win.systembc

SystemBC

aka: Coroxy, DroxiDat

Actor(s): Vanilla Tempest


SystemBC is a multiplatform proxy malware family that has been active since August 2019. It creates SOCKS5 network tunnels inside the victim’s network and connects to its C2 server over a custom, RC4-encrypted protocol. It can also download and execute additional malware, with payloads either written to disk or mapped directly into memory. The SystemBC kit, comprising the C2 panel, the server component and the malware executables, is sold on underground forums.
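The two mechanisms the description above depends on, RC4 on the C2 channel and SOCKS5 for the tunnelled traffic, in working form. This is an added example, not code from Malpedia or from the SystemBC kit: the RC4 routine is textbook RC4 checked against a public known-answer vector, the SOCKS5 parser follows RFC 1928, and the key and "captured" bytes are constructed here for illustration. SystemBC's real C2 framing and key material are documented in the referenced reports and are not reproduced.

```python
"""
Added example, not code from Malpedia or the SystemBC kit.

Two building blocks for looking at proxy-bot traffic of the kind described
above: RC4 (the cipher on the C2 channel) and the SOCKS5 client-side
messages (RFC 1928) that an infected host relays once a tunnel is up.
SystemBC's real framing and key schedule are not reproduced; the key and
"captured" bytes below are constructed for illustration.
"""
import ipaddress
import struct


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4: key scheduling, then keystream XOR. One call encrypts or decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):                        # KSA
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                           # PRGA
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


SOCKS5_CMDS = {1: "CONNECT", 2: "BIND", 3: "UDP ASSOCIATE"}
SOCKS5_ATYPS = {1: "ipv4", 3: "domain", 4: "ipv6"}


def parse_socks5_greeting(buf: bytes) -> list:
    """VER NMETHODS METHODS... -> list of offered auth methods (0 = no auth)."""
    if len(buf) < 2 or buf[0] != 5 or len(buf) < 2 + buf[1]:
        raise ValueError("not a complete SOCKS5 greeting")
    return list(buf[2:2 + buf[1]])


def parse_socks5_request(buf: bytes) -> dict:
    """VER CMD RSV ATYP DST.ADDR DST.PORT -> fields plus number of bytes consumed."""
    if len(buf) < 4 or buf[0] != 5 or buf[2] != 0:
        raise ValueError("not a SOCKS5 request")
    cmd, atyp = buf[1], buf[3]
    if atyp == 1:                               # IPv4, 4 bytes
        end = 8
        host = str(ipaddress.IPv4Address(buf[4:8]))
    elif atyp == 3:                             # domain name, length-prefixed
        end = 5 + buf[4]
        host = buf[5:end].decode("ascii")
    elif atyp == 4:                             # IPv6, 16 bytes
        end = 20
        host = str(ipaddress.IPv6Address(buf[4:20]))
    else:
        raise ValueError(f"unknown ATYP {atyp}")
    if len(buf) < end + 2:
        raise ValueError("truncated SOCKS5 request")
    (port,) = struct.unpack(">H", buf[end:end + 2])
    return {"cmd": SOCKS5_CMDS.get(cmd, cmd), "atyp": SOCKS5_ATYPS[atyp],
            "host": host, "port": port, "consumed": end + 2}


# Constructed sample: a SOCKS5 CONNECT to 192.168.1.10:443 wrapped in RC4 under
# a made-up key. The key is NOT a SystemBC key; it stands in for one recovered
# from a sample's configuration.
DEMO_KEY = b"demo-rc4-key"
DEMO_REQUEST = bytes([5, 1, 0, 1, 192, 168, 1, 10]) + struct.pack(">H", 443)
DEMO_CAPTURE = rc4(DEMO_KEY, DEMO_REQUEST)


def decrypt_and_parse(key: bytes, blob: bytes) -> dict:
    """Recover the tunnelled request from an RC4-wrapped blob once the key is known."""
    return parse_socks5_request(rc4(key, blob))


if __name__ == "__main__":
    # Public RC4 known-answer check before trusting the implementation.
    assert rc4(b"Key", b"Plaintext").hex() == "bbf316e8d940af0ad3"
    print(parse_socks5_greeting(b"\x05\x02\x00\x02"))   # [0, 2]
    print(decrypt_and_parse(DEMO_KEY, DEMO_CAPTURE))     # CONNECT to 192.168.1.10:443
```

The known-answer check matters in practice: a subtly wrong swap in the KSA still produces keystream, just not the keystream a sample's C2 used, and the failure shows up only as garbage after decryption.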

References
2025-09-18 | Lumen | Black Lotus Labs
SystemBC – Bringing the Noise
Tags: SystemBC

2025-07-18 | Arctic Wolf | Arctic Wolf Labs Team
Greedy Sponge Targets Mexico with AllaKore RAT and SystemBC
Tags: AllaKore, SystemBC

2025-04-24 | Mandiant | Mandiant
M-Trends 2025 Report
Tags: Akira, Black Basta, Cobalt Strike, GootLoader, LockBit, RansomHub, SystemBC, WIREFIRE, Pink Sandstorm

2025-01-27 | The DFIR Report | MittenSec, MyDFIR, r3nzsec
Cobalt Strike and a Pair of SOCKS Lead to LockBit Ransomware
Tags: GhostSocks, LockBit, SystemBC

2024-12-04 | Rapid7 | Tyler McGraw
Black Basta Ransomware Campaign Drops Zbot, DarkGate, and Custom Malware
Tags: Black Basta, Cobalt Strike, DarkGate, SystemBC, Zloader

2024-08-26 | The DFIR Report | The DFIR Report
BlackSuit Ransomware
Tags: BlackSuit, Cobalt Strike, SystemBC

2024-08-12 | Rapid7 | Tyler McGraw
Ongoing Social Engineering Campaign Refreshes Payloads
Tags: Black Basta, Cobalt Strike, GhostSocks, Lumma Stealer, SystemBC

2024-07-29 | Mandiant | Ashley Pearson, Jake Nicastro, Joseph Pisano, Josh Murchie, Joshua Shilko, Raymond Leong
UNC4393 Goes Gently into the SILENTNIGHT
Tags: Black Basta, QakBot, sRDI, SystemBC, Zloader, UNC3973, UNC4393

2024-05-30 | Europol | Europol
Largest ever operation against botnets hits dropper malware ecosystem
Tags: BumbleBee, IcedID, SmokeLoader, SystemBC, TrickBot

2024-05-15 | Microsoft | Microsoft Threat Intelligence
Threat actors misusing Quick Assist in social engineering attacks leading to ransomware
Tags: Black Basta, Cobalt Strike, QakBot, SystemBC

2024-01-19 | Kroll | David Truman
Inside the SYSTEMBC Command-and-Control Server
Tags: SystemBC

2023-11-12 | Github (vc0RExor) | Aaron Jornet
The Swiss Knife: SystemBC | Coroxy
Tags: SystemBC

2023-10-12 | YouTube (FIRST) | Aditya K. Sood
"Compromising the Keys to the Kingdom" - Exfiltrating Data to Own and Operate the Exploited Systems
Tags: Loki RAT, SystemBC

2023-09-12 | FIRSTCON | Aditya K. Sood
Compromising the Keys to the Kingdom: Exfiltrating Data to Own and Operate the Exploited Systems (Slides)
Tags: Loki RAT, SystemBC

2023-09-12 | ANSSI | ANSSI
FIN12: A Cybercriminal Group with Multiple Ransomware
Tags: BlackCat, Cobalt Strike, Conti, Hive, MimiKatz, Nokoyawa Ransomware, PLAY, Royal Ransom, Ryuk, SystemBC

2023-08-23 | Logpoint | Anish Bogati, Nischal khadgi
Defending Against 8base: Uncovering Their Arsenal and Crafting Responses
Tags: 8Base, Phobos, SmokeLoader, SystemBC

2023-08-10 | Kaspersky | Kurt Baumgartner
Focus on DroxiDat/SystemBC
Tags: SystemBC

2023-06-28 | vmware | Bria Beathley, Dana Behling, Deborah Snyder, Fae Carlisle
8Base Ransomware: A Heavy Hitting Player
Tags: 8Base, Phobos, SmokeLoader, SystemBC

2023-06-27 | SecurityIntelligence | Charlotte Hammond, Ole Villadsen
The Trickbot/Conti Crypters: Where Are They Now?
Tags: Black Basta, Conti, Mount Locker, PhotoLoader, Royal Ransom, SystemBC, TrickBot

2023-06-22 | Reliaquest | Caroline Fenstermacher
Goot to Loot - How a Gootloader Infection Led to Credential Access
Tags: GootLoader, SystemBC

2023-05-15 | CrowdStrike | CrowdStrike
Hypervisor Jackpotting, Part 3: Lack of Antivirus Support Opens the Door to Adversary Attacks
Tags: BlackCat, SystemBC

2023-04-19 | Symantec | Threat Hunter Team
Play Ransomware Group Using New Custom Data-Gathering Tools
Tags: PLAY, SystemBC

2023-04-18 | Mandiant | Mandiant
M-Trends 2023
Tags: QUIETEXIT, AppleJeus, Black Basta, BlackCat, CaddyWiper, Cobalt Strike, Dharma, HermeticWiper, Hive, INDUSTROYER2, Ladon, LockBit, Meterpreter, PartyTicket, PlugX, QakBot, REvil, Royal Ransom, SystemBC, WhisperGate

2023-03-30 | eSentire | eSentire Threat Response Unit (TRU)
eSentire Threat Intelligence Malware Analysis: BatLoader
Tags: BATLOADER, Cobalt Strike, ISFB, SystemBC, Vidar

2023-02-14 | Cybereason | Cybereason Incident Response (IR) team
GootLoader - SEO Poisoning and Large Payloads Leading to Compromise
Tags: GootLoader, Cobalt Strike, SystemBC

2023-02-09 | cyber.wtf blog | Hendrik Eckardt
Defeating VMProtect’s Latest Tricks
Tags: SystemBC

2023-01-23 | Kroll | Elio Biasiotto, Stephen Green
Black Basta – Technical Analysis
Tags: Black Basta, Cobalt Strike, MimiKatz, QakBot, SystemBC

2023-01-16 | Intrinsec | Intrinsec
ProxyNotShell – OWASSRF – Merry Xchange
Tags: Cobalt Strike, SystemBC

2022-10-28 | velociraptor | Matt Green
Windows.Carving.SystemBC - SystemBC RAT configuration Purser for Velociraptor
Tags: SystemBC

2022-10-10 | RiskIQ | Microsoft Threat Intelligence Center (MSTIC)
DEV-0832 Leverages Commodity Tools in Opportunistic Ransomware Campaigns
Tags: BlackCat, Mount Locker, SystemBC, Zeppelin

2022-09-21 | BitSight | João Batista
SystemBC: The Multipurpose Proxy Bot Still Breathes
Tags: SystemBC

2022-09-06 | CISA | CISA, FBI, MS-ISAC, US-CERT
Alert (AA22-249A) #StopRansomware: Vice Society
Tags: Cobalt Strike, Empire Downloader, FiveHands, HelloKitty, SystemBC, Zeppelin

2022-08-30 | Cisco | Vanja Svajcer
ModernLoader delivers multiple stealers, cryptominers and RATs
Tags: Coinminer, DCRat, ModernLoader, RedLine Stealer, SapphireMiner, SystemBC

2022-06-01 | Elastic | Andrew Pease, Daniel Stepanic, Derek Ditch, Salim Bitam, Seth Goodwin
CUBA Ransomware Campaign Analysis
Tags: Cobalt Strike, Cuba, Meterpreter, MimiKatz, SystemBC

2022-05-24 | BitSight | BitSight, João Batista, Pedro Umbelino
Emotet Botnet Rises Again
Tags: Cobalt Strike, Emotet, QakBot, SystemBC

2022-05-09 | Microsoft Security | Microsoft 365 Defender Threat Intelligence Team, Microsoft Threat Intelligence Center
Ransomware-as-a-service: Understanding the cybercrime gig economy and how to protect yourself
Tags: Griffon, BazarBackdoor, BlackCat, BlackMatter, Blister, Gozi, LockBit, Pandora, Rook, SystemBC, TrickBot

2022-05-09 | Microsoft | Microsoft 365 Defender Threat Intelligence Team, Microsoft Threat Intelligence Center (MSTIC)
Ransomware-as-a-service: Understanding the cybercrime gig economy and how to protect yourself
Tags: AnchorDNS, BlackCat, BlackMatter, Conti, DarkSide, HelloKitty, Hive, LockBit, REvil, FAKEUPDATES, Griffon, ATOMSILO, BazarBackdoor, Blister, Cobalt Strike, Emotet, FiveHands, Gozi, IcedID, ISFB, JSSLoader, LockFile, Maze, NightSky, Pandora, Phobos, Phoenix Locker, PhotoLoader, QakBot, Rook, Ryuk, SystemBC, TrickBot, WastedLocker, BRONZE STARLIGHT

2022-04-12 | AhnLab | ASEC Analysis Team
SystemBC Being Used by Various Attackers
Tags: Emotet, SmokeLoader, SystemBC

2022-03-04 | Medium walmartglobaltech | Jason Reaves, Joshua Platt
SystemBC, PowerShell version
Tags: SystemBC

2022-01-19 | Mandiant | Adrian Sanchez Hernandez, Ervin James Ocampo, Paul Tarter
One Source to Rule Them All: Chasing AVADDON Ransomware
Tags: BlackMatter, Avaddon, MedusaLocker, SystemBC, ThunderX

2021-06-07 | Medium walmartglobaltech | Jason Reaves, Joshua Platt
Inside the SystemBC Malware-As-A-Service
Tags: Ryuk, SystemBC, TrickBot

2021-05-19 | Intel 471 | Intel 471
Look how many cybercriminals love Cobalt Strike
Tags: BazarBackdoor, Cobalt Strike, Hancitor, QakBot, SmokeLoader, SystemBC, TrickBot

2021-05-10 | F-Secure | Callum Roxan, Sami Ruohonen
Prelude to Ransomware: SystemBC
Tags: SystemBC

2021-04-21 | SophosLabs Uncut | Anand Aijan, Andrew Brandt, Markel Picado, Michael Wood, Sean Gallagher, Sivagnanam Gn, Suriya Natarajan
Nearly half of malware now use TLS to conceal communications
Tags: Agent Tesla, Cobalt Strike, Dridex, SystemBC

2021-04-01 | Reversing Labs | Robert Simmons
Code Reuse Across Packers and DLL Loaders
Tags: IcedID, SystemBC

2021-02-25 | FireEye | Brendan McKeague, Bryce Abdo, Van Ta
So Unchill: Melting UNC2198 ICEDID to Ransomware Operations
Tags: MOUSEISLAND, Cobalt Strike, Egregor, IcedID, Maze, SystemBC

2021-02-03 | InfoSec Handlers Diary Blog | Brad Duncan
Excel spreadsheets push SystemBC malware
Tags: Cobalt Strike, SystemBC

2020-12-16 | SophosLabs Uncut | Sean Gallagher, Sivagnanam Gn
Ransomware operators use SystemBC RAT as off-the-shelf Tor backdoor
Tags: SystemBC

2020-10-14 | Sophos | Sean Gallagher
They’re back: inside a new Ryuk ransomware attack
Tags: Cobalt Strike, Ryuk, SystemBC

2019-07-31 | Proofpoint | Dennis Schwarz, Kade Harmon, Kafeine, Proofpoint Threat Insight Team
SystemBC is like Christmas in July for SOCKS5 Malware and Exploit Kits
Tags: SystemBC
Yara Rules
[TLP:WHITE] win_systembc_auto (20251219 | Detects win.systembc.)
rule win_systembc_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-01-05"
        version = "1"
        description = "Detects win.systembc."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.systembc"
        malpedia_rule_date = "20260105"
        malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79"
        malpedia_version = "20251219"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { b000 ae 75fd 8a57fe }
            // n = 4, score = 1200
            //   b000                 | mov                 al, 0
            //   ae                   | scasb               al, byte ptr es:[edi]
            //   75fd                 | jne                 0xffffffff
            //   8a57fe               | mov                 dl, byte ptr [edi - 2]

        $sequence_1 = { 8b7d0c 8b4d10 f3a4 5e }
            // n = 4, score = 1100
            //   8b7d0c               | mov                 edi, dword ptr [ebp + 0xc]
            //   8b4d10               | mov                 ecx, dword ptr [ebp + 0x10]
            //   f3a4                 | rep movsb           byte ptr es:[edi], byte ptr [esi]
            //   5e                   | pop                 esi

        $sequence_2 = { 33c0 ab 837d0c00 7403 ff47fc }
            // n = 5, score = 1100
            //   33c0                 | xor                 eax, eax
            //   ab                   | stosd               dword ptr es:[edi], eax
            //   837d0c00             | cmp                 dword ptr [ebp + 0xc], 0
            //   7403                 | je                  5
            //   ff47fc               | inc                 dword ptr [edi - 4]

        $sequence_3 = { e8???????? 8d5804 6a18 e8???????? 83c061 aa }
            // n = 6, score = 1100
            //   e8????????           |                     
            //   8d5804               | lea                 ebx, [eax + 4]
            //   6a18                 | push                0x18
            //   e8????????           |                     
            //   83c061               | add                 eax, 0x61
            //   aa                   | stosb               byte ptr es:[edi], al

        $sequence_4 = { 57 56 ff7508 e8???????? 8bd0 }
            // n = 5, score = 1100
            //   57                   | push                edi
            //   56                   | push                esi
            //   ff7508               | push                dword ptr [ebp + 8]
            //   e8????????           |                     
            //   8bd0                 | mov                 edx, eax

        $sequence_5 = { 66837aff00 7502 eb2e 837d0cff 7518 837d1000 }
            // n = 6, score = 1100
            //   66837aff00           | cmp                 word ptr [edx - 1], 0
            //   7502                 | jne                 4
            //   eb2e                 | jmp                 0x30
            //   837d0cff             | cmp                 dword ptr [ebp + 0xc], -1
            //   7518                 | jne                 0x1a
            //   837d1000             | cmp                 dword ptr [ebp + 0x10], 0

        $sequence_6 = { c7049e00000000 b800000000 5e 5f 5b }
            // n = 5, score = 1100
            //   c7049e00000000       | mov                 dword ptr [esi + ebx*4], 0
            //   b800000000           | mov                 eax, 0
            //   5e                   | pop                 esi
            //   5f                   | pop                 edi
            //   5b                   | pop                 ebx

        $sequence_7 = { 8b4514 ab 8b4518 ab b801000000 }
            // n = 5, score = 1100
            //   8b4514               | mov                 eax, dword ptr [ebp + 0x14]
            //   ab                   | stosd               dword ptr es:[edi], eax
            //   8b4518               | mov                 eax, dword ptr [ebp + 0x18]
            //   ab                   | stosd               dword ptr es:[edi], eax
            //   b801000000           | mov                 eax, 1

        $sequence_8 = { 6a01 6a00 8b85bcfbffff 8b08 8b5118 50 }
            // n = 6, score = 1100
            //   6a01                 | push                1
            //   6a00                 | push                0
            //   8b85bcfbffff         | mov                 eax, dword ptr [ebp - 0x444]
            //   8b08                 | mov                 ecx, dword ptr [eax]
            //   8b5118               | mov                 edx, dword ptr [ecx + 0x18]
            //   50                   | push                eax

        // $sequence_9 to $sequence_15 carry REX prefixes (0x48/0x49/0x4c) and are
        // 64-bit code; they are annotated as x86-64 below.
        $sequence_9 = { c68573ffffff05 c68574ffffff01 c68575ffffff00 c68576ffffff01 48c78510ffffff01000000 }
            // n = 5, score = 200
            //   c68573ffffff05       | mov                 byte ptr [rbp - 0x8d], 5
            //   c68574ffffff01       | mov                 byte ptr [rbp - 0x8c], 1
            //   c68575ffffff00       | mov                 byte ptr [rbp - 0x8b], 0
            //   c68576ffffff01       | mov                 byte ptr [rbp - 0x8a], 1
            //   48c78510ffffff01000000     | mov    qword ptr [rbp - 0xf0], 1

        $sequence_10 = { 4883c420 66c7474e0100 c6475101 c6477b00 4883ec40 }
            // n = 5, score = 200
            //   4883c420             | add                 rsp, 0x20
            //   66c7474e0100         | mov                 word ptr [rdi + 0x4e], 1
            //   c6475101             | mov                 byte ptr [rdi + 0x51], 1
            //   c6477b00             | mov                 byte ptr [rdi + 0x7b], 0
            //   4883ec40             | sub                 rsp, 0x40

        $sequence_11 = { 0f858e010000 4883ec20 48c7c100000000 48c7c200000100 }
            // n = 4, score = 200
            //   0f858e010000         | jne                 0x194
            //   4883ec20             | sub                 rsp, 0x20
            //   48c7c100000000       | mov                 rcx, 0
            //   48c7c200000100       | mov                 rdx, 0x10000

        $sequence_12 = { 49c7c0faff0000 49c7c100000000 ff15???????? 4883c420 }
            // n = 4, score = 200
            //   49c7c0faff0000       | mov                 r8, 0xfffa
            //   49c7c100000000       | mov                 r9, 0
            //   ff15????????         |                     
            //   4883c420             | add                 rsp, 0x20

        $sequence_13 = { e8???????? 4883c420 4883ec20 488d8e88010000 488d55b0 }
            // n = 5, score = 200
            //   e8????????           |                     
            //   4883c420             | add                 rsp, 0x20
            //   4883ec20             | sub                 rsp, 0x20
            //   488d8e88010000       | lea                 rcx, [rsi + 0x188]
            //   488d55b0             | lea                 rdx, [rbp - 0x50]

        $sequence_14 = { 4c8d474e 49c7c132000000 e8???????? 4883c420 488b4598 4883c01c 4883ec20 }
            // n = 7, score = 200
            //   4c8d474e             | lea                 r8, [rdi + 0x4e]
            //   49c7c132000000       | mov                 r9, 0x32
            //   e8????????           |                     
            //   4883c420             | add                 rsp, 0x20
            //   488b4598             | mov                 rax, qword ptr [rbp - 0x68]
            //   4883c01c             | add                 rax, 0x1c
            //   4883ec20             | sub                 rsp, 0x20

        $sequence_15 = { 488b8d48f9ffff 498d1438 4c8bc0 49c7c100000000 }
            // n = 4, score = 200
            //   488b8d48f9ffff       | mov                 rcx, qword ptr [rbp - 0x6b8]
            //   498d1438             | lea                 rdx, [r8 + rdi]
            //   4c8bc0               | mov                 r8, rax
            //   49c7c100000000       | mov                 r9, 0

    condition:
        7 of them and filesize < 75776
}