{
	"id": "98938b9f-e93f-4b8e-aa35-58e2b4239c12",
	"created_at": "2026-04-06T00:15:11.470696Z",
	"updated_at": "2026-04-10T03:21:27.332727Z",
	"deleted_at": null,
	"sha1_hash": "dd56dc3882dbb5b6ff90976eaae4e2e545f51d86",
	"title": "Windows.Carving.SystemBC :: Velociraptor - Digging deeper!",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 51828,
	"plain_text": "Windows.Carving.SystemBC :: Velociraptor - Digging deeper!\r\nArchived: 2026-04-05 18:45:52 UTC\r\nThis artifact extracts SystemBC RAT configuration from a byte stream, process or file on disk.\r\nThe User can define bytes, file glob, process name or pid regex as a target. The artifact firstly discovers\r\nconfiguration and extracts bytes, before parsing with Velociraptor Binary Parser.\r\nThis content simply carves the configuration and does not unpack files on disk. That means pointing this artifact\r\nas a packed or obfuscated file may not obtain the expected results.\r\nname: Windows.Carving.SystemBC\r\nauthor: Matt Green - @mgreen27\r\ndescription: |\r\n This artifact extracts SystemBC RAT configuration from a byte stream,\r\n process or file on disk.\r\n \r\n The User can define bytes, file glob, process name or pid regex as a target.\r\n The artifact firstly discovers configuration and extracts bytes,\r\n before parsing with Velociraptor Binary Parser.\r\n \r\n This content simply carves the configuration and does not unpack files on\r\n disk. That means pointing this artifact as a packed or obfuscated file may not\r\n obtain the expected results.\r\nreference:\r\n - https://malpedia.caad.fkie.fraunhofer.de/details/win.systembc\r\n \r\nparameters:\r\n - name: TargetBytes\r\n default:\r\n - name: TargetFileGlob\r\n default:\r\n - name: PidRegex\r\n default: .\r\n type: regex\r\n - name: ProcessRegex\r\n default: .\r\n type: regex\r\n - name: FindConfig\r\n type: hidden\r\n description: Final Yara option and the default if no other options provided.\r\nhttps://docs.velociraptor.app/exchange/artifacts/pages/systembc/\r\nPage 1 of 4\n\ndefault: |\r\n rule SystemBC_Config\r\n {\r\n meta:\r\n author = \"Matt Green - @mgreen27\"\r\n description = \"SystemBC configuration\"\r\n \r\n strings:\r\n $BEGINDATA = { 00 42 45 47 49 4e 44 41 54 41 00 } //BEGINDATA\r\n $ = \"HOST1:\" ascii wide fullword\r\n $ = \"HOST2:\" ascii wide fullword\r\n $ = \"PORT1:\" ascii wide fullword\r\n $ = \"TOR:\" ascii wide fullword\r\n $ = \"-WindowStyle Hidden -ep bypass -file\" ascii wide\r\n \r\n condition:\r\n $BEGINDATA and 3 of them\r\n }\r\nsources:\r\n - precondition:\r\n SELECT OS From info() where OS = 'windows'\r\n query: |\r\n -- binary parse profile to extract SystemBC configuration.\r\n LET PROFILE = '''[\r\n [SystemBC, 0, [\r\n [\"__FindHost1\",0, \"String\",{term: \"HOST1:\"}],\r\n [\"HOST1\",\"x=\u003elen(list=x.__FindHost1) + 6\", \"String\",{term_hex: \"0000\"}],\r\n [\"__FindHost2\",0, \"String\",{term: \"HOST2:\"}],\r\n [\"HOST2\",\"x=\u003elen(list=x.__FindHost2) + 6\", \"String\",{term_hex: \"0000\"}],\r\n [\"__FindPort1\",0, \"String\",{term: \"PORT1:\"}],\r\n [\"PORT1\",\"x=\u003elen(list=x.__FindPort1) + 6\", \"String\",{term_hex: \"0000\"}],\r\n [\"__FindTOR\",0, \"String\",{term: \"TOR:\"}],\r\n [\"TOR\",\"x=\u003elen(list=x.__FindTOR) + 4\", \"String\",{term_hex: \"0000\"}],\r\n [\"__FindUserAgent\",0, \"String\",{term: \"\\r\\nUser-Agent: \"}],\r\n [\"User-Agent\",\"x=\u003elen(list=x.