{
	"id": "e31c3343-49da-4f42-9362-e3e3a336f108",
	"created_at": "2026-04-06T00:14:11.833737Z",
	"updated_at": "2026-04-10T03:21:55.43153Z",
	"deleted_at": null,
	"sha1_hash": "63cdf7781764c2e4553a054c1d7a3c8aa621fb2b",
	"title": "SystemBC Being Used by Various Attackers",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2466622,
	"plain_text": "SystemBC Being Used by Various Attackers\r\nBy ATCP\r\nPublished: 2022-04-03 · Archived: 2026-04-05 20:46:29 UTC\r\nSystemBC is a proxy malware that has been used by various attackers for the last few years. While it is recently\r\ndistributed through SmokeLoader or Emotet, this malware has steadily been used in various ransomware attacks\r\nin the past. When an attacker attempts to access a certain address with malicious intent, the system can be used as\r\na passage if the infected system utilizes SystemBC, which acts as a Proxy Bot. Because it can also act as a\r\ndownloader to install additional malware externally, attackers can also use it to install additional payloads.\r\n1. Previous Distribution Cases\r\nSystemBC’s distribution using RIG exploit kit and Fallout exploit kit was first discovered in 2019. [1] The initial\r\nversion found in 2019 focused mainly on Socks5 Proxy features and had a small size. According to Proofpoint,\r\nwhich first discovered SystemBC, the developer of the malware had a history of selling it under the name “socks5\r\nbackconnect system.”\r\nSystemBC discovered in 2020 was used with Ryuk or Egregor in ransomware attacks. It was also the malware\r\nused by the DarkSide ransomware group, which used it to attack Colonial Pipeline, a U.S. pipeline company. [2]\r\nUnlike ransomware distributed through exploit kits, web browsers, or spam emails, attackers using this type of\r\nmalware install ransomware after dominating the company environment system, then demand money. In other\r\nwords, they dominate the internal network using tools such as Cobalt Strike after the initial infiltration and infect\r\nvarious systems within a company by installing ransomware.\r\nThe role of SystemBC in such an attack is not known in detail. 
Yet as it can act as a proxy and install additional\r\npayloads after downloading them, it might download and execute malicious payloads or be installed in internal\r\nnetworks to perform the role of a proxy. In fact, according to a report made by F-Secure [3] that found an attack\r\nusing SystemBC, the malware was used for downloading and running PsExec and scripts for lateral movement\r\nattacks.\r\n2. Recent Distribution Cases\r\nIn March 2022, it was found that SystemBC was being installed as an additional payload by Emotet. Emotet is a\r\nbanking malware that installs additional modules or malware strains to steal credentials from the infected system.\r\nNormally, the attackers install Cobalt Strike through Emotet to dominate the infected system, but recently,\r\nSystemBC is also being distributed.\r\n– Link : https://twitter.com/Cryptolaemus1/status/1502069552246575105\r\nAccording to AhnLab’s ASD infrastructure, most of the recent cases involving SystemBC have the malware\r\ninstalled by SmokeLoader. SmokeLoader operates by being injected into explorer.exe (Windows Explorer that is\r\ncurrently being run) and can install additional modules or malware.\r\nhttps://asec.ahnlab.com/en/33600/\r\nPage 1 of 15\r\nThe figure below shows the log of the injected\r\nExplorer process installing SystemBC.\r\nFigure 1. SystemBC installed by SmokeLoader\r\nSmokeLoader is recently installed through Muldrop, an NSIS dropper malware distributed through malicious\r\nwebsites disguised as cracks and serial download pages of commercial software. Besides Muldrop, CryptBot and\r\nPseudoManuscrypt are also distributed in such a method.\r\n[ASEC Blog] Changed Form of CryptBot Infostealer Disguised as Software Crack Download\r\n[ASEC Blog] PseudoManuscrypt Being Distributed in the Same Method as Cryptbot\r\n3. Analysis of SystemBC\r\nSystemBC has a number of variants. The exact order is not confirmed, but the variants are categorized based on\r\ntheir additional features. 
