SYMBOLCOMMON_NAMEaka. SYNONYMS
win.systembc (Back to overview)

SystemBC

SystemBC is a proxy malware leveraging SOCKS5. Based on screenshots used in ads on a underground marketplace, Proofpoint decided to call it SystemBC.

SystemBC has been observed occasionally, but more pronounced since June 2019. First samples goes back to October 2018.

References
2021-02-25FireEyeBryce Abdo, Brendan McKeague, Van Ta
@online{abdo:20210225:so:88f3400, author = {Bryce Abdo and Brendan McKeague and Van Ta}, title = {{So Unchill: Melting UNC2198 ICEDID to Ransomware Operations}}, date = {2021-02-25}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2021/02/melting-unc2198-icedid-to-ransomware-operations.html}, language = {English}, urldate = {2021-03-02} } So Unchill: Melting UNC2198 ICEDID to Ransomware Operations
Cobalt Strike Egregor IcedID Maze SystemBC
2021-02-03InfoSec Handlers Diary BlogBrad Duncan
@online{duncan:20210203:excel:8e949c9, author = {Brad Duncan}, title = {{Excel spreadsheets push SystemBC malware}}, date = {2021-02-03}, organization = {InfoSec Handlers Diary Blog}, url = {https://isc.sans.edu/forums/diary/Excel+spreadsheets+push+SystemBC+malware/27060/}, language = {English}, urldate = {2021-02-04} } Excel spreadsheets push SystemBC malware
Cobalt Strike SystemBC
2020-12-16SophosLabs UncutSean Gallagher, Sivagnanam Gn
@online{gallagher:20201216:ransomware:0b0fdf2, author = {Sean Gallagher and Sivagnanam Gn}, title = {{Ransomware operators use SystemBC RAT as off-the-shelf Tor backdoor}}, date = {2020-12-16}, organization = {SophosLabs Uncut}, url = {https://news.sophos.com/en-us/2020/12/16/systembc/}, language = {English}, urldate = {2020-12-17} } Ransomware operators use SystemBC RAT as off-the-shelf Tor backdoor
SystemBC
2020-10-14SophosSean Gallagher
@online{gallagher:20201014:theyre:99f5d1e, author = {Sean Gallagher}, title = {{They’re back: inside a new Ryuk ransomware attack}}, date = {2020-10-14}, organization = {Sophos}, url = {https://news.sophos.com/en-us/2020/10/14/inside-a-new-ryuk-ransomware-attack/}, language = {English}, urldate = {2020-10-16} } They’re back: inside a new Ryuk ransomware attack
Cobalt Strike Ryuk SystemBC
2019-07-31ProofpointKade Harmon, Kafeine, Dennis Schwarz, Proofpoint Threat Insight Team
@online{harmon:20190731:systembc:d98f03c, author = {Kade Harmon and Kafeine and Dennis Schwarz and Proofpoint Threat Insight Team}, title = {{SystemBC is like Christmas in July for SOCKS5 Malware and Exploit Kits}}, date = {2019-07-31}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/systembc-christmas-july-socks5-malware-and-exploit-kits}, language = {English}, urldate = {2019-12-20} } SystemBC is like Christmas in July for SOCKS5 Malware and Exploit Kits
SystemBC
Yara Rules
[TLP:WHITE] win_systembc_auto (20201023 | autogenerated rule brought to you by yara-signator)
rule win_systembc_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-12-22"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.systembc"
        malpedia_rule_date = "20201222"
        malpedia_hash = "30354d830a29f0fbd3714d93d94dea941d77a130"
        malpedia_version = "20201023"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 7408 03bd1cf4ffff ebc1 2bbd20f4ffff }
            // n = 4, score = 800
            //   7408                 | je                  0xa
            //   03bd1cf4ffff         | add                 edi, dword ptr [ebp - 0xbe4]
            //   ebc1                 | jmp                 0xffffffc3
            //   2bbd20f4ffff         | sub                 edi, dword ptr [ebp - 0xbe0]

