Rewterz Threat Alert – SystemBC/BuerLoader Malware Fetches Cobalt Strike Post Infection

Severity

High

Analysis Summary

SystemBC malware is found being distributed via malicious email spam campaigns. Attached in the emails are Excel spreadsheets with a malicious macro, using an updated GlobalSign template. This Excel spreadsheet pushed what appears to be SystemBC RAT malware. Cobalt Strike was also detected as a follow-up activity from this infection.

The malspam delivers excel spreadsheets that require the victim to enable content, as shown below. 

Enabling macros on a vulnerable Windows host caused HTTPS traffic to grab a Windows executable (EXE) file for SystemBC malware. The first post-infection traffic caused by SystemBC was TCP traffic to 109.234.39[.]169 over port 4001. Moreover, Cobalt Strike doesn’t appear unless the infected host is running in an AD environment.

Impact

• Code Execution
• System Compromise
• Unauthorized Access

Indicators of Compromise

Domain Name

• alnujaifi-portal[.]com
• clinica-cristal[.]com
• eyeqoptical[.]ca
• fastonent[.]com
• gbhtrade[.]com[.]br
• newstimeurdu[.]com
• remacon[.]net
• skconstruction[.]info

MD5

• 0c9e9f498c35f2cdc72543f485342951
• 6c0861b1b1834784378cdc5af44bd70d
• d9fd5cc581d92b0ac154e3160ac609aa
• 0c8b813b210468b76a6f674729d44cab
• cf489853a42fb7520f19242a8921775d
• 8863f3a14654f2ae82dc951a2767ae10
• 48415bbcf8fcffd506d09e71af909f78
• 9f5e7b7e401d5f82df434982a6ef593a
• 37a9bfb34c15724ce1a603471c382470
• 965e615c422fe7889b456f163b786de1
• 67376bd98f7f9a87d0d4afedfd2e8937
• c8b5ace77d5ef587aab38631d72f1bcb
• f80ce56069959bc77a65015cc92c534b
• 9de54512cf2bd8c02047e9923fb3b4b7
• 7ad66a2408455c7098ff9d87ed8853db
• 108b92af9d205027b5316e2748a3fc56
• 9d0f44841d49c404013a9731d0d5ab35
• 20a791b8ef5a3b01343dc98e36253eac
• 8e7ee081f8d1fa49f8f91d8f7bd8cbb4
• 0e1a850b56ad3da5358046fdb70d8297
• bd51118c0d50f8dd537b917843c37a1a
• 2ccfd48495e6cd058c5483c928e5e77c
• 32dcc5d18fbbd0dd01b45a26e2c4018c
• 4c218538f2d4790b8fc5ceb98f10fbb4
• 00e2b25df052858740b5b8b6c2217907
• fb5297fd808dbb204a8702e7958fd40f
• e393be86659b8873c0e01ed0c6ad781a
• 398313b6728c1d9b172bcd545e15bd1f
• 3ba6e7055d2aa702c92699209a949715
• f6e06478ce567801ecdd62a2dab93c92
• 7d99d0b98691c8fd32bc86b4adee1469
• 34dcfddf392e49a497c8e3cfb360440b
• 2be675a0e0c6e8490523cdf24fc28fcc
• f79e4f2d702c173aaf881a3d9f01a8d6
• 4506d15d2b790734ca655cfc5b79f778
• df774f853546816bdee1261622fc3d1e
• 45173818539d6f7f4c23b7aecfcd5a68
• 0e97906e7bff9077965f5a22ea3d28e2
• 8f99aa658f7f3e625724ff5067d985b6
• 7b6eb0883b4d494973cc8f58261ce55c
• 18d57e8949027460433be244a99807e0
• 8b0297e2e85894dd640c305f97911bc7
• 7ab6462d7eaa53fc8846c659a50531c2
• 9b66ac04810ed66d409b478262e178b4
• b6292a4b069f51a36c558bf6d667681a
• 551df76ca0a0c9127a513f8d36492c68
• eb74ab5679c3efb2683f8a73c60dcef9
• 1423a0ec3a510699a291f9de95ec1709
• da8cef9e1c9f30f3eb5fc140f0dc5781
• c9a840d8b360010a8812ca17cbe76bd4
• 53a121c64a66da560644745a47593af8
• cbb9239d2cc3f92b9bf13425046bd6fd
• 656e2c80516797060d76ba5288878d93
• 67a3cc5f4ce0f10da0cdf4159ff952fb
• 0159977d4573e31c6b2090449e4f2848
• be7c6ea68f6287df79e931269ecb5129
• 3a9b495ac6f370e8637b6fa248386780
• db3ad7c3b4315b40311d20a2ce87590b
• ea6398e9b8505011947919379daaed8f
• 7e3a7a587dbce08534f63401a680fe1c
• 7d157a031135e725635b21f8a948537a
• eeb2737196ca4b869959b266523fe4f8
• 223da81dbb0a268176f6e360636e61fa
• 3f1e9fc127e9c1436ff1e07fbfafb7f7
• 7a2cd7861bd348d9574e900222efd544
• 0f06c07fb57523c0df4a823f484a8040
• 11306811d547d46a7296ab1089dc8573
• bb453c66ea4e6e022a214642b7e2e2ac
• 8ddcab26c3fe9e1232a7102dade4d69b
• 9d6227398ff6d97ada139c9fb1001ef6
• 449ed530b6eda880c7e5006cf2d178b4
• 3f511b132d6bb49facecc21870b42f1c