Unlike Type 1, which is an early version and can only update itself, Type 2 can run scripts\r\nsuch as Batch, VBS, and PowerShell after downloading them. It can also download malware in DLL and\r\nShellcode forms to execute them in the memory. In addition, the malware can communicate with the C\u0026C server\r\nthrough the Tor network. [4] Type 3, the second variant, lacks certain features including being able to use the Tor\r\nnetwork and execute DLL and Shellcode after downloading them.\r\nThis post will discuss the analysis of the SystemBC type that can currently communicate with the C\u0026C server. To be\r\nmore precise, it is an analysis of Type 2, which has most of the features of Type 1 and Type 3. The malware was\r\nfound to be installed through RedLine, packed with the packer that was used for the type distributed through\r\nSmokeLoader. SystemBC known to be installed through Emotet is Type 3.\r\n3.1. Initial Routine\r\nWhen SystemBC is initially run, it first checks if the argument is “start”. It will not have an argument when it is\r\nexecuted for the first time. In this case, it checks the windows of the currently running processes. If there is a\r\nprocess with “Microsoft” as the window name and “win32app” as the class name, it sends the message\r\n“WM_COPYDATA” and goes dormant for a certain amount of time. Afterward, it deletes the file for the process.\r\nFigure 2. Process handling function that has a certain window\r\nSystemBC first registers a window class and creates a window. The name of the window and class is\r\n“Microsoft” and “win32app” respectively. As shown in the figure below, the following windows and classes can\r\nbe seen when SystemBC is executed.\r\nFigure 3. Windows and classes of SystemBC being run\r\nThe message handling function registered at this moment deletes the task registered as “certain\r\nrandom string” and terminates the process when it receives the message “WM_COPYDATA”. 
In summary, SystemBC checks for the\r\nSystemBC process that has been running when it is executed for the first time. If there is one, it sends a message\r\nto terminate the old SystemBC. The previous SystemBC that received the message deletes the task it is registered\r\nto and terminates itself, and the SystemBC that was executed later deletes the binary of the previous one.\r\nIt then scans for the process named “a2guard.exe”, which is assumed to be a product of Emsisoft. If the process is\r\nrunning, it terminates itself and will no longer perform malicious behaviors. Lastly, it copies the binary of the\r\ncurrently running SystemBC as a random name in %ALLUSERSPROFILE% (in the random folder of the\r\nProgramData path) and registers it as a task named “certain random string” again. The process uses COM objects,\r\nthe TaskScheduler class, and methods of the Task class.\r\nFigure 4. Process for registering the task using COM objects\r\nThe task starts 2 minutes after the current time and is run every 2 minutes. The target that is executed is\r\nSystemBC, and it designates “start” as an argument. SystemBC can download payloads in exe form from the C\u0026C\r\nserver and run them. If the downloaded executable is SystemBC with the latest version, the process then becomes\r\na binary update for SystemBC.\r\n3.2. C\u0026C Communications\r\nSystemBC executed with the “start” argument attempts to communicate with the C\u0026C server. It has the URL of\r\nthe C\u0026C server in the data section in XOR-encrypted form. The malware decrypts the C\u0026C server address and\r\nport number before communicating with the C\u0026C server. If it cannot access the first URL, it will attempt to\r\ncommunicate with the second one. Since the current analysis target does not have its settings data encrypted, one\r\ncan check it in its plain form. If the “xordata” string exists below the settings data, the XOR encoding will not be\r\nprocessed. 
The 0x32 byte-sized data that has the string is the value for the RC4 key. If a normal RC4 key value\r\nexists, the XOR encoding will be processed.\r\nFigure 5. Settings data of SystemBC\r\n- C\u0026C Server URL 1 : 31.44.185[.]6:4001\r\n- C\u0026C Server URL 2 : 31.44.185[.]11:4001\r\nAs shown below, SystemBC first collects the basic information of the infected system. When the currently running\r\nSystemBC process is executed with admin privilege (High Integrity Level or higher), Offset 0x34 among the\r\nfollowing items is set as 0x2. If not, it is set as 0.\r\nOffset | Size | Data\r\n+0x00 | 0x32 | RC4 key\r\n+0x32 | 0x02 | Windows ver.\r\n+0x34 | 0x01 | Admin privilege status (0x02)\r\n+0x35 | 0x01 | WOW64 availability\r\n+0x36 | 0x2A | User name\r\n+0x60 | 0x04 | Volume serial number\r\nTable 1. Data to be sent to C\u0026C server\r\nThe data shown below has a size of 0x64 bytes. It first uses the 0x32 byte-sized RC4 key to RC4-encrypt the remaining 0x32\r\nbytes. The C\u0026C server that received the data can decrypt the 0x32 byte-sized information of the\r\ninfected system with the RC4 key of the first 0x32 bytes.\r\nFigure 6. RC4 key and information collected from the infected system\r\n- RC4 Key: 78 6F 72 64 61 74 61 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0\r\nFigure 7. Communication packet with the C\u0026C server\r\nThe encrypted data is then sent to the C\u0026C server. SystemBC uses a raw TCP socket to communicate with the\r\nC\u0026C server. When the server receives information from the malware, it uses the same RC4 key to send the\r\nencrypted command data. The following is encrypted data sent from the C\u0026C server.\r\nFigure 8. Data received from the C\u0026C server\r\nSystemBC decrypts the first 4 bytes, which can be considered as a header of the C\u0026C command. 
