SystemBC - S9001 (39643fb9-00c1-4a45-85e5-801a3f2665d1)

SystemBC is a malware family offered as malware-as-a-service (MaaS) that is used to establish command and control and to facilitate follow-on activity, including ransomware deployment. SystemBC performs a variety of tasks, including setting up SOCKS5 proxies, maintaining persistence, ingesting malicious files, and handling C2 communication. SystemBC was first detected in 2018 and has been used by Wizard Spider since at least 2020 and by FIN7 since at least 2022.(Citation: TrumanKroll_SYSTEMBCServer_Jan2024)(Citation: SophosGnGal_SystemBC_Dec2020)(Citation: BlackBasta)(Citation: AhnLab_SystemBC_Apr2022)(Citation: Lumen_SystemBC_Sept2025)
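The capability that ties the description and the technique rows together is the SOCKS5 proxy (Multi-hop Proxy, often on a Non-Standard Port). As an added example that is not from this page or from any vendor report on SystemBC, the following Python classifies client-to-server TCP payloads as RFC 1928 SOCKS5 negotiation and flags the flow when the destination port is not 1080. The byte samples are constructed for illustration, not captured SystemBC traffic, and treating every port other than the IANA-registered 1080 as "non-standard" is an assumption you would tune to your environment.

```python
"""Classify captured client->server TCP payloads as SOCKS5 (RFC 1928) negotiation.

Added example. Samples are constructed, not captured traffic; the port
threshold (STANDARD_SOCKS_PORT) is an assumption, not a SystemBC indicator.
"""
import ipaddress
import struct
from dataclasses import dataclass, field
from typing import List, Optional

SOCKS_VERSION = 0x05
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04
CMD_NAMES = {0x01: "CONNECT", 0x02: "BIND", 0x03: "UDP_ASSOCIATE"}
METHOD_NAMES = {0x00: "NO_AUTH", 0x02: "USERNAME_PASSWORD"}
STANDARD_SOCKS_PORT = 1080  # IANA-registered SOCKS port; anything else is "non-standard" here (assumption)


@dataclass
class Socks5Request:
    command: str
    dst_host: str
    dst_port: int


@dataclass
class FlowVerdict:
    socks5: bool
    non_standard_port: bool
    auth_methods: List[str] = field(default_factory=list)
    request: Optional[Socks5Request] = None


def parse_greeting(payload: bytes) -> Optional[List[str]]:
    """Client greeting: VER | NMETHODS | METHODS[NMETHODS]. Returns method names or None."""
    if len(payload) < 3 or payload[0] != SOCKS_VERSION:
        return None
    nmethods = payload[1]
    if nmethods == 0 or len(payload) != 2 + nmethods:
        return None
    return [METHOD_NAMES.get(m, f"0x{m:02x}") for m in payload[2:]]


def parse_request(payload: bytes) -> Optional[Socks5Request]:
    """Client request: VER | CMD | RSV=0 | ATYP | DST.ADDR | DST.PORT (big-endian)."""
    if len(payload) < 4 or payload[0] != SOCKS_VERSION or payload[2] != 0x00:
        return None
    command = CMD_NAMES.get(payload[1])
    if command is None:
        return None
    atyp = payload[3]
    if atyp == ATYP_IPV4 and len(payload) == 10:
        host, port_off = ".".join(str(b) for b in payload[4:8]), 8
    elif atyp == ATYP_DOMAIN and len(payload) >= 5 and len(payload) == 7 + payload[4]:
        n = payload[4]
        host, port_off = payload[5:5 + n].decode("ascii", errors="replace"), 5 + n
    elif atyp == ATYP_IPV6 and len(payload) == 22:
        host, port_off = ipaddress.IPv6Address(bytes(payload[4:20])).compressed, 20
    else:
        return None  # malformed or truncated: do not guess
    (port,) = struct.unpack("!H", payload[port_off:port_off + 2])
    return Socks5Request(command, host, port)


def classify_flow(dst_port: int, client_payloads: List[bytes]) -> FlowVerdict:
    """Flag a flow as SOCKS5 when a valid greeting is followed by a valid request.

    With USERNAME/PASSWORD auth an RFC 1929 sub-negotiation message sits between
    the two; it does not parse as a request, so the loop simply skips past it.
    """
    verdict = FlowVerdict(socks5=False, non_standard_port=dst_port != STANDARD_SOCKS_PORT)
    if not client_payloads:
        return verdict
    methods = parse_greeting(client_payloads[0])
    if methods is None:
        return verdict
    verdict.auth_methods = methods
    for payload in client_payloads[1:]:
        req = parse_request(payload)
        if req is not None:
            verdict.socks5, verdict.request = True, req
            break
    return verdict


# Constructed samples (not captured traffic).
GREETING_NOAUTH = bytes([0x05, 0x01, 0x00])
GREETING_USERPASS = bytes([0x05, 0x02, 0x00, 0x02])
USERPASS_SUBNEG = b"\x01\x05admin\x06secret"  # RFC 1929 message, not a request
CONNECT_SMB = bytes([0x05, 0x01, 0x00, 0x01, 10, 0, 0, 5]) + struct.pack("!H", 445)
CONNECT_DOMAIN = bytes([0x05, 0x01, 0x00, 0x03, len(b"example.com")]) + b"example.com" + struct.pack("!H", 443)
HTTP_REQUEST = b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"

if __name__ == "__main__":
    for port, stream in [(4001, [GREETING_NOAUTH, CONNECT_SMB]),
                         (4001, [GREETING_USERPASS, USERPASS_SUBNEG, CONNECT_DOMAIN]),
                         (8080, [HTTP_REQUEST])]:
        print(port, classify_flow(port, stream))
```

Run it over reassembled client-side TCP segments (for example from a Zeek or tshark export) rather than raw packets, since a greeting and request may arrive in one segment or be split across several; the loop tolerates extra messages but assumes each payload element is one complete SOCKS message.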

| Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
|---|---|---|---|---|
| Delay Execution - T1678 (a1df809c-7d0e-459f-8fe5-25474bab770b) | Attack Pattern | SystemBC - S9001 (39643fb9-00c1-4a45-85e5-801a3f2665d1) | Malware | 1 |
| SystemBC - S9001 (39643fb9-00c1-4a45-85e5-801a3f2665d1) | Malware | System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1) | Attack Pattern | 1 |
| SystemBC - S9001 (39643fb9-00c1-4a45-85e5-801a3f2665d1) | Malware | Non-Standard Port - T1571 (b18eae87-b469-4e14-b454-b171b416bc18) | Attack Pattern | 1 |
| Local Account - T1087.001 (25659dd6-ea12-45c4-97e6-381e3e4b593e) | Attack Pattern | SystemBC - S9001 (39643fb9-00c1-4a45-85e5-801a3f2665d1) | Malware | 1 |
| SystemBC - S9001 (39643fb9-00c1-4a45-85e5-801a3f2665d1) | Malware | Non-Application Layer Protocol - T1095 (c21d5a77-d422-4a69-acd7-2c53c1faa34b) | Attack Pattern | 1 |
| SystemBC - S9001 (39643fb9-00c1-4a45-85e5-801a3f2665d1) | Malware | Execution Guardrails - T1480 (853c4192-4311-43e1-bfbb-b11b14911852) | Attack Pattern | 1 |
| Hidden Window - T1564.003 (cbb66055-0325-4111-aca0-40547b6ad5b0) | Attack Pattern | SystemBC - S9001 (39643fb9-00c1-4a45-85e5-801a3f2665d1) | Malware | 1 |
| SystemBC - S9001 (39643fb9-00c1-4a45-85e5-801a3f2665d1) | Malware | Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c) | Attack Pattern | 1 |
| Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580) | Attack Pattern | SystemBC - S9001 (39643fb9-00c1-4a45-85e5-801a3f2665d1) | Malware | 1 |
| SystemBC - S9001 (39643fb9-00c1-4a45-85e5-801a3f2665d1) | Malware | Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62) | Attack Pattern | 1 |
| SystemBC - S9001 (39643fb9-00c1-4a45-85e5-801a3f2665d1) | Malware | DNS - T1071.004 (1996eef1-ced3-4d7f-bf94-33298cabbf72) | Attack Pattern | 1 |
| PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736) | Attack Pattern | SystemBC - S9001 (39643fb9-00c1-4a45-85e5-801a3f2665d1) | Malware | 1 |
| Native API - T1106 (391d824f-0ef1-47a0-b0ee-c59a75e27670) | Attack Pattern | SystemBC - S9001 (39643fb9-00c1-4a45-85e5-801a3f2665d1) | Malware | 1 |
| Scheduled Task - T1053.005 (005a06c6-14bf-4118-afa0-ebcd8aebb0c9) | Attack Pattern | SystemBC - S9001 (39643fb9-00c1-4a45-85e5-801a3f2665d1) | Malware | 1 |
| Data Obfuscation - T1001 (ad255bfe-a9e6-4b52-a258-8d3462abe842) | Attack Pattern | SystemBC - S9001 (39643fb9-00c1-4a45-85e5-801a3f2665d1) | Malware | 1 |
| Multi-hop Proxy - T1090.003 (a782ebe2-daba-42c7-bc82-e8e9d923162d) | Attack Pattern | SystemBC - S9001 (39643fb9-00c1-4a45-85e5-801a3f2665d1) | Malware | 1 |
| Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add) | Attack Pattern | SystemBC - S9001 (39643fb9-00c1-4a45-85e5-801a3f2665d1) | Malware | 1 |
| Visual Basic - T1059.005 (dfd7cc1d-e1d8-4394-a198-97c4cab8aa67) | Attack Pattern | SystemBC - S9001 (39643fb9-00c1-4a45-85e5-801a3f2665d1) | Malware | 1 |
| System Time Discovery - T1124 (f3c544dc-673c-4ef3-accb-53229f1ae077) | Attack Pattern | SystemBC - S9001 (39643fb9-00c1-4a45-85e5-801a3f2665d1) | Malware | 1 |
| SystemBC - S9001 (39643fb9-00c1-4a45-85e5-801a3f2665d1) | Malware | Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41) | Attack Pattern | 1 |
| Reflective Code Loading - T1620 (4933e63b-9b77-476e-ab29-761bc5b7d15a) | Attack Pattern | SystemBC - S9001 (39643fb9-00c1-4a45-85e5-801a3f2665d1) | Malware | 1 |
| Local Account - T1087.001 (25659dd6-ea12-45c4-97e6-381e3e4b593e) | Attack Pattern | Account Discovery - T1087 (72b74d71-8169-42aa-92e0-e7b04b9f5a08) | Attack Pattern | 2 |
| Hidden Window - T1564.003 (cbb66055-0325-4111-aca0-40547b6ad5b0) | Attack Pattern | Hide Artifacts - T1564 (22905430-4901-4c2a-84f6-98243cb173f8) | Attack Pattern | 2 |
| Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) | Attack Pattern | Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62) | Attack Pattern | 2 |
| Application Layer Protocol - T1071 (355be19c-ffc9-46d5-8d50-d6a036c675b6) | Attack Pattern | DNS - T1071.004 (1996eef1-ced3-4d7f-bf94-33298cabbf72) | Attack Pattern | 2 |
| PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736) | Attack Pattern | Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) | Attack Pattern | 2 |
| Scheduled Task/Job - T1053 (35dd844a-b219-4e2b-a6bb-efa9a75995a9) | Attack Pattern | Scheduled Task - T1053.005 (005a06c6-14bf-4118-afa0-ebcd8aebb0c9) | Attack Pattern | 2 |
| Proxy - T1090 (731f4f55-b6d0-41d1-a7a9-072a66389aea) | Attack Pattern | Multi-hop Proxy - T1090.003 (a782ebe2-daba-42c7-bc82-e8e9d923162d) | Attack Pattern | 2 |
| Visual Basic - T1059.005 (dfd7cc1d-e1d8-4394-a198-97c4cab8aa67) | Attack Pattern | Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) | Attack Pattern | 2 |
| Encrypted Channel - T1573 (b8902400-e6c5-4ba2-95aa-2d35b442b118) | Attack Pattern | Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41) | Attack Pattern | 2 |