systembc_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2024-10-31"
        version = "1"
        description = "Detects win.systembc."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.systembc"
        malpedia_rule_date = "20241030"
        malpedia_hash = "26e26953c49c8efafbf72a38076855d578e0a2e4"
        malpedia_version = "20241030"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 8bec 53 57 56 8b7d10 }
            // n = 5, score = 1100
            //   8bec                 | mov                 ebp, esp
            //   53                   | push                ebx
            //   57                   | push                edi
            //   56                   | push                esi
            //   8b7d10               | mov                 edi, dword ptr [ebp + 0x10]

        $sequence_1 = { 7507 66837fff00 740d 837d1000 7409 66837aff00 7502 }
            // n = 7, score = 1100
            //   7507                 | jne                 9
            //   66837fff00           | cmp                 word ptr [edi - 1], 0
            //   740d                 | je                  0xf
            //   837d1000             | cmp                 dword ptr [ebp + 0x10], 0
            //   7409                 | je                  0xb
            //   66837aff00           | cmp                 word ptr [edx - 1], 0
            //   7502                 | jne                 4

        $sequence_2 = { 8b4d0c 837d0c00 750b ff7508 e8???????? }
            // n = 5, score = 1100
            //   8b4d0c               | mov                 ecx, dword ptr [ebp + 0xc]
            //   837d0c00             | cmp                 dword ptr [ebp + 0xc], 0
            //   750b                 | jne                 0xd
            //   ff7508               | push                dword ptr [ebp + 8]
            //   e8????????           |                     

        $sequence_3 = { 837d0cfe 751c 837d1000 7507 66837fff00 }
            // n = 5, score = 1100
            //   837d0cfe             | cmp                 dword ptr [ebp + 0xc], -2
            //   751c                 | jne                 0x1e
            //   837d1000             | cmp                 dword ptr [ebp + 0x10], 0
            //   7507                 | jne                 9
            //   66837fff00           | cmp                 word ptr [edi - 1], 0

        $sequence_4 = { 50 8b45f8 8b08 50 8b4178 }
            // n = 5, score = 1100
            //   50                   | push                eax
            //   8b45f8               | mov                 eax, dword ptr [ebp - 8]
            //   8b08                 | mov                 ecx, dword ptr [eax]
            //   50                   | push                eax
            //   8b4178               | mov                 eax, dword ptr [ecx + 0x78]

        $sequence_5 = { 6a00 8d85fcfbffff 50 8b45f8 8b08 }
            // n = 5, score = 1100
            //   6a00                 | push                0
            //   8d85fcfbffff         | lea                 eax, [ebp - 0x404]
            //   50                   | push                eax
            //   8b45f8               | mov                 eax, dword ptr [ebp - 8]
            //   8b08                 | mov                 ecx, dword ptr [eax]

        $sequence_6 = { 740d 837d1000 7409 66837aff00 7502 eb2e }
            // n = 6, score = 1100
            //   740d                 | je                  0xf
            //   837d1000             | cmp                 dword ptr [ebp + 0x10], 0
            //   7409                 | je                  0xb
            //   66837aff00           | cmp                 word ptr [edx - 1], 0
            //   7502                 | jne                 4
            //   eb2e                 | jmp                 0x30

        $sequence_7 = { 837d0cfe 751c 837d1000 7507 66837fff00 740d 837d1000 }
            // n = 7, score = 1100
            //   837d0cfe             | cmp                 dword ptr [ebp + 0xc], -2
            //   751c                 | jne                 0x1e
            //   837d1000             | cmp                 dword ptr [ebp + 0x10], 0
            //   7507                 | jne                 9
            //   66837fff00           | cmp                 word ptr [edi - 1], 0
            //   740d                 | je                  0xf
            //   837d1000             | cmp                 dword ptr [ebp + 0x10], 0

        $sequence_8 = { c9 c21400 55 8bec 53 57 56 }
            // n = 7, score = 1100
            //   c9                   | leave               
            //   c21400               | ret                 0x14
            //   55                   | push                ebp
            //   8bec                 | mov                 ebp, esp
            //   53                   | push                ebx
            //   57                   | push                edi
            //   56                   | push                esi

        $sequence_9 = { 8b450c ab 8b4514 ab }
            // n = 4, score = 1100
            //   8b450c               | mov                 eax, dword ptr [ebp + 0xc]
            //   ab                   | stosd               dword ptr es:[edi], eax
            //   8b4514               | mov                 eax, dword ptr [ebp + 0x14]
            //   ab                   | stosd               dword ptr es:[edi], eax

    condition:
        7 of them and filesize < 75776
}

Download all Yara Rules

SystemBC Propose Change

References

Yara Rules

SystemBC