SHA-256

• 044494acb6d781e6cc3b9a837b7ebca1e933080fe384a874f5eb9cca1ea76a55
• 056911f208c9b475020627b83c8bf3a0151e30ec7f71113cf75abb950a431efc
• 071809d68b777cae171284c2cc289b455a778b1f054cd0f244cf0fb6053dae2d
• 0cf4fff7f96cf695d3476e7dc66794d067acafbd2980f69526b874fc5b4c08be
• 0e094197fca1947eb189006ddeb7d6ad9e5d1f58229e929bc0359887ed8a667d
• 0fb4d8ac3cdef038bf53c8f4269eef5845704a9e962b7609fd93a9f08cc2fab1
• 134a5bfe06f87ace41e0e2fb6f503dca0d521cb188a0c06c1c4bc734ad01e894
• 13ef189260cd344e61a0ad5907c5e695372b00fe1f5d5b2b3e389ad2b99b85e4
• 17ed4dc4369a90d2e24f1ab0fa1eeb6fca61f77b183499c47e5cfb9ce12130fb
• 17fb4271ab9113a155c091c7d7bd590610da87e986ccf5962aa7fc4b82060574
• 19065d8aa76ba67d100d5cb429a8b147c61060cc49905529d982042a55caceef
• 1b63ff13d507f9d88d03e96c3ef86c7531da58348f336bc00bf2d2a2e378fd90
• 1d8fd79934dc9e71562e50c042f9fa78a93fa2991d98c33e0b6ab20c0b522d5a
• 1e295b33d36dee63930728349be8d4c7b8e5b52f98e6a8d9ca50929c8a3c9fb1
• 2156a9f3d87d3df1cee3f815f609c2a3dc2757717ff60954683c34794e52b104
• 21db2f562b9182a3fcdb0fce8c745b477be02b4a423a627cddf6a1c244b6c415
• 244625f6627cadadb7faf8a6b526e91aee4f5c1cadfa1c0d4fb996f4cc60a5ae
• 2e726c5a27e04633d407e13bd242ae71865eef13ac78bf9068e1200823e5ea81
• 2f66e8d84e87811feaf73e30b08be0ad6381271ddfb5071556bd26cd3db2c3f4
• 31901336fdfae4fdeac46b937a059c618d5ba3e04d06bb8e95108a307e2c6d94
• 31a04fe64502bfe6f73971f9de9736402dd9a21a66d41d3a4ecea5ee18852f1c
• 32452e930a813f41a24dc579a08e8dde1801603797d527ce1385ad414b00e676
• 32a904d301e8a30b7bd70804b905dd7b858b761979f3344bc2ec3bff0cb6d703
• 387bdfedc306e087d8ceceb1f1f8f7a6b3c32110ca3d7273eb01e474349d1974
• 3a181036cdc46e088f1cb98acd06062d32a8a11a8ef65fe7544bb22a2fd5c56e
• 3dcd7897ad927f4b2b860010963e02903bc68a2c0c86abb1a27b8cbaab2fa9b6
• 418460bf69c01e47cbe261d7f7312475cda4305860fbbe3d3e6639b9adb78de5
• 441f076519f0bdc04d110b4fa73dbafa3b667825ceab6d4099e36714bd1d7213
• 49cb79f8547c9c94a7ab6642ba1c40fcd036625f71845f2c6203d76c5f7f46fb
• 4af6e8805273ca9b3dea793bd712ed785ea5c5ed9e387cb8ab5059a4f364a303
• 4dfb0bb69a07f1cd7b46198b5edf8afebd0cdd02f27eb2c687447f692625fb9f
• 584c2aab3fe9e1ec9f9dffecbd32e6af8b6b3fa3141c7ddf845763cbf14a82eb
• 59bbcecd3b1670afc5430e3b31377f24da24f4e755b7c563a842ce4e325aa61a
• 5cecb7e104e73aa9916a7154a3004d1a71c59c8f473d693f3b285b2fd473e454
• 61499704920ee633ffb2baab36eb8eb70d5e0426bca584f9a4a872e4b930c417
• 62f1ef07f7bab2ad9abf7aeb53e3a5632527a1839c3364fbaebadd78d6c18f4e
