{
	"id": "14bd5f4c-56d8-4e5f-ab10-9e65d350376b",
	"created_at": "2026-04-06T00:20:55.265941Z",
	"updated_at": "2026-04-10T03:21:50.151509Z",
	"deleted_at": null,
	"sha1_hash": "7caff165df4206eb2914da04ba5dab903a07c44d",
	"title": "SystemBC, PowerShell version",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 931750,
	"plain_text": "SystemBC, PowerShell version\r\nBy Jason Reaves\r\nPublished: 2022-03-04 · Archived: 2026-04-05 19:42:45 UTC\r\nBy: Jason Reaves and Joshua Platt\r\nSome of the most effective malware leveraged over the past few years against enterprise environments has incorporated scripting. AV detections for script-based malware have historically lagged behind those of binary-based detections. The SystemBC Malware-as-a-Service we previously outlined[1] has been leveraged by prolific crimeware groups involved in ransomware operations against enterprises[1,3,4,5] for a while now. Earlier this year a researcher on Twitter[2] found and uploaded a copy of an open directory containing the elements of a SystemBC package along with an interesting PowerShell file:\r\nThe uploaded package can be found on VirusTotal:\r\nRef:\r\nhttps://www.virustotal.com/gui/file/c860ccfeb7072133bf8fe0f9aab56c6dcbe10c83a3bda7e98ff6375ad6c1a06c/details\r\nThe PowerShell script ‘socks5.ps1’ has no detections:\r\nRef:\r\nhttps://www.virustotal.com/gui/file/61f8fc5838fea490230c5929dd7a977ca7dd6c7364aa9815389ec92a69c32e11/details\r\nThe PowerShell script has a header containing a C2 server and a port number to connect to, before setting up a block of 50 bytes called ‘xordata’ which is later passed to the ‘Rc4_crypt’ function:\r\n$xordata = New-Object byte[] 50\r\nFor ($i=0; $i -ne 50; $i++) { $xordata[$i] = $i }\r\nUsing a traffic example from VirusTotal:\r\nDecrypting:\r\n\u003e\u003e\u003e a = 
'000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303\r\n\u003e\u003e\u003e import binascii\r\n\u003e\u003e\u003e b = binascii.unhexlify(a)\r\n\u003e\u003e\u003e b\r\n'\\x00\\x01\\x02\\x03\\x04\\x05\\x06\\x07\\x08\\t\\n\\x0b\\x0c\\r\\x0e\\x0f\\x10\\x11\\x12\\x13\\x14\\x15\\x16\\x17\\x18\\x19\\x1a\\x1b\\\r\n\u003e\u003e\u003e from Crypto.Cipher import ARC4\r\n\u003e\u003e\u003e len(b)\r\n100\r\n\u003e\u003e\u003e b[:50]\r\n'\\x00\\x01\\x02\\x03\\x04\\x05\\x06\\x07\\x08\\t\\n\\x0b\\x0c\\r\\x0e\\x0f\\x10\\x11\\x12\\x13\\x14\\x15\\x16\\x17\\x18\\x19\\x1a\\x1b\\\r\n\u003e\u003e\u003e rc4 = ARC4.new(b[:50])\r\n\u003e\u003e\u003e rc4.decrypt(b[50:])\r\n'\\xb1\\x1d\\x00\\x01PS\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\\r\nThe first word is the build number for Windows:\r\n$osn = [system.environment]::osversion.version.build\r\n$os0 = $osn -band 0x000000ff\r\n$os1 = [math]::Floor(($osn -band 0x0000ff00) * [math]::Pow(2,-8))\r\n$buffer0[50] = $os0 -as[byte]\r\n$buffer0[51] = $os1 -as[byte]\r\nIn our decrypted example this is ‘7601’; the next word is a bitness check:\r\n$int64 = 0\r\nif ([IntPtr]::Size -eq 8) {$int64 = 1}\r\n$buffer0[53] = $int64 -as[byte]\r\nThe PS value is hardcoded:\r\n$buffer0[54] = 0x50 -as[byte]\r\n$buffer0[55] = 0x53 -as[byte]\r\nAfter checking in, the bot receives IPs and port numbers, and each one is assigned its own job in a thread pool which will handle proxying traffic.\r\n[void]$ps.AddScript($new_connection)\r\n[void]$ps.AddParameter(\"stream\", $stream)\r\n[void]$ps.AddParameter(\"writer\", $writer)\r\n[void]$ps.AddParameter(\"reader\", $reader)\r\n[void]$ps.AddParameter(\"SocketArray\", $SocketArray)\r\n[void]$ps.AddParameter(\"ebx\", $ebx)\r\n[void]$ps.AddParameter(\"domain\", $domain)\r\n$jobs[$i] = 
[PSCustomObject]@{\r\n PowerShell = $ps\r\n AsyncResult = $ps.BeginInvoke()\r\n }\r\nWith the current method chosen by the developer (to hardcode the key generation), we can assume this version is still in a\r\ndevelopmental stage. This makes network and endpoint detections easier for the time being.\r\nIOCs\r\nPowershell version:\r\nc860ccfeb7072133bf8fe0f9aab56c6dcbe10c83a3bda7e98ff6375ad6c1a06c\r\n185.158.155[.]175\r\nSystemBC Full C2 list:\r\nDetections\r\nEndpoint:\r\nRun key:\r\n\"HKCU:\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\" - 
socks5_powershell\r\nNetwork:\r\nalert tcp $HOME_NET any -\u003e $EXTERNAL_NET any ( msg:\"SystemBC Powershell bot registration\"; dsize:100; conten\r\nReferences\r\n1: https://medium.com/walmartglobaltech/inside-the-systembc-malware-as-a-service-9aa03afd09c6\r\n2: https://twitter.com/r3dbU7z\r\n3: https://news.sophos.com/en-us/2020/10/14/inside-a-new-ryuk-ransomware-attack/\r\n4: https://twitter.com/vk_intel/status/1234891766924484609?lang=en\r\n5: https://blogs.blackberry.com/en/2021/06/threat-thursday-systembc-a-rat-in-the-pipeline\r\nSource: https://medium.com/walmartglobaltech/systembc-powershell-version-68c9aad0f85c",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://medium.com/walmartglobaltech/systembc-powershell-version-68c9aad0f85c"
	],
	"report_names": [
		"systembc-powershell-version-68c9aad0f85c"
	],
	"threat_actors": [],
	"ts_created_at": 1775434855,
	"ts_updated_at": 1775791310,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/7caff165df4206eb2914da04ba5dab903a07c44d.pdf",
		"text": "https://archive.orkl.eu/7caff165df4206eb2914da04ba5dab903a07c44d.txt",
		"img": "https://archive.orkl.eu/7caff165df4206eb2914da04ba5dab903a07c44d.jpg"
	}
}