        $sequence_1 = { eb08 8b543078 8b4c307c 8955ec }
            // n = 4, score = 800
            //   eb08                 | jmp                 0xa
            //   8b543078             | mov                 edx, dword ptr [eax + esi + 0x78]
            //   8b4c307c             | mov                 ecx, dword ptr [eax + esi + 0x7c]
            //   8955ec               | mov                 dword ptr [ebp - 0x14], edx

        $sequence_2 = { 64a130000000 8b400c 8b700c 8b5810 8b36 8b7e30 33c9 }
            // n = 7, score = 800
            //   64a130000000         | mov                 eax, dword ptr fs:[0x30]
            //   8b400c               | mov                 eax, dword ptr [eax + 0xc]
            //   8b700c               | mov                 esi, dword ptr [eax + 0xc]
            //   8b5810               | mov                 ebx, dword ptr [eax + 0x10]
            //   8b36                 | mov                 esi, dword ptr [esi]
            //   8b7e30               | mov                 edi, dword ptr [esi + 0x30]
            //   33c9                 | xor                 ecx, ecx

        $sequence_3 = { 50 6805000020 ffb530f4ffff 68???????? e8???????? }
            // n = 5, score = 800
            //   50                   | push                eax
            //   6805000020           | push                0x20000005
            //   ffb530f4ffff         | push                dword ptr [ebp - 0xbd0]
            //   68????????           |                     
            //   e8????????           |                     

        $sequence_4 = { 8bcf 8dbd68feffff f3a4 c647ff00 8d8568feffff 50 e8???????? }
            // n = 7, score = 800
            //   8bcf                 | mov                 ecx, edi
            //   8dbd68feffff         | lea                 edi, [ebp - 0x198]
            //   f3a4                 | rep movsb           byte ptr es:[edi], byte ptr [esi]
            //   c647ff00             | mov                 byte ptr [edi - 1], 0
            //   8d8568feffff         | lea                 eax, [ebp - 0x198]
            //   50                   | push                eax
            //   e8????????           |                     

        $sequence_5 = { 68???????? 50 e8???????? ffd0 6a00 }
            // n = 5, score = 800
            //   68????????           |                     
            //   50                   | push                eax
            //   e8????????           |                     
            //   ffd0                 | call                eax
            //   6a00                 | push                0

        $sequence_6 = { e8???????? ffd0 6a00 6a00 6a00 6a00 ffb530f4ffff }
            // n = 7, score = 800
            //   e8????????           |                     
            //   ffd0                 | call                eax
            //   6a00                 | push                0
            //   6a00                 | push                0
            //   6a00                 | push                0
            //   6a00                 | push                0
            //   ffb530f4ffff         | push                dword ptr [ebp - 0xbd0]

        $sequence_7 = { 50 ffd2 8b85bcfbffff 8b08 8b5108 50 ffd2 }
            // n = 7, score = 800
            //   50                   | push                eax
            //   ffd2                 | call                edx
            //   8b85bcfbffff         | mov                 eax, dword ptr [ebp - 0x444]
            //   8b08                 | mov                 ecx, dword ptr [eax]
            //   8b5108               | mov                 edx, dword ptr [ecx + 8]
            //   50                   | push                eax
            //   ffd2                 | call                edx

        $sequence_8 = { 55 8bec 53 57 56 ff7508 }
            // n = 6, score = 800
            //   55                   | push                ebp
            //   8bec                 | mov                 ebp, esp
            //   53                   | push                ebx
            //   57                   | push                edi
            //   56                   | push                esi
            //   ff7508               | push                dword ptr [ebp + 8]

        $sequence_9 = { 8b45f8 8b08 8b9180000000 50 }
            // n = 4, score = 800
            //   8b45f8               | mov                 eax, dword ptr [ebp - 8]
            //   8b08                 | mov                 ecx, dword ptr [eax]
            //   8b9180000000         | mov                 edx, dword ptr [ecx + 0x80]
            //   50                   | push                eax

    condition:
        7 of them and filesize < 57344
}
Download all Yara Rules