• 669de92b909247d676daa6bab3b3ae5be4fbec2e77f66915267f032c1d7eb71a
• 6bf9612a2b8288d55b47648f9ad9ee80cca5058ced5fb77254e57f9ff2d701d3
• 6c0ef43c1f8b4425d034a46812903b8a6345ae24e556e61e37c0f14eba8c8d2e
• 6df34ffeffb9cc5def3c424cd8bb0f90ab921be24efd1f8fe52ea6c13e700334
• 795a5d5c57dac1703c6b4bab9507d1c662180716b4afa89c261aa3bb6d164e2f
• 7d1602138a26c0524b32570f3fb292fd5a7efbc5ed53ae260d7b7f3652a78969
• 8072f20dd769519a621255307b03e85dca2fe227f48486b0aacc41903ab3bfdf
• 8eb429c24872a501fafc783e8a0fcc53e0ebb5cc8ec4f2310fc10102b1d23a27
• 8ef917da85afcc5f7bfe9cc2afd29f44a7f0cda5ba0249b50ef448d547007461
• 908cb8f6f39b9c310d8df54bddf667d23b0851bbf90b21ca89ea69d211f2c402
• 9519a0631804d18f95d4c3239df5e5ea56b8e5a890b73c889a58d6469958eb71
• 952ec18a6dc949ebd335f5eabed756d0f562aa3853fe9384dc0eded0de5f843b
• a274a08d84958666b6c94e1a6fc3b676aca387544a4218c8473e1a9a72124532
• a3ce1043a7791b73fe14d7c29377467fd64df3b3b464c48a22a6d3bd2f7786aa
• a54b331832d61ae4e5a2ec32c46830df4aac4b26fe877956d2715bfb46b6cb97
• a7b362864724ccb5cba416ff45b4e137f22f8fed4492b5521e369026107031b2
• ab9b97d0d17b2434d2cfc66106ae07b903271ba603be1314b742338c23cce20c
• b2aa3ee1cc617f90e92664969a0856d98a97c727edd7c81ef83c038a34a432d5
• b4107daacbbfac1b9bc9b3fa4e34a8d87037fa2c958db9d6d7df52380f15a1d1
• c3a38df6f4864d32c10e8ecf063e18cba56c3b1add3404634ea20ea109198620
• c4d745576b47b6dd79a9d92cda7dbe60c2cda7d8960a07e33692e6e71f8e5eb3
• c8fd542a9b500ada7afbff26b6c11dd2ab22aaefd30ef7a999410ee20d2fb043
• cca4a3c8af9b549b445b7e2bcb2d45b95982890b6ed3b62fc882f0478f512b2f
• ce02ed48d9ab12dfe2202c16f1f272f75e5b1c0b64e48e385ca71608cb686fc8
• d0c96aacb07629b9d97641a0022b50827f73d86a34fa4929b126f398cf4cf486
• d3145f4f7b1c62f9a1937aa9e968da8b52ff4fde83c0dba3152567b2b65d809a
• d4e372014a40821f10780fcc12c6b5a1cdf4740738a0769e78f06dd10b6ec53f
• d85eb8e5c39d7681155e39602ce30e0c3793b4513f1038e48334296db945e02d
• dc5a3675455d9486e7aa8aaf2463b69ad03c508375eb99b6fb3039d914677a9f
• dcff925d51e90586eb624f249e56b6abb7026b364fab84dcfcf44025e84ff7d9
• e06ee4e0bbe581edc39aecaab76e3fa12a53cb971ec0c106644703b376f5ed24
• e26ab2d6cff95ba776ec6e7beb8c70f2e4d79467b71153ddb36177cb2b2a1273
• e64d605e857900a07c16e22e288c37355e4ebd6021898268ab5dded5c8c4efca
• f5e2351ff528c574dc23c7ef48ddac42546c86d77c28333b25112a9efbfb9d93
• f682f0756ec96d262ae4c48083d720657685d9b56278bd07b2656f3b33be985e
• ff483bbb98d02d1e071d6f0e8f3a3c1706c246db71221455b29f4e54b0c4ef2f

