SYMBOLCOMMON_NAMEaka. SYNONYMS
win.systembc (Back to overview)

SystemBC

aka: Coroxy, DroxiDat

Actor(s): Vanilla Tempest

VTCollection    

SystemBC is a multiplatform proxy malware active since August 2019. It creates SOCKS5 network tunnels in the victim’s network and connects to its C2 server using a custom, RC4-encrypted protocol. It can also download and execute additional malware, with payloads either written to disk or mapped into memory. The SystemBC kit, including the C2 panel, server, and malware executables, is sold in underground forums.

References
2025-04-24MandiantMandiant
M-Trends 2025 Report
Akira Black Basta LockBit SystemBC GootLoader LockBit WIREFIRE Akira Black Basta Cobalt Strike LockBit RansomHub SystemBC Pink Sandstorm
2025-01-27The DFIR ReportMittenSec, MyDFIR, r3nzsec
Cobalt Strike and a Pair of SOCKS Lead to LockBit Ransomware
GhostSocks LockBit SystemBC
2024-12-04Rapid7Tyler McGraw
Black Basta Ransomware Campaign Drops Zbot, DarkGate, and Custom Malware
Black Basta Cobalt Strike DarkGate SystemBC Zloader
2024-08-26The DFIR ReportThe DFIR Report
BlackSuit Ransomware
BlackSuit Cobalt Strike SystemBC
2024-08-12Rapid7Tyler McGraw
Ongoing Social Engineering Campaign Refreshes Payloads
Black Basta Cobalt Strike GhostSocks Lumma Stealer SystemBC
2024-07-29MandiantAshley Pearson, Jake Nicastro, Joseph Pisano, Josh Murchie, Joshua Shilko, Raymond Leong
UNC4393 Goes Gently into the SILENTNIGHT
Black Basta QakBot sRDI SystemBC Zloader UNC3973 UNC4393
2024-05-30EuropolEuropol
Largest ever operation against botnets hits dropper malware ecosystem
BumbleBee IcedID SmokeLoader SystemBC TrickBot
2024-05-15MicrosoftMicrosoft Threat Intelligence
Threat actors misusing Quick Assist in social engineering attacks leading to ransomware
Black Basta Cobalt Strike QakBot SystemBC
2024-01-19KrollDavid Truman
Inside the SYSTEMBC Command-and-Control Server
SystemBC
2023-11-12Github (vc0RExor)Aaron Jornet
The Swiss Knife: SystemBC | Coroxy
SystemBC
2023-10-12YouTube (FIRST)Aditya K. Sood
"Compromising the Keys to the Kingdom" - Exfiltrating Data to Own and Operate the Exploited Systems
Loki RAT SystemBC
2023-09-12FIRSTCONAditya K. Sood
Compromising the Keys to the Kingdom: Exfiltrating Data to Own and Operate the Exploited Systems (Slides)
Loki RAT SystemBC
2023-09-12ANSSIANSSI
FIN12: A Cybercriminal Group with Multiple Ransomware
BlackCat Cobalt Strike Conti Hive MimiKatz Nokoyawa Ransomware PLAY Royal Ransom Ryuk SystemBC
2023-08-23LogpointAnish Bogati, Nischal khadgi
Defending Against 8base: Uncovering Their Arsenal and Crafting Responses
8Base Phobos SmokeLoader SystemBC
2023-08-10KasperskyKurt Baumgartner
Focus on DroxiDat/SystemBC
SystemBC
2023-06-28vmwareBria Beathley, Dana Behling, Deborah Snyder, Fae Carlisle
8Base Ransomware: A Heavy Hitting Player
8Base Phobos SmokeLoader SystemBC
2023-06-27SecurityIntelligenceCharlotte Hammond, Ole Villadsen
The Trickbot/Conti Crypters: Where Are They Now?
Black Basta Conti Mount Locker PhotoLoader Royal Ransom SystemBC TrickBot
2023-06-22ReliaquestCaroline Fenstermacher
Goot to Loot - How a Gootloader Infection Led to Credential Access
GootLoader SystemBC
2023-05-15CrowdStrikeCrowdStrike
Hypervisor Jackpotting, Part 3: Lack of Antivirus Support Opens the Door to Adversary Attacks
BlackCat SystemBC
2023-04-19SymantecThreat Hunter Team
Play Ransomware Group Using New Custom Data-Gathering Tools
PLAY SystemBC
2023-04-18MandiantMandiant
M-Trends 2023
QUIETEXIT AppleJeus Black Basta BlackCat CaddyWiper Cobalt Strike Dharma HermeticWiper Hive INDUSTROYER2 Ladon LockBit Meterpreter PartyTicket PlugX QakBot REvil Royal Ransom SystemBC WhisperGate
2023-03-30eSentireeSentire Threat Response Unit (TRU)
eSentire Threat Intelligence Malware Analysis: BatLoader
BATLOADER Cobalt Strike ISFB SystemBC Vidar
2023-02-14CybereasonCybereason Incident Response (IR) team
GootLoader - SEO Poisoning and Large Payloads Leading to Compromise
GootLoader Cobalt Strike SystemBC
2023-02-09cyber.wtf blogHendrik Eckardt
Defeating VMProtect’s Latest Tricks
SystemBC
2023-01-23KrollElio Biasiotto, Stephen Green
Black Basta – Technical Analysis
Black Basta Cobalt Strike MimiKatz QakBot SystemBC
2023-01-16IntrinsecIntrinsec
ProxyNotShell – OWASSRF – Merry Xchange
Cobalt Strike SystemBC
2022-10-28velociraptorMatt Green
Windows.Carving.SystemBC - SystemBC RAT configuration Purser for Velociraptor
SystemBC
