systembc | 75cd90a2f1d3620498799556ea9b9217aa5048c27db0a31f6f365cf01d713bd0 | Triage

Sharing

General

Target

RePack_Installer.exe
Size

33.7MB
Sample

230717-tht47sea2y
MD5

391148ba6a49c21f1561f0b358c4adc5
SHA1

9eaf6f202172a3bdaa5ef751b9e3ed359eb4557a
SHA256

75cd90a2f1d3620498799556ea9b9217aa5048c27db0a31f6f365cf01d713bd0
SHA512

628b51c10748c0635ff3409e14546257ebee44fc45cfc48f1cb51e73d99fa8bbe7cc9e4250a5cecf6059bfbf859aacdbe12670e83103042a6eb346e21f4c4423
SSDEEP

393216:k5zFjww2tS26qtUkzgwhTlGQx2YR+1WPe6vcYEa75Y7sizuQUZ8q5q5XiMusXNRp:krOiY9TlJckPeK3P7+vDqY9VJnp

Score

10^/10

systembc vidar https://t.me/hwbhjegyuvbgyugge spyware stealer trojan

Malware Config

Extracted

Family

vidar

Version

4.7

Botnet

https://t.me/hwbhjegyuvbgyugge

C2

https://t.me/hwbhjegyuvbgyugge

https://t.me/jhfvykuwgfwekuifwbe

https://t.me/eagl3z

https://steamcommunity.com/profiles/76561199159550234

Attributes

profile_id_v2
https://t.me/hwbhjegyuvbgyugge
user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36 Edg/114.0.1788.0 uacq

Extracted

Family

systembc

C2

91.103.252.89:4317

91.103.252.57:4317

Targets

- Target
  
  RePack_Installer.exe
- Size
  
  33.7MB
- MD5
  
  391148ba6a49c21f1561f0b358c4adc5
- SHA1
  
  9eaf6f202172a3bdaa5ef751b9e3ed359eb4557a
- SHA256
  
  75cd90a2f1d3620498799556ea9b9217aa5048c27db0a31f6f365cf01d713bd0
- SHA512
  
  628b51c10748c0635ff3409e14546257ebee44fc45cfc48f1cb51e73d99fa8bbe7cc9e4250a5cecf6059bfbf859aacdbe12670e83103042a6eb346e21f4c4423
- SSDEEP
  
  393216:k5zFjww2tS26qtUkzgwhTlGQx2YR+1WPe6vcYEa75Y7sizuQUZ8q5q5XiMusXNRp:krOiY9TlJckPeK3P7+vDqY9VJnp
Score

10^/10

systembc vidar https://t.me/hwbhjegyuvbgyugge spyware stealer trojan
- SystemBC
  SystemBC is a proxy and remote administration tool first seen in 2019.
  trojan systembc
- Vidar
  Vidar is an infostealer based on Arkei stealer.
  stealer vidar
- Downloads MZ/PE file
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Accesses 2FA software files, possible credential harvesting
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

systembcvidarhttps://t.me/hwbhjegyuvbgyuggespywarestealertrojan