SHA1

• 726460ba95ae17a95d91e72e1155cd9565d46cc8
• ed1017797d15d60c03945ca9122063795e674172
• 5843f6cdf193b988115eefbfa03d788a8ea34323
• 18115eddf9dc0065f6243c25281350538f167527
• 734e56466b525e822436b61f13a76eda051ea15a
• 4536d2d1c244d799ca81ea02da07ad1e1d711485
• fdcffa80e7440f383fb103702502d715fa27182b
• 809476cb387f07540bff419e57f1ac5f895d23fd
• ee6af505f2e6fd59899a1ab06d16e8688c41ef75
• 08292ae166decf4d42f3a8e2e16ddd75786528e8
• b1b5af8d444dad807b3e942ba82b7f4d4264f5c6
• 0913135ece9d4d431e331a8526cb1aba14f486b0
• 74dda5582b794ae3972cb2e7b5a43e4ecf7d6492
• f5f6fcf2869c9cd120e3ccbb32874351a822c91d
• 215fe6425d07e78729cf6e12adca15ac916ceb9e
• 4fd29f1d94739c3c6f29cf93b25eeee3b788fde2
• 70f5dc2ebee5608f557585b35831aef5044b2d62
• 94d015fc81817c4bc97918b49c11f3af1584c830
• 959fd0d61895ad8b5d548d9cf60a8dce8d352dda
• d298b7ea6a15c1372051baf4471e53726b6f1550
• fc664b21407f159843dbdf6e212f010d97504705
• 8c493d40231965bc377d9ca22abe2732fa25c1f8
• e970dde499a0b36bb7220a931a5641350e10bf98
• a22ba26749bbe367c9061e68c7c3c460c4e97040
• b4b739c681a6320fd86a9de6dbc4d01035770deb
• 333782df24f7f96190f34591fdd7f5fe2306b9fc
• 94f153a904029b00fa6756ebaad79a89db8e0689
• 8b6b9220ba12e2d716408afd4ef405dde5763bec
• bf95b1ccddd475d00809bd4dc22cfdc40adad98f
• d78dcf15fc7161d5ffbb9cb328bb4a25e546f693
• 6f905852c40a5886d23a6fc7ba9367d26975a55a
• 6405af9ce820434cb22ffdca487960472be2cb02
• 8a1a301bca69c79357c6efdad9d109d2cea0c7e5
• 8f99b0086b75d3126c88cd3e28475e3759adcf5a
• 9e2392716e84b90c2c822b8a73b741af6ba02331
• c63f88c60011ade69cace2e30010e49bc96f872b
• 37920271a0b6b2dfc9aceecb69d22b74396808ed
• 9a85e707a959024d48207093305e15bec2e421d7
• 87f93b1de05b9f97b603befbbef2ff88f829d03b
• f0c78ce6c751574ca8421c31c16f563c6e03275d
• e10e18a7a3f4cb51a852aa38698cd17da547d8e6
• 5eb437ee95b407b9eb19034798d175e05536a24a
• 3608902b2e8280ab3e888414dc8beb80aa10a62c
• 6feb2b38f863835f69dea0179225697e109ef8c5
