{
	"id": "8e6e6c5a-ab01-4481-b1b4-15646ce68145",
	"created_at": "2026-04-06T00:17:30.977318Z",
	"updated_at": "2026-04-10T13:11:18.341286Z",
	"deleted_at": null,
	"sha1_hash": "2219dd8d9bfba038503bcbc3b0b45511f8ab4230",
	"title": "Inside the SystemBC Malware-As-A-Service",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 942296,
	"plain_text": "Inside the SystemBC Malware-As-A-Service\r\nPublished: 2021-06-07 · Archived: 2026-04-05 22:06:08 UTC\r\nBy: Joshua Platt and Jason Reaves\r\nSystemBC has historically been a proxy bot, and it has been for sale since at least April 2019[1].\r\nhttps://medium.com/walmartglobaltech/inside-the-systembc-malware-as-a-service-9aa03afd09c6\r\nPage 1 of 8\r\nFrom: https://www.proofpoint.com/us/threat-insight/post/systembc-christmas-july-socks5-malware-and-exploit-kits\r\nSystemBC has also been leveraged by the TrickBot crew, specifically the high-profile Ryuk subgroup involved in extortion and ransomware activities[2,3]:\r\n2020-02-25:\r\nRyuk Sample MD5: 6a3b792208bd433a2ceff4f8321561a0\r\nCert: [Digital Leadership Solutions Limited]\r\n2020-03-03:\r\nCrypter as Emotet \u0026 TrickBot w/ Political/CoronaVirus Word Gen Meta\r\nMD5: dceece60dcee5fd4d47755d6b3a85a75\r\nPrivate Crypter - TrickBot Group\r\nCert: [Digital Leadership Solutions Limited]\r\nC2: 149.248.34[.]200\r\nThe malware itself is simple but effective, and since its first release it has evolved from a pure proxy bot into a combined backdoor and proxy bot. 
Customers now access a payment system over TOR (socks5v7v2snlwr7[.]onion) that presents a screen for ordering builds. The number of builds you can buy, and the price, has changed over time; the current options are packages of 10 or 100 rebuilds.\r\nAfter selecting a package you are shown a screen with a timer and a wallet address to send the payment to.\r\nAfter building, you receive a compressed archive containing your bot, server and PHP component:\r\nName\r\n------------------------\r\ninstall.txt\r\ndll\r\nwww\r\nwww/systembc\r\nwww/systembc/geoip\r\nserver.exe\r\nserver.out\r\nsocks.exe\r\ndll/socks32.dll\r\ndll/socks64.dll\r\nwww/systembc/index.html\r\nwww/systembc/password.php\r\nwww/systembc/geoip/geoip2.phar\r\nwww/systembc/geoip/GeoLite2-City.mmdb\r\n------------------------\r\nThe server that actors buy the package from contains the builder together with a database of build IDs tied to each actor's purchases and builds. The stubs needed for building are also present on it. This method of building is also commonly used by crypters: a stub is an already compiled executable designed to have certain pieces of it overwritten, located either by tag-based identifiers or by fixed offsets in the binary. 
In this case the builder overwrites the needed configuration data in the stub files by finding the ‘BEGINDATA’ marker, then packages them all up into a compressed archive for delivery to the buyer. For the bot, the data written after the marker is:\r\nBEGINDATA\r\nHOST1:192.168.1.149\r\nHOST2:192.168.1.149\r\nPORT1:4001\r\nTOR:\r\nThe server stub only needs the ports it should listen on, one for the PHP panel and one for the incoming bots:\r\nPORT0:4000\r\nPORT1:4001\r\nHiding behind TOR is becoming an increasingly common tactic for cybercrime actors, but it does not make them impossible to find; in this case the server behind the TOR hidden service is 107.175.150[.]179. From there we can recover most of the information needed for tracking the actor selling the malware and their customers, including the stub files used for building:\r\nsocks-null.exe\r\nserver-null.out\r\nalong with the database of customers and their builds, which makes finding the actors and their panels relatively easy. Applying the current pricing structure to the database, we estimate that the actor has made over 100k USD from selling malware builds via this server, counting only the builds currently listed in the database. We also discovered that some of the actor's clients are high-profile criminals in the cybercrime domain.\r\nHistorically, proxy bots such as SystemBC have not been tracked as closely as other malware, as they were not thought to be leveraged in large-scale attacks, but we discovered that some of the clients' panels contained a significant number of bots. 
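Returning to the builder: the tag-based stub patching described above (find the BEGINDATA marker, overwrite the bytes after it with KEY:VALUE lines) is simple enough to model, and the same model gives the analyst-side extractor that recovers a config from a built sample. The block below is an added example written for this page; it is not SystemBC's builder and not the authors' tooling. The marker and the key names (HOST1, HOST2, PORT1, TOR, PORT0) come from the article; the fixed-size, NUL-padded layout of the config area, the make_stub() stand-in for socks-null.exe / server-null.out, and the sample values are assumptions.

```python
# Added example for this page: a minimal model of tag-based stub patching as
# described for the SystemBC builder, plus the matching analyst-side config
# extractor. Not SystemBC's own code. Assumptions: the config area after the
# marker is a fixed-size, NUL-padded block, and the stub bytes are constructed.

MARKER = b'BEGINDATA'
NL = chr(10).encode()      # newline byte
NUL = bytes([0])
BLOCK_SIZE = 256           # assumed reserved size of the config area


def make_stub(block_size=BLOCK_SIZE):
    # Constructed stand-in for socks-null.exe / server-null.out: code bytes,
    # the marker, a zeroed area the builder fills, then more code bytes.
    code = bytes(range(256)) * 2
    return code + MARKER + NUL * block_size + code


def patch_config(stub, fields, block_size=BLOCK_SIZE):
    # Builder side: locate the marker and overwrite the reserved area with
    # KEY:VALUE lines. The output has the same length as the input so that
    # every other offset in the executable is preserved.
    off = stub.find(MARKER)
    if off < 0:
        raise ValueError('marker not found in stub')
    body = NL + NL.join(k.encode() + b':' + v.encode() for k, v in fields)
    if len(body) >= block_size:
        raise ValueError('config does not fit in the reserved block')
    start = off + len(MARKER)
    padding = NUL * (block_size - len(body))
    return stub[:start] + body + padding + stub[start + block_size:]


def extract_config(sample):
    # Analyst side: recover the config from a built sample as an ordered list
    # of (key, value) pairs; None if the marker is absent, [] if it is present
    # but nothing was written after it (an unpatched stub).
    off = sample.find(MARKER)
    if off < 0:
        return None
    start = off + len(MARKER)
    end = sample.find(NUL, start)
    if end < 0:
        end = len(sample)
    fields = []
    for line in sample[start:end].split(NL):
        if b':' not in line:
            continue
        key, value = line.split(b':', 1)
        fields.append((key.decode(), value.decode()))
    return fields


def defang(value):
    # Bracket the last dot so a recovered host is safe to paste into a report,
    # in the 192.168.1[.]149 style used in the article.
    head, sep, tail = value.rpartition('.')
    return head + '[.]' + tail if sep else value


if __name__ == '__main__':
    bot = patch_config(make_stub(), [('HOST1', '192.168.1.149'),
                                     ('HOST2', '192.168.1.149'),
                                     ('PORT1', '4001'), ('TOR', '')])
    for key, value in extract_config(bot):
        print(key, defang(value))
```

The size check and the equal-length output are the parts worth copying: a patcher that grows or shrinks the file shifts every offset behind the config area and produces a broken executable, which is why stub-based builders reserve a fixed area. On the hunting side, extract_config() run over a directory of samples is the quickest way to cluster builds by their HOST1/HOST2/PORT1 values.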
Some of the groups this actor is selling to include TrickBot, QBot and IcedID.\r\nIn conjunction with the discovery of the large panels, we also found that on some of the panels the bots were being tasked with downloading CobaltStrike; for example, one panel was pushing the following tasks:\r\nhxxp://172.104.63[.]157/crypt_beacon.exe\r\nhxxp://172.104.63[.]157/crypt_artifact.exe\r\nBeing used by some large cybercrime groups as a backdoor for delivering CobaltStrike makes SystemBC one more thing to look for in your environment, since it can be left behind even after the other related infections have been cleaned up.\r\nIOCs\r\nbackupboxsite.com\r\ninfodialsxbz.com\r\ndata.servicestatus.one\r\n185.61.138.59\r\ns.avluboy.xyz\r\nfmk7kux2dsxowkks.onion\r\n5.188.60.166\r\nproxyshmoxy.xyz\r\nbrabulco.ac.ug\r\nadobeupd.host\r\npanamontana.bit\r\naitchchewcdn.online\r\nmicrosoftmirror.ac.ug\r\n213.227.155.220\r\n149.28.145.240\r\ncheakendinner.xyz\r\nfastconnectionbit.xyz\r\nzghiexdgwfzi44b5.onion\r\ngigabitsolutions.pw\r\n217.8.117.42\r\nordercouldhost.com\r\nupteambuilding.com\r\n37.49.229.138\r\njjj2.rop.dev\r\nasdasd08.com\r\nncordercreatetest.com\r\nhcwakentent.com\r\nkvarttet.com\r\namendingnoum.xyz\r\nh4yk5u554epyhhen.onion\r\n138.124.187.15\r\nrar-archiver.ru\r\n3q5d4sgdxdxkkzhl.onion\r\ntvtmhltd.org\r\n23.249.163.103\r\nvpnstart.chickenkiller.com\r\n
hcwakententx2.com\r\n62.77.156.147\r\nhfbplsny55xcsgbn.onion\r\nsweetcloud.link\r\n199.19.225.233\r\nsystem.proredirector.com\r\nscserv1.info\r\nproxybro.top\r\n139.60.161.58\r\ntik-tak.club\r\nbc.fgget.top\r\n185.254.121.121\r\nscserv2.info\r\nfahrrados.de\r\n45.145.65.32\r\nprorequestops.com\r\narbetfroll.pw\r\nasdasd08.xyz\r\nr55q2zj8sb89b33k.bit\r\n37.1.220.248\r\ngosigoji.bit\r\ndealsbestcoupons.com\r\ndfhg72lymw7s3d7b.onion\r\n213.159.213.225\r\nfresher.at\r\ncp.nod32clients.com\r\npredatorhidden.xyz\r\n92.53.90.70\r\ntdsstats.mooo.com\r\n176.123.6.150\r\ns2.avluboy.xyz\r\nwhatimnot.sc.ug\r\ns1.freesocksvpn.xyz\r\nkunkflok4ochg2m5.onion\r\nsoks5.icu\r\ne6rldxwjc4jeb72c.onion\r\ntik-tak-super-puper.xyz\r\nusmostik.com\r\nt6xhk2j3iychxc2n.onion\r\n91.241.19.10\r\n176.123.8.226\r\n45.146.165.247\r\n217.8.117.18\r\nfragrant.digital\r\nmanillarout.com\r\n63bwf6zdrgsmagpt.onion\r\n5.79.124.201\r\n
138.197.141.150\r\ngeneralnetworking.net\r\ncoinupdater.bit\r\narbetfrolli.pw\r\n35.246.195.35\r\n5.206.224.199\r\narhi-lab.com\r\n185.119.57.126\r\n31.44.184.186\r\nyou.bit\r\nxxxxxxtnuhffpbep.onion\r\n217.8.117.65\r\ncashnet-server.com\r\n4renewdmn.biz\r\n137.74.151.42\r\n35.246.186.86\r\n84.38.129.162\r\nssl.virtualpoolnet.com\r\nwebsitetbox.com\r\nbmwsocksmozg.top\r\n92.63.197.143\r\ncoinsdoctor.bit\r\nsystemhomeupdate.com\r\ndragonfire.ac.ug\r\n185.33.84.190\r\n2y0y.l.time4vps.cloud\r\nsocks5.in\r\n92.53.90.84\r\nsocks5.eu\r\nmasonksmith.me\r\ns1.freevpnsocks.xyz\r\nwww.wappallyzer.com\r\nadvertrex20.xyz\r\ndevstudiakomp.xyz\r\ncleanerwors.com\r\n188.212.22.165\r\n5.188.60.95\r\nmaka.bit\r\n194.61.24.117\r\nshellcon.pro\r\ndwuhpii.bit\r\ndktigsgquxihyrik.onion\r\nbitdesk.online\r\n93.187.129.249\r\nasdfghjkl.host\r\ngentexman37.xyz\r\ntbueguicsrwo64i7.onion\r\nproxybum.xyz\r\n217.8.117.24\r\ncore-networking.com\r\njlayxnzzin5y335h.onion\r\n103.124.104.11\r\nqtrader.club\r\n185.125.230.131\r\nprotoukt.com\r\n185.197.74.227\r\nmaster-socks.cc\r\n23hfdne.com\r\namericalatina.club\r\njjj.rop.dev\r\n45.77.65.71\r\n45.77.65.72\r\n149.28.201.253\r\nefydniaemviuxkfo.onion\r\nmasonksmith.tech\r\n194.5.250.151\r\ndevstudiakomp.com\r\n23hfdne.xyz\r\n93.187.129.252\r\nmydomain47267.xyz\r\nmydomain47294.xyz\r\nhuxere.xyz\r\ndl-link.network\r\ndl-link.club\r\n88.198.147.80\r\n78.47.64.46\r\nReferences\r\n1: https://www.proofpoint.com/us/threat-insight/post/systembc-christmas-july-socks5-malware-and-exploit-kits\r\n2: https://news.sophos.com/en-us/2020/10/14/inside-a-new-ryuk-ransomware-attack/\r\n3: https://twitter.com/vk_intel/status/1234891766924484609?lang=en\r\nSource: https://medium.com/walmartglobaltech/inside-the-systembc-malware-as-a-service-9aa03afd09c6",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://medium.com/walmartglobaltech/inside-the-systembc-malware-as-a-service-9aa03afd09c6"
	],
	"report_names": [
		"inside-the-systembc-malware-as-a-service-9aa03afd09c6"
	],
	"threat_actors": [],
	"ts_created_at": 1775434650,
	"ts_updated_at": 1775826678,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2219dd8d9bfba038503bcbc3b0b45511f8ab4230.pdf",
		"text": "https://archive.orkl.eu/2219dd8d9bfba038503bcbc3b0b45511f8ab4230.txt",
		"img": "https://archive.orkl.eu/2219dd8d9bfba038503bcbc3b0b45511f8ab4230.jpg"
	}
}