SystemBC

Search IOCs, vulnerabilities, APT…

216.73.216.6

← Back to malwares

AlienVault · Published 20/12/2025 19:38 · Modified 27/05/2026 21:40

Essential information

Confidence: 100/100
Is family: No
Published: 20/12/2025 19:38
Modified: 27/05/2026 21:40
Revoked: No
Author / Source: AlienVault
Related entities: 74 attack patterns (mitre), 2 intrusion sets (apt), 9 sectors, 9 countries, 98 indicators, 7 vulnerabilities (cve), 23 reports

Description

[SystemBC](https://attack.mitre.org/software/S9001) is a malware family offered as a malware-as-a-service (MaaS) that is used to establish command and control and facilitate follow-on activity, including ransomware deployment.[SystemBC](https://attack.mitre.org/software/S9001) executes a variety of tasks including setting up SOCKS5 proxies, maintaining persistence, ingesting malicious files, and handing C2 communication. [SystemBC](https://attack.mitre.org/software/S9001) was first detected in 2018, and has been used by [Wizard Spider](https://attack.mitre.org/groups/G0102) since at least 2020, and by [FIN7](https://attack.mitre.org/groups/G0046) since at least 2022.(Citation: TrumanKroll_SYSTEMBCServer_Jan2024)(Citation: SophosGnGal_SystemBC_Dec2020)(Citation: BlackBasta)(Citation: AhnLab_SystemBC_Apr2022)(Citation: Lumen_SystemBC_Sept2025)

Marking (TLP)

TLP:CLEAR

External references

SophosGnGal_SystemBC_Dec2020
AlienVault
Microsoft_Coroxy_Oct2020
mitre-attack (S9001)
Broadcom_SystemBCCoroxy_Nov2023
BlackBasta
Lumen_SystemBC_Sept2025
TrumanKroll_SYSTEMBCServer_Jan2024

Related entities

Attack patterns, malware, vulnerabilities, indicators, intrusion sets and other entities linked to this malware.

Attack patterns (MITRE) (74)

T1059 uses

Command and Scripting Interpreter MITRE
T1210 uses

Exploitation of Remote Services MITRE
T1566.002 uses

Spearphishing Link MITRE
T1110 uses

Brute Force MITRE
Taint Shared Content uses

T1080 MITRE
T1136.001 uses

Local Account MITRE
T1003.001 uses

LSASS Memory MITRE
T1219 uses

Remote Access Tools MITRE
T1570 uses

Lateral Tool Transfer MITRE
T1012 uses

Query Registry MITRE
T1003 uses

OS Credential Dumping MITRE
T1106 uses

Native API MITRE

← Previous

Page / 7

1–12 of 74

Qilin uses

Ransomware.Live Confidence 100

Qilin ransomware was first observed in July of 2022. Qilin Ransomware is written in Golang and supports multiple encryption modes; all of which are controlled by the operator.…

First seen 01/01/1970 · Last seen 16/11/5138 ·
FIN7 uses GOLD NIAGARAITG14

The MITRE Corporation Confidence 100

[FIN7](https://attack.mitre.org/groups/G0046) is a financially-motivated threat group that has been active since 2013. [FIN7](https://attack.mitre.org/groups/G0046) has targeted the retail, restaurant, hospitality, software, consulting, financial services, medical equipment, cloud services, media,…

First seen 01/01/1970 · Last seen 16/11/5138 ·

Sectors (9)

Government targets
Healthcare targets
Non-Governmental Organizations (NGOs) targets
Education targets
Defense targets
Air transport targets
Agriculture and agribusiness targets
Construction targets
Retail targets

Countries (9)

Pakistan targets
Germany targets
Mexico targets
Japan targets
France targets
Colombia targets
Australia targets
Ukraine targets
China targets

Indicators (98)

utility-include-clubs-measurement.trycloudflare.com indicates

stix 100/100

· Valid until 18/05/2027 · Source: AlienVault
55cde638e9bcc335c79c605a564419819abf5d569c128b95b005b2f48ccc43c1 indicates

stix 100/100 Revoked

· Valid until 30/11/2025 · Source: AlienVault
https://leadslaw.com/MSTeamsSetup.exe indicates

stix 100/100

· Valid until 12/07/2026 · Source: AlienVault
604f7aa77a14f07baa21e76b73ceb7970037bfbdcc2040bf2e445702e99587a0 indicates

stix 100/100

· Valid until 09/06/2027 · Source: AlienVault
gentexlog238.xyz indicates

stix 100/100 Revoked

· Valid until 31/12/2024 · Source: AlienVault
first.best-default-server.com indicates

