SYMBOLCOMMON_NAMEaka. SYNONYMS
win.systembc (Back to overview)

SystemBC

aka: Coroxy, DroxiDat
VTCollection    

SystemBC is a proxy malware leveraging SOCKS5. Based on screenshots used in ads on a underground marketplace, Proofpoint decided to call it SystemBC.

SystemBC has been observed occasionally, but more pronounced since June 2019. First samples goes back to October 2018.

References
2024-01-19KrollDavid Truman
Inside the SYSTEMBC Command-and-Control Server
SystemBC
2023-11-12Github (vc0RExor)Aaron Jornet
The Swiss Knife: SystemBC | Coroxy
SystemBC
2023-09-12ANSSIANSSI
FIN12: A Cybercriminal Group with Multiple Ransomware
BlackCat Cobalt Strike Conti Hive MimiKatz Nokoyawa Ransomware PLAY Royal Ransom Ryuk SystemBC
2023-08-23LogpointAnish Bogati, Nischal khadgi
Defending Against 8base: Uncovering Their Arsenal and Crafting Responses
8Base Phobos SmokeLoader SystemBC
2023-08-10KasperskyKurt Baumgartner
Focus on DroxiDat/SystemBC
SystemBC
2023-06-28vmwareBria Beathley, Dana Behling, Deborah Snyder, Fae Carlisle
8Base Ransomware: A Heavy Hitting Player
8Base Phobos SmokeLoader SystemBC
2023-06-27SecurityIntelligenceCharlotte Hammond, Ole Villadsen
The Trickbot/Conti Crypters: Where Are They Now?
Black Basta Conti Mount Locker PhotoLoader Royal Ransom SystemBC TrickBot
2023-06-22ReliaquestCaroline Fenstermacher
Goot to Loot - How a Gootloader Infection Led to Credential Access
GootLoader SystemBC
2023-05-15CrowdStrikeCrowdStrike
Hypervisor Jackpotting, Part 3: Lack of Antivirus Support Opens the Door to Adversary Attacks
BlackCat SystemBC
2023-04-19SymantecThreat Hunter Team
Play Ransomware Group Using New Custom Data-Gathering Tools
PLAY SystemBC
2023-04-18MandiantMandiant
M-Trends 2023
QUIETEXIT AppleJeus Black Basta BlackCat CaddyWiper Cobalt Strike Dharma HermeticWiper Hive INDUSTROYER2 Ladon LockBit Meterpreter PartyTicket PlugX QakBot REvil Royal Ransom SystemBC WhisperGate
2023-03-30eSentireeSentire Threat Response Unit (TRU)
eSentire Threat Intelligence Malware Analysis: BatLoader
BATLOADER Cobalt Strike ISFB SystemBC Vidar
2023-02-14CybereasonCybereason Incident Response (IR) team
GootLoader - SEO Poisoning and Large Payloads Leading to Compromise
GootLoader Cobalt Strike SystemBC
2023-02-09cyber.wtf blogHendrik Eckardt
Defeating VMProtect’s Latest Tricks
SystemBC
2023-01-23KrollElio Biasiotto, Stephen Green
Black Basta – Technical Analysis
Black Basta Cobalt Strike MimiKatz QakBot SystemBC
2023-01-16IntrinsecIntrinsec
ProxyNotShell – OWASSRF – Merry Xchange
Cobalt Strike SystemBC
2022-10-28velociraptorMatt Green
Windows.Carving.SystemBC - SystemBC RAT configuration Purser for Velociraptor
SystemBC
2022-10-10RiskIQMicrosoft Threat Intelligence Center (MSTIC)
DEV-0832 Leverages Commodity Tools in Opportunistic Ransomware Campaigns
BlackCat Mount Locker SystemBC Zeppelin
2022-09-21BitSightJoão Batista
SystemBC: The Multipurpose Proxy Bot Still Breathes
SystemBC
2022-09-06CISACISA, FBI, MS-ISAC, US-CERT
Alert (AA22-249A) #StopRansomware: Vice Society
Cobalt Strike Empire Downloader FiveHands HelloKitty SystemBC Zeppelin
2022-08-30CiscoVanja Svajcer
ModernLoader delivers multiple stealers, cryptominers and RATs
Coinminer DCRat ModernLoader RedLine Stealer SapphireMiner SystemBC
2022-06-01ElasticAndrew Pease, Daniel Stepanic, Derek Ditch, Salim Bitam, Seth Goodwin
CUBA Ransomware Campaign Analysis
Cobalt Strike Cuba Meterpreter MimiKatz SystemBC
2022-05-24BitSightBitSight, João Batista, Pedro Umbelino
Emotet Botnet Rises Again
Cobalt Strike Emotet QakBot SystemBC
2022-05-09Microsoft SecurityMicrosoft 365 Defender Threat Intelligence Team, Microsoft Threat Intelligence Center