2022-10-10RiskIQMicrosoft Threat Intelligence Center (MSTIC)
DEV-0832 Leverages Commodity Tools in Opportunistic Ransomware Campaigns
BlackCat Mount Locker SystemBC Zeppelin
2022-09-21BitSightJoão Batista
SystemBC: The Multipurpose Proxy Bot Still Breathes
SystemBC
2022-09-06CISACISA, FBI, MS-ISAC, US-CERT
Alert (AA22-249A) #StopRansomware: Vice Society
Cobalt Strike Empire Downloader FiveHands HelloKitty SystemBC Zeppelin
2022-08-30CiscoVanja Svajcer
ModernLoader delivers multiple stealers, cryptominers and RATs
Coinminer DCRat ModernLoader RedLine Stealer SapphireMiner SystemBC
2022-06-01ElasticAndrew Pease, Daniel Stepanic, Derek Ditch, Salim Bitam, Seth Goodwin
CUBA Ransomware Campaign Analysis
Cobalt Strike Cuba Meterpreter MimiKatz SystemBC
2022-05-24BitSightBitSight, João Batista, Pedro Umbelino
Emotet Botnet Rises Again
Cobalt Strike Emotet QakBot SystemBC
2022-05-09MicrosoftMicrosoft 365 Defender Threat Intelligence Team, Microsoft Threat Intelligence Center (MSTIC)
Ransomware-as-a-service: Understanding the cybercrime gig economy and how to protect yourself
AnchorDNS BlackCat BlackMatter Conti DarkSide HelloKitty Hive LockBit REvil FAKEUPDATES Griffon ATOMSILO BazarBackdoor BlackCat BlackMatter Blister Cobalt Strike Conti DarkSide Emotet FiveHands Gozi HelloKitty Hive IcedID ISFB JSSLoader LockBit LockFile Maze NightSky Pandora Phobos Phoenix Locker PhotoLoader QakBot REvil Rook Ryuk SystemBC TrickBot WastedLocker BRONZE STARLIGHT
2022-05-09Microsoft SecurityMicrosoft 365 Defender Threat Intelligence Team, Microsoft Threat Intelligence Center
Ransomware-as-a-service: Understanding the cybercrime gig economy and how to protect yourself
Griffon BazarBackdoor BlackCat BlackMatter Blister Gozi LockBit Pandora Rook SystemBC TrickBot
2022-04-12AhnLabASEC Analysis Team
SystemBC Being Used by Various Attackers
Emotet SmokeLoader SystemBC
2022-03-04Medium walmartglobaltechJason Reaves, Joshua Platt
SystemBC, PowerShell version
SystemBC
2022-01-19MandiantAdrian Sanchez Hernandez, Ervin James Ocampo, Paul Tarter
One Source to Rule Them All: Chasing AVADDON Ransomware
BlackMatter Avaddon BlackMatter MedusaLocker SystemBC ThunderX
2021-06-07Medium walmartglobaltechJason Reaves, Joshua Platt
Inside the SystemBC Malware-As-A-Service
Ryuk SystemBC TrickBot
2021-05-19Intel 471Intel 471
Look how many cybercriminals love Cobalt Strike
BazarBackdoor Cobalt Strike Hancitor QakBot SmokeLoader SystemBC TrickBot
2021-05-10F-SecureCallum Roxan, Sami Ruohonen
Prelude to Ransomware: SystemBC
SystemBC
2021-04-21SophosLabs UncutAnand Aijan, Andrew Brandt, Markel Picado, Michael Wood, Sean Gallagher, Sivagnanam Gn, Suriya Natarajan
Nearly half of malware now use TLS to conceal communications
Agent Tesla Cobalt Strike Dridex SystemBC
2021-04-01Reversing LabsRobert Simmons
Code Reuse Across Packers and DLL Loaders
IcedID SystemBC
2021-02-25FireEyeBrendan McKeague, Bryce Abdo, Van Ta
So Unchill: Melting UNC2198 ICEDID to Ransomware Operations
MOUSEISLAND Cobalt Strike Egregor IcedID Maze SystemBC
2021-02-03InfoSec Handlers Diary BlogBrad Duncan
Excel spreadsheets push SystemBC malware
Cobalt Strike SystemBC
2020-12-16SophosLabs UncutSean Gallagher, Sivagnanam Gn
Ransomware operators use SystemBC RAT as off-the-shelf Tor backdoor
SystemBC
2020-10-14SophosSean Gallagher
They’re back: inside a new Ryuk ransomware attack
Cobalt Strike Ryuk SystemBC
2019-07-31ProofpointDennis Schwarz, Kade Harmon, Kafeine, Proofpoint Threat Insight Team
SystemBC is like Christmas in July for SOCKS5 Malware and Exploit Kits
SystemBC
Yara Rules
[TLP:WHITE] win_systembc_auto (20241030 | Detects win.systembc.)
rule win_systembc_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2024-10-31"
        version = "1"
        description = "Detects win.systembc."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.systembc"
        malpedia_rule_date = "20241030"
        malpedia_hash = "26e26953c49c8efafbf72a38076855d578e0a2e4"
        malpedia_version = "20241030"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 8bec 53 57 56 8b7d10 }
            // n = 5, score = 1100
            //   8bec                 | mov                 ebp, esp
            //   53                   | push                ebx
            //   57                   | push                edi
            //   56                   | push                esi
            //   8b7d10               | mov                 edi, dword ptr [ebp + 0x10]