stix 100/100

· Valid until 18/05/2027 · Source: AlienVault
2acaa9856ee58537c06cc2858fd71b860f53219504e6756faa3812019b5df5a6 indicates

stix 100/100

· Valid until 12/08/2026 · Source: AlienVault
orearch.giver-tuyk.org indicates

stix 100/100

· Valid until 18/05/2027 · Source: AlienVault
bitwarden-t.com indicates

stix 100/100 Revoked

· Valid until 09/01/2024 · Source: AlienVault
https://apple-online.shop/MSTeamsSetup.exe indicates

stix 100/100

· Valid until 12/07/2026 · Source: AlienVault
193.149.176.215 indicates

stix 100/100

· Valid until 06/07/2026 · Source: AlienVault
88c8b472108e0d79d16a1634499c1b45048a10a38ee799054414613cc9dccccc indicates

stix 100/100 Revoked

· Valid until 16/09/2025 · Source: AlienVault

← Previous

Page / 9

1–12 of 98

Vulnerabilities (CVE) (7)

CVE-2022-41040 KEV targets

8.8 High

Microsoft Exchange Server allows for server-side request forgery. Dubbed "ProxyNotShell," this vulnerability is chainable with CVE-2022-41082 which allows for remote code execution.

Attack vector: Network
Published: 30/09/2022
Modified: 20/12/2025

CVE-2026-20131 KEV targets

10.0 Critical

A vulnerability in the web-based management interface of Cisco Secure Firewall Management Center (FMC) Software could allow an unauthenticated, remote attacker to …

Attack vector: NETWORK
Complexity: Low
Published: 04/03/2026
Modified: 14/04/2026

CWE-502 Awaiting Analysis

CVE-2024-26169 KEV targets

7.8 High

Microsoft Windows Error Reporting Service contains an improper privilege management vulnerability that allows a local attacker with user permissions to gain SYSTEM …

Attack vector: Local
Published: 13/06/2024
Modified: 21/12/2025

CVE-2024-57727 KEV targets

7.5 High

SimpleHelp remote support software v5.5.7 and before is vulnerable to multiple path traversal vulnerabilities that enable unauthenticated remote attackers to download arbitrary …

Attack vector: Network
Published: 13/02/2025
Modified: 21/12/2025

Modified

CVE-2023-36036 KEV targets

7.8 High

Microsoft Windows Cloud Files Mini Filter Driver contains a privilege escalation vulnerability that could allow an attacker to gain SYSTEM privileges.

Attack vector: Local
Published: 14/11/2023
Modified: 15/06/2026

CVE-2022-41082 KEV targets

8.0 High

Microsoft Exchange Server contains an unspecified vulnerability that allows for authenticated remote code execution. Dubbed "ProxyNotShell," this vulnerability is chainable with CVE-2022-41040 …

Attack vector: Adjacent
Published: 30/09/2022
Modified: 20/12/2025

CVE-2020-12812 KEV targets

Fortinet FortiOS SSL VPN contains an improper authentication vulnerability that may allow a user to login successfully without being prompted for the …

Published: 03/11/2021
Modified: 20/12/2025

Reports (23)

Danabot: Analyzing a fallen empire

16 Malwares 1 Observable 1 APT
Shifting the sands of RansomHub's EDRKillShifter

4 Malwares 1 APT
Black Basta and Cactus Ransomware Groups Add BackConnect …

17 MITREs 5 Malwares 1 APT
Cobalt Strike and a Pair of SOCKS Lead …

4 Malwares 21 Observables
Threat Assessment: Distributors of BlackSuit Ransomware

6 Malwares 2 Observables 1 APT
New Ymir ransomware discovered used together with RustyStealer …

9 MITREs 3 Malwares 12 Observables
New Ymir ransomware discovered used together with RustyStealer

9 MITREs 3 Malwares
Black Basta Ransomware: What You Need to Know

6 CVEs 15 MITREs 7 Malwares 82 Observables 1 APT
BlackSuit Ransomware

25 MITREs 6 Malwares 16 Observables
How Managed Detection and Response Pressed Pause on …

6 MITREs 2 Malwares 1 Observable 1 APT
Threat landscape — Belgium

Confidence 100 18 CVEs 200 MITREs 200 Malwares 20 APTs 26 Tools

← Previous

Page / 2

13–23 of 23

Contact About Legal notice Privacy policy Terms of use

SystemBC

Essential information

Description

Marking (TLP)

External references

Related entities

Attack patterns (MITRE) (74)

Intrusion sets (APT) (2)

Sectors (9)

Countries (9)

Indicators (98)

Vulnerabilities (CVE) (7)

Reports (23)