The header can\r\nbe divided into 3 main parts: command, secondary command, and data size. The 4 bytes that follow are the\r\ntoken, and the rest is command data.\r\nOffset | Size | Data\r\n+0x00 | 0x01 | Command\r\n+0x01 | 0x01 | Secondary Command\r\n+0x02 | 0x02 | Data Size\r\n+0x04 | 0x04 | Token\r\n+0x08 | Variable | Command Data\r\nTable 2. Downloaded packet structure\r\nThe command currently received is 0xFFFF2B00. This means the malware received the data with the size of\r\n0x002B. Decrypting the 0x002B-sized data following behind will reveal the token and URL. Since the command\r\nis 0xFFFF, the malware will run the files after downloading them from the URL.\r\nCommand | Secondary Command | Size | Feature\r\n0xFF | 0xFF | Variable | Download payload\r\n0xFF | 0xFE | 0x00 | Terminate\r\n0x00 | – | Variable | Create a new Proxy for the target\r\n– | Index[0x00 – 0xFF] | Variable | Sends the data received from the C\u0026C server to the designated target in Index\r\n– | Index[0x00 – 0xFF] | 0x00 | Terminate Proxy with the designated target\r\nTable 3. Types of C\u0026C commands\r\nNote that the exe malware downloaded currently is also SystemBC; this indicates that the command is for\r\nupdating the binary.\r\n- Download URL: hxxp://michaelstefensson[.]com/supd/s.exe\r\nFigure 9. URL for downloading additional payloads\r\nSystemBC uses a raw TCP socket again for HTTP communications. The following is the request, including the User-Agent string, used for\r\ndownloading binaries from the URL that was sent.\r\nGET %s HTTP/1.0\r\nHost: %s\r\nUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0\r\nConnection: close\r\nAfter the download is complete, the malware sends the result encrypted with RC4 to the C\u0026C server. 
The data\r\nthat will be sent include 0xFF (secondary command used for downloading payloads), 0x04 (data size that will be\r\nsent), and 0x07 (including the token value 0x04 byte that was sent earlier).\r\nFigure 10. Sending response to the C\u0026C server\r\nOffset | Size | Data\r\n+0x00 | 0x01 | Secondary Command\r\n+0x01 | 0x02 | Data Size\r\n+0x03 | 0x04 | Token\r\nTable 4. Structure of the packet sent to the C\u0026C server\r\nThe download URLs that were sent are categorized depending on the file extension and format.\r\nType | Extension | Format | Feature\r\nexe | exe | – | Self-update for SystemBC\r\nVBS script | .vbs | – | Run VBS script\r\nBatch script | .bat | – | Run Batch script\r\nBatch script | .cmd | – | Run Batch script\r\nPowershell Script | .ps1 | – | Run Powershell script\r\nDLL | – | DLL | Load DLL in the memory; run the function of the DLL if the URL has # at the back\r\nShellcode | – | Encoded form | Run Shellcode in the memory\r\nTable 5. Payload that can be downloaded\r\nFigure 11. Categorization based on extensions and formats\r\nThe malware creates normal files in the Temp path and registers the files in the task scheduler to run them. For\r\nPowershell scripts, it additionally uses command lines such as “-WindowStyle Hidden -ep bypass -file”.\r\nIf the downloaded payload is a DLL, it allocates memory and loads it to run as a new thread. If the “#” string is\r\nbehind the URL sent from the C\u0026C server, it calls the export function from the downloaded DLL. For Shellcode,\r\nthe malware also runs it as a new thread after going through the decoding routine. As a result, DLL and Shellcode are\r\nnot created as files but run in the memory of SystemBC.\r\n3.3. TOR Communications\r\nBecause the current analysis target does not have a Tor URL, the team will discuss a previous case where Tor\r\nnetwork communication was possible. 
