systembc | cf1c390eeb26fbff647586a1a05e4fe11957af00a4098258e841e18a1d421f15

Analysis

max time kernel
300s
max time network
301s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
17-05-2024 00:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cf1c390eeb26fbff647586a1a05e4fe11957af00a4098258e841e18a1d421f15.exe
Size

662KB
MD5

d031aae0c4b488067297beb2dc26460f
SHA1

7a2fa90c458468651846532d2876eefc7fe15ea2
SHA256

cf1c390eeb26fbff647586a1a05e4fe11957af00a4098258e841e18a1d421f15
SHA512

4c7538977edf03602b9b4c29acf4e428850a46cfd9bb448dbc39277d75b4536977baa3c0f370ec2065a837af49d049be14a0fd936b06955dcfb352d6ce3ab3d0
SSDEEP

12288:GubsNSOetfARQAPyGUu7zhubsNSOetfARQAPyGUfT+tkrnC/bv8:GubsnafAPyjSzhubsnafAPyjZrnEL8

Score

10^/10

systembc discovery trojan

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
mx.adephia.net
Port:
587
Username:
[email protected]
Password:
Trey004*

Extracted

Credentials

Protocol: smtp
Host:
smtp.netzero.com
Port:
587
Username:
[email protected]
Password:
risky89

Extracted

Credentials

Protocol: smtp
Host:
smtp.nifty.ne.jp
Port:
587
Username:
[email protected]
Password:
hikaru1971

Extracted

Credentials

Protocol: smtp
Host:
mx.netcitytw.com
Port:
587
Username:
[email protected]
Password:
ur9A6F1jtqyll

Extracted

Credentials

Protocol: smtp
Host:
mx.convertor-3gp.com
Port:
587
Username:
[email protected]
Password:
klekBvj

Extracted

Credentials

Protocol: smtp
Host:
smtp.netzero.net
Port:
587
Username:
[email protected]
Password:
daisy8239

Extracted

Credentials

Protocol: smtp
Host:
smtp.netzero.com
Port:
587
Username:
[email protected]
Password:
peanut

Extracted

Credentials

Protocol: smtp
Host:
smtp.netzero.net
Port:
587
Username:
[email protected]
Password:
woody1234

Extracted

Credentials

Protocol: smtp
Host:
mx.hotil.it
Port:
587
Username:
[email protected]
Password:
Checco1z

Extracted

Credentials

Protocol: smtp
Host:
mx.progiftstore.org
Port:
587
Username:
[email protected]
Password:
Sundeepstedetb1.

Extracted

Credentials

Protocol: smtp
Host:
smtp.netzero.com
Port:
587
Username:
[email protected]
Password:
gofish1

Extracted

Credentials

Protocol: smtp
Host:
smtp.jcom.home.ne.jp
Port:
587
Username:
[email protected]
Password:
koja10221

Extracted

Credentials

Protocol: smtp
Host:
smtp.nifty.com
Port:
587
Username:
[email protected]
Password:
fumina237

Extracted

Credentials

Protocol: smtp
Host:
smtp.nifty.com
Port:
587
Username:
[email protected]
Password:
tsuka88

Extracted

Credentials

Protocol: smtp
Host:
hcmp.co.kr
Port:
587
Username:
[email protected]

Extracted

Credentials

Protocol: smtp
Host:
smtp.netzero.net
Port:
587
Username:
[email protected]
Password:
)anN1916

Extracted

Credentials

Protocol: smtp
Host:
mx.progiftstore.org
Port:
587
Username:
[email protected]
Password:
3ehd0

Extracted

Credentials

Protocol: smtp
Host:
smtp.netzero.net
Port:
587
Username:
[email protected]
Password:
loner1

Extracted

Credentials

Protocol: smtp
Host:
smtp.netzero.net
Port:
587
Username:
[email protected]
Password:
GoFiSH

Extracted

Credentials

Protocol: smtp
Host:
mx.free-lesbian-pic.in
Port:
587
Username:
[email protected]
Password:
eqbqrc

Extracted

Credentials

Protocol: smtp
Host:
smtp.netzero.net
Port:
587
Username:
[email protected]
Password:
Mun7gall85

Extracted

Credentials

Protocol: smtp
Host:
mx.ezweb.ne
Port:
587
Username:
[email protected]
Password:
samjeep123

Extracted

Credentials

Protocol: smtp
Host:
mx.abcnetworkingu.pl
Port:
587
Username:
[email protected]
Password:
Gaspzr

Extracted

Credentials

Protocol: smtp
Host:
mx.ezweb.ne
Port:
587
Username:
[email protected]
Password:
Mohamed

Extracted

Credentials

Protocol: smtp
Host:
void.blackhole.mx
Port:