__FindUserAgent) + 14\", \"String\",{term: \"\\r\\n\"}],\r\n ]\r\n ]]'''\r\n \r\n \r\n -- Bytes usecase: scan DataBytes for config\r\n LET ByteConfiguration = SELECT\r\n Rule,\r\n len(list=TargetBytes) as Size,\r\n hash(path=TargetBytes,accessor='data') as Hash,\r\n String.Offset as HitOffset,\r\n read_file(accessor=\"data\",filename=TargetBytes, offset=String.Offset, length=1000) as _RawConfig\r\nhttps://docs.velociraptor.app/exchange/artifacts/pages/systembc/\r\nPage 2 of 4\n\nFROM yara(\r\n files=TargetBytes,\r\n accessor='data',\r\n rules=FindConfig,\r\n number=99,\r\n context=1000\r\n )\r\n GROUP BY _RawConfig\r\n \r\n -- Glob usecase: find target files\r\n LET TargetFiles = SELECT OSPath,Size\r\n FROM glob(globs=TargetFileGlob) WHERE NOT IsDir\r\n -- Glob usecase: Extract config from files in scope\r\n LET FileConfiguration = SELECT * FROM foreach(row=TargetFiles,\r\n query={\r\n SELECT\r\n Rule,\r\n OSPath, Size,\r\n hash(path=OSPath) as Hash,\r\n String.Offset as HitOffset,\r\n read_file(filename=OSPath, offset=String.Offset, length=1000) as _RawConfig\r\n FROM yara(\r\n files=OSPath,\r\n rules=FindConfig,\r\n number=99,\r\n context=1000\r\n )\r\n GROUP BY OSPath,_RawConfig\r\n })\r\n \r\n -- find velociraptor process\r\n LET me \u003c= SELECT * FROM if(condition= NOT ( TargetFileGlob OR TargetBytes ),\r\n then = { SELECT Pid FROM pslist(pid=getpid()) })\r\n -- find all processes and add filters\r\n LET processes = SELECT Name as ProcessName, Exe, CommandLine, Pid\r\n FROM pslist()\r\n WHERE\r\n Name =~ ProcessRegex\r\n AND format(format=\"%d\", args=Pid) =~ PidRegex\r\n AND NOT Pid in me.Pid\r\n \r\n -- scan processes in scope with our rule, limit 1 hit and extract context to parse\r\n LET ProcessConfiguration = SELECT * FROM foreach(\r\n row=processes,\r\n query={\r\nhttps://docs.velociraptor.app/exchange/artifacts/pages/systembc/\r\nPage 3 of 4\n\nSELECT\r\n Rule,\r\n Pid, ProcessName, CommandLine,\r\n String.Offset as HitOffset,\r\n read_file(accessor=\"process\", filename=format(format=\"/%d\", args=Pid), offset=String.Offset, len\r\n FROM yara(\r\n files=format(format=\"/%d\", args=Pid),\r\n accessor='process',\r\n rules=FindConfig,\r\n number=99,\r\n context=1000\r\n )\r\n GROUP BY Pid, ProcessName, CommandLine,_RawConfig\r\n })\r\n \r\n -- generate results remove any FPs\r\n SELECT *,\r\n parse_binary(accessor=\"data\", filename=_RawConfig, profile=PROFILE, struct='SystemBC') AS SystemBC,\r\n _RawConfig\r\n FROM if(condition=TargetBytes,\r\n then=ByteConfiguration,\r\n else= if(condition=TargetFileGlob,\r\n then= FileConfiguration,\r\n else= ProcessConfiguration))\r\n WHERE SystemBC.HOST1 OR SystemBC.HOST2 OR SystemBC.TOR\r\nSource: https://docs.velociraptor.app/exchange/artifacts/pages/systembc/\r\nhttps://docs.velociraptor.app/exchange/artifacts/pages/systembc/\r\nPage 4 of 4",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://docs.velociraptor.app/exchange/artifacts/pages/systembc/"
	],
	"report_names": [
		"systembc"
	],
	"threat_actors": [],
	"ts_created_at": 1775434511,
	"ts_updated_at": 1775791287,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/dd56dc3882dbb5b6ff90976eaae4e2e545f51d86.pdf",
		"text": "https://archive.orkl.eu/dd56dc3882dbb5b6ff90976eaae4e2e545f51d86.txt",
		"img": "https://archive.orkl.eu/dd56dc3882dbb5b6ff90976eaae4e2e545f51d86.jpg"
	}
}