        $sequence_1 = { 7507 66837fff00 740d 837d1000 7409 66837aff00 7502 }
            // n = 7, score = 1100
            //   7507                 | jne                 9
            //   66837fff00           | cmp                 word ptr [edi - 1], 0
            //   740d                 | je                  0xf
            //   837d1000             | cmp                 dword ptr [ebp + 0x10], 0
            //   7409                 | je                  0xb
            //   66837aff00           | cmp                 word ptr [edx - 1], 0
            //   7502                 | jne                 4

        $sequence_2 = { 8b4d0c 837d0c00 750b ff7508 e8???????? }
            // n = 5, score = 1100
            //   8b4d0c               | mov                 ecx, dword ptr [ebp + 0xc]
            //   837d0c00             | cmp                 dword ptr [ebp + 0xc], 0
            //   750b                 | jne                 0xd
            //   ff7508               | push                dword ptr [ebp + 8]
            //   e8????????           |                     

        $sequence_3 = { 837d0cfe 751c 837d1000 7507 66837fff00 }
            // n = 5, score = 1100
            //   837d0cfe             | cmp                 dword ptr [ebp + 0xc], -2
            //   751c                 | jne                 0x1e
            //   837d1000             | cmp                 dword ptr [ebp + 0x10], 0
            //   7507                 | jne                 9
            //   66837fff00           | cmp                 word ptr [edi - 1], 0

        $sequence_4 = { 50 8b45f8 8b08 50 8b4178 }
            // n = 5, score = 1100
            //   50                   | push                eax
            //   8b45f8               | mov                 eax, dword ptr [ebp - 8]
            //   8b08                 | mov                 ecx, dword ptr [eax]
            //   50                   | push                eax
            //   8b4178               | mov                 eax, dword ptr [ecx + 0x78]

        $sequence_5 = { 6a00 8d85fcfbffff 50 8b45f8 8b08 }
            // n = 5, score = 1100
            //   6a00                 | push                0
            //   8d85fcfbffff         | lea                 eax, [ebp - 0x404]
            //   50                   | push                eax
            //   8b45f8               | mov                 eax, dword ptr [ebp - 8]
            //   8b08                 | mov                 ecx, dword ptr [eax]

        $sequence_6 = { 740d 837d1000 7409 66837aff00 7502 eb2e }
            // n = 6, score = 1100
            //   740d                 | je                  0xf
            //   837d1000             | cmp                 dword ptr [ebp + 0x10], 0
            //   7409                 | je                  0xb
            //   66837aff00           | cmp                 word ptr [edx - 1], 0
            //   7502                 | jne                 4
            //   eb2e                 | jmp                 0x30

        $sequence_7 = { 837d0cfe 751c 837d1000 7507 66837fff00 740d 837d1000 }
            // n = 7, score = 1100
            //   837d0cfe             | cmp                 dword ptr [ebp + 0xc], -2
            //   751c                 | jne                 0x1e
            //   837d1000             | cmp                 dword ptr [ebp + 0x10], 0
            //   7507                 | jne                 9
            //   66837fff00           | cmp                 word ptr [edi - 1], 0
            //   740d                 | je                  0xf
            //   837d1000             | cmp                 dword ptr [ebp + 0x10], 0

        $sequence_8 = { c9 c21400 55 8bec 53 57 56 }
            // n = 7, score = 1100
            //   c9                   | leave               
            //   c21400               | ret                 0x14
            //   55                   | push                ebp
            //   8bec                 | mov                 ebp, esp
            //   53                   | push                ebx
            //   57                   | push                edi
            //   56                   | push                esi

        $sequence_9 = { 8b450c ab 8b4514 ab }
            // n = 4, score = 1100
            //   8b450c               | mov                 eax, dword ptr [ebp + 0xc]
            //   ab                   | stosd               dword ptr es:[edi], eax
            //   8b4514               | mov                 eax, dword ptr [ebp + 0x14]
            //   ab                   | stosd               dword ptr es:[edi], eax

    condition:
        7 of them and filesize < 75776
}
Download all Yara Rules