The malware in this case has the C\u0026C server URLs encoded as shown\r\nbelow. If it cannot access both servers, it uses Tor to access another server.\r\n- C\u0026C Server URL 1: admex175x[.]xyz:4044\r\n- C\u0026C Server URL 2: servx278x[.]xyz:4044\r\nTo do so, it accesses the following URLs to obtain a public IP address. The address is then encoded with the data\r\nthat will be sent to the C\u0026C server and sent.\r\nhttps://api.ipify.org/\r\nhttps://ip4.seeip.org/\r\nSystemBC is known to utilize the mini-tor [5] library to use the Tor network. [6] It first goes through the reset\r\nprocess to access Tor. By randomly selecting one of the IP addresses of the hard-coded Directory Authority\r\nservers, it gets the Consensus data for the Tor network. Then it will start Tor communications based on the settings\r\ndata it received.\r\nFigure 12. Obtaining Tor Consensus data\r\n193.23.244[.]244:80\r\n86.59.21[.]38:80\r\n199.58.81[.]140:80\r\n204.13.164[.]118:80\r\n194.109.206[.]212:80\r\n131.188.40[.]189:80\r\n154.35.175[.]225:80\r\n171.25.193[.]9:443\r\n128.31.0[.]34:9131\r\n128.31.0[.]39:9131\r\nThe malware then obtains the Tor C\u0026C URL. As seen below, the Tor C\u0026C URL needs an additional decryption\r\nprocess, unlike normal C\u0026C URLs that can be checked in text after XOR decryption. The part that comes after the\r\n“TOR:” string is the Tor C\u0026C URL that is decrypted for the first time. The actual URL will be revealed through\r\nthe additional decryption process.\r\nFigure 13. XOR-encoded settings data\r\nFigure 14. C\u0026C URL that is ultimately decrypted\r\n- C\u0026C URL (Tor): dfhg72lymw7s3d7b[.]onion:4044\r\nAfter normally accessing the Tor network, the malware will send the information of the infected system including\r\nthe public IP address that was mentioned earlier. 
This method is identical to the other methods of using raw TCP\r\nsocket communications, except that it sends data by using the Tor network. So the malware will send the data\r\nencrypted with the RC4 algorithm and receive C\u0026C commands encrypted with the same key as in previous cases. The\r\ncase is also the same for the HTTP communications used for downloading additional payloads.\r\nFigure 15. C\u0026C command received through Tor\r\n- Download URL: http://5.61.33[.]200/henos.exe\r\n3.4. SOCKS5 PROXY\r\nBesides the downloader, the main features of SystemBC include being able to operate as a Proxy Bot. The figure below\r\nshows the commands related to proxies that were mentioned above. Each line creates a socket for the proxy and\r\nprocesses certain proxy packets.\r\nFigure 16. Socks5 proxy routine\r\nIf the attacker wants to use an infected system as a Proxy Bot (using SystemBC of the infected system when\r\naccessing a certain address), a command to create proxies will be sent first. SystemBC creates a socket depending\r\non the type when it receives a command to create proxies. The created socket will be managed by index.\r\nAfter the socket is created, the malware will create a new thread and connect to the address it received. The reason\r\nthe attacker initially named the malware BackConnect is because SystemBC first connects to the attacker’s server\r\ninstead of the attacker manually accessing SystemBC to attempt a Socks5 proxy connection. Since SystemBC\r\ncannot be accessed externally if it is installed in a system of a private IP band, malware strains with the Proxy\r\nfeature mainly use the Reverse Proxy method.\r\nShould the attacker send requests to a certain address later, they will send them through the created proxy socket with the\r\nassigned index. SystemBC will then send the data it received to the address. The data received will be sent to the\r\nC\u0026C server through SystemBC. 