Ransomware-as-a-service: Understanding the cybercrime gig economy and how to protect yourself
Griffon BazarBackdoor BlackCat BlackMatter Blister Gozi LockBit Pandora Rook SystemBC TrickBot
2022-05-09MicrosoftMicrosoft 365 Defender Threat Intelligence Team, Microsoft Threat Intelligence Center (MSTIC)
Ransomware-as-a-service: Understanding the cybercrime gig economy and how to protect yourself
AnchorDNS BlackCat BlackMatter Conti DarkSide HelloKitty Hive LockBit REvil FAKEUPDATES Griffon ATOMSILO BazarBackdoor BlackCat BlackMatter Blister Cobalt Strike Conti DarkSide Emotet FiveHands Gozi HelloKitty Hive IcedID ISFB JSSLoader LockBit LockFile Maze NightSky Pandora Phobos Phoenix Locker PhotoLoader QakBot REvil Rook Ryuk SystemBC TrickBot WastedLocker BRONZE STARLIGHT
2022-04-12AhnLabASEC Analysis Team
SystemBC Being Used by Various Attackers
Emotet SmokeLoader SystemBC
2022-03-04Medium walmartglobaltechJason Reaves, Joshua Platt
SystemBC, PowerShell version
SystemBC
2022-01-19MandiantAdrian Sanchez Hernandez, Ervin James Ocampo, Paul Tarter
One Source to Rule Them All: Chasing AVADDON Ransomware
BlackMatter Avaddon BlackMatter MedusaLocker SystemBC ThunderX
2021-06-07Medium walmartglobaltechJason Reaves, Joshua Platt
Inside the SystemBC Malware-As-A-Service
Ryuk SystemBC TrickBot
2021-05-19Intel 471Intel 471
Look how many cybercriminals love Cobalt Strike
BazarBackdoor Cobalt Strike Hancitor QakBot SmokeLoader SystemBC TrickBot
2021-05-10F-SecureCallum Roxan, Sami Ruohonen
Prelude to Ransomware: SystemBC
SystemBC
2021-04-21SophosLabs UncutAnand Aijan, Andrew Brandt, Markel Picado, Michael Wood, Sean Gallagher, Sivagnanam Gn, Suriya Natarajan
Nearly half of malware now use TLS to conceal communications
Agent Tesla Cobalt Strike Dridex SystemBC
2021-04-01Reversing LabsRobert Simmons
Code Reuse Across Packers and DLL Loaders
IcedID SystemBC
2021-02-25FireEyeBrendan McKeague, Bryce Abdo, Van Ta
So Unchill: Melting UNC2198 ICEDID to Ransomware Operations
MOUSEISLAND Cobalt Strike Egregor IcedID Maze SystemBC
2021-02-03InfoSec Handlers Diary BlogBrad Duncan
Excel spreadsheets push SystemBC malware
Cobalt Strike SystemBC
2020-12-16SophosLabs UncutSean Gallagher, Sivagnanam Gn
Ransomware operators use SystemBC RAT as off-the-shelf Tor backdoor
SystemBC
2020-10-14SophosSean Gallagher
They’re back: inside a new Ryuk ransomware attack
Cobalt Strike Ryuk SystemBC
2019-07-31ProofpointDennis Schwarz, Kade Harmon, Kafeine, Proofpoint Threat Insight Team
SystemBC is like Christmas in July for SOCKS5 Malware and Exploit Kits
SystemBC
Yara Rules
[TLP:WHITE] win_systembc_auto (20230808 | Detects win.systembc.)
rule win_systembc_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-12-06"
        version = "1"
        description = "Detects win.systembc."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.systembc"
        malpedia_rule_date = "20231130"
        malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351"
        malpedia_version = "20230808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 8b8e88010000 8b968c010000 8bb690010000 8945e4 895df4 }
            // n = 5, score = 800
            //   8b8e88010000         | mov                 ecx, dword ptr [esi + 0x188]
            //   8b968c010000         | mov                 edx, dword ptr [esi + 0x18c]
            //   8bb690010000         | mov                 esi, dword ptr [esi + 0x190]
            //   8945e4               | mov                 dword ptr [ebp - 0x1c], eax
            //   895df4               | mov                 dword ptr [ebp - 0xc], ebx