• 7de8be1b378ce6ad32e20ea6d8bf554df17673ca
• 2cd8fdacb16ea7e0daf5bb3cdb10a35fd9902a6e
• fe56982045c2b08447ea68bc34ac025133bc7b79
• 52effa2a02b558986a661749e8fa777b584a5d5b
• 2ab00715ff44ceefc1ea38b140f72d3c9b709bbc
• 738c7f0e5111ca7922cd5f27cb8da43e91846fa4
• f72e371639a01928882fecdcc0bda83424a6ec5d
• d0a424e5180ffb4e7b769c73dc1f64b95cab73e4
• 00fee3dbdee320c85b800b8a5160adffaea0ae7d
• 90a8c09230727175489b83d00e1f814be14d2841
• d9417f0a06ded10fab0c3b83f8c6890d089f50ac
• 9b93c3239f57ca9fbd459746d815f2477a6b75f2
• 325b4d29d8da1ce9eb383cff97ed23b1a59ae016
• 74405c90d92da970fbe7102388cb53f7767491f0
• bf508cf8b932aa343bbf91b20dfc4ea2a35cfceb
• a12e7ba6bfc7a1e5cd250c677777d91317281ae7
• d0359707c12ab43415a1103d7b1fdb28c7a011d7
• a737a9e1da0a03bb0a6f34162f785e516e20d8fd
• 73b1a17ccc0009066a2bc59faabb56e213128082
• 95d2581898f8eb5ea4acc47645097427b4a9a2d8
• 71e56592319df1c1472f8a1f7bf9210ef7f1a628
• e3352465eceafa08399781f4b65f7e2eac8a28b7
• 3e63a06c63576495527626ea280b2d4c624aac9b
• fb0305cf90b97136645110fb343df677ddf90769
• f6eb05a6920238c885c4177c19e0750f4285e035
• 09d276dcff1d2d5d3a4c14c0e818df85044e2bd5
• 78ee1b12bec9626e7011e4b83fd1a5029ea01b0a
• b7b4774b005d5e00de89dff461d0ab3e64fafa7d

Source IP

• 109[.]234[.]39[.]159
• 109[.]234[.]39[.]169
• 192[.]169[.]6[.]8

URL

• https[:]//alnujaifi-portal[.]com/ds/3101[.]gif
• https[:]//clinica-cristal[.]com/ds/3101[.]gif
• https[:]//eyeqoptical[.]ca/ds/3101[.]gif
• https[:]//gbhtrade[.]com[.]br/ds/3101[.]gif
• https[:]//newstimeurdu[.]com/ds/3101[.]gif
• https[:]//remacon[.]net/ds/3101[.]gif
• https[:]//skconstruction[.]info/ds/3101[.]gif

Remediation

• Block the threat indicators at their respective controls.
• Do not download files attached in untrusted emails.
• Do not download files from untrusted sources on the internet.
• Do not enable macros for untrusted files, even if they do not look suspicious.