SystemBC thus acts as a Proxy Bot, allowing the attacker to hide the IP when\r\nperforming attacks. If the malware operates in a system that can access internal networks, the networks can be\r\naccessed by the external attacker through SystemBC.\r\nComparison with Previous Versions\r\nThe post discussed Type 2, which supports most of the features, but each type has minor variations in the features\r\nit supports.\r\nFeature | Type 1 | Type 2 | Type 3\r\nRecursive Execution Argument | “Start2” | “start” | “start”\r\nScan Emsisoft product | O | O | X\r\nInstallation Path | %ALLUSERSPROFILE%\\[Random] | %ALLUSERSPROFILE%\\[Random] | Current Path\r\nDownloader feature | X (has only update feature) | Batch, VBS, PowerShell, DLL, Shellcode, and update | Batch, VBS, PowerShell, and update\r\nSupport URL shortener .bit | O | X | X\r\nTable 6. Differences in each Type\r\nType 1 supports the URL shortener “.bit”. The following settings data of the malware has the list of DNS servers\r\nbesides the C\u0026C URL and port number.\r\nFigure 17. List of DNS servers in settings data\r\n- C\u0026C Server URL 1: db1.pushsecs[.]info:40690\r\n- C\u0026C Server URL 2: db2.pushsecs[.]info:40690\r\n- DNS Server URL 1: 5.132.191[.]104\r\n- DNS Server URL 2: ns1.vic.au.dns.opennic[.]glue\r\n- DNS Server URL 3: ns2.vic.au.dns.opennic[.]glue\r\nIf the C\u0026C server URL ends in “.bit”, the malware obtains the IP address of the server by using the DNS servers\r\nlisted above.\r\nFigure 18. DNS query routine for .bit URL\r\nConclusion\r\nEver since SystemBC was distributed through exploit kits in the past, the malware has been installed through\r\nother malware strains from malicious websites disguised as download pages for cracks and serials of commercial\r\nsoftware until recently. 
While it was used for attacks targeting normal users, it was also employed by attackers in\r\nmultiple ransomware attacks targeting companies to achieve their goals.\r\nAfter it is installed, SystemBC stays in the infected system to download additional payloads. Moreover, it can also\r\nact as a Proxy Bot, meaning that the system can become a passageway for other attackers. Users should apply the\r\nlatest patch for the OS and programs such as Internet browsers, and update V3 to the latest version to prevent malware\r\ninfection in advance.\r\nAhnLab’s anti-malware software, V3, detects and blocks the malware above using the aliases below.\r\n[File Detection]\r\n– Trojan/Win.MalPE.R480644 (2022.03.29.02)\r\n– Trojan/Win.Generic.C5006057 (2022.03.11.03)\r\n– Malware/Win32.RL_Generic.R358611 (2020.12.18.01)\r\n– Trojan/Win32.Agent.C3511593 (2019.10.14.08)\r\nMD5\r\n28c2680f129eac906328f1af39995787\r\n8e3a80163ebba090c69ecdeec8860c8b\r\nae3f6af06a02781e995650761b3a82c6\r\nbeb92b763b426ad60e8fdf87ec156d50\r\nURL\r\nhttp[:]//31[.]44[.]185[.]11[:]4001/\r\nhttp[:]//31[.]44[.]185[.]6[:]4001/\r\nhttp[:]//45[.]32[.]132[.]182[:]4177/\r\nhttp[:]//5[.]61[.]33[.]200/henos[.]exe\r\nhttp[:]//96[.]30[.]196[.]207[:]4177/\r\nAdditional IOCs are available on AhnLab TIP.\r\nSource: https://asec.ahnlab.com/en/33600/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://asec.ahnlab.com/en/33600/"
	],
	"report_names": [
		"33600"
	],
	"threat_actors": [],
	"ts_created_at": 1775434451,
	"ts_updated_at": 1775791315,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/63cdf7781764c2e4553a054c1d7a3c8aa621fb2b.pdf",
		"text": "https://archive.orkl.eu/63cdf7781764c2e4553a054c1d7a3c8aa621fb2b.txt",
		"img": "https://archive.orkl.eu/63cdf7781764c2e4553a054c1d7a3c8aa621fb2b.jpg"
	}
}