        $sequence_1 = { 52 6a00 6a00 6a00 ffb568f9ffff }
            // n = 5, score = 800
            //   52                   | push                edx
            //   6a00                 | push                0
            //   6a00                 | push                0
            //   6a00                 | push                0
            //   ffb568f9ffff         | push                dword ptr [ebp - 0x698]

        $sequence_2 = { 668b9554f9ffff 6a00 6a00 6a03 6a00 6a00 }
            // n = 6, score = 800
            //   668b9554f9ffff       | mov                 dx, word ptr [ebp - 0x6ac]
            //   6a00                 | push                0
            //   6a00                 | push                0
            //   6a03                 | push                3
            //   6a00                 | push                0
            //   6a00                 | push                0

        $sequence_3 = { 898568f9ffff c7856cf9ffff00040000 8d853cf9ffff 50 6a00 6a00 }
            // n = 6, score = 800
            //   898568f9ffff         | mov                 dword ptr [ebp - 0x698], eax
            //   c7856cf9ffff00040000     | mov    dword ptr [ebp - 0x694], 0x400
            //   8d853cf9ffff         | lea                 eax, [ebp - 0x6c4]
            //   50                   | push                eax
            //   6a00                 | push                0
            //   6a00                 | push                0

        $sequence_4 = { 81c200008000 81c200100000 81c200200000 6a00 52 }
            // n = 5, score = 800
            //   81c200008000         | add                 edx, 0x800000
            //   81c200100000         | add                 edx, 0x1000
            //   81c200200000         | add                 edx, 0x2000
            //   6a00                 | push                0
            //   52                   | push                edx

        $sequence_5 = { 8d851cf4ffff 50 6800010000 57 ffb530f4ffff }
            // n = 5, score = 800
            //   8d851cf4ffff         | lea                 eax, [ebp - 0xbe4]
            //   50                   | push                eax
            //   6800010000           | push                0x100
            //   57                   | push                edi
            //   ffb530f4ffff         | push                dword ptr [ebp - 0xbd0]

        $sequence_6 = { 50 e8???????? ffd0 8b85f4feffff }
            // n = 4, score = 800
            //   50                   | push                eax
            //   e8????????           |                     
            //   ffd0                 | call                eax
            //   8b85f4feffff         | mov                 eax, dword ptr [ebp - 0x10c]

        $sequence_7 = { 43 3b5dfc 7296 33c0 5e 5f }
            // n = 6, score = 800
            //   43                   | inc                 ebx
            //   3b5dfc               | cmp                 ebx, dword ptr [ebp - 4]
            //   7296                 | jb                  0xffffff98
            //   33c0                 | xor                 eax, eax
            //   5e                   | pop                 esi
            //   5f                   | pop                 edi

        $sequence_8 = { 668b9554f9ffff 6a00 6a00 6a03 6a00 }
            // n = 5, score = 800
            //   668b9554f9ffff       | mov                 dx, word ptr [ebp - 0x6ac]
            //   6a00                 | push                0
            //   6a00                 | push                0
            //   6a03                 | push                3
            //   6a00                 | push                0

        $sequence_9 = { 57 56 8b7d10 33c0 }
            // n = 4, score = 800
            //   57                   | push                edi
            //   56                   | push                esi
            //   8b7d10               | mov                 edi, dword ptr [ebp + 0x10]
            //   33c0                 | xor                 eax, eax

    condition:
        7 of them and filesize < 57344
}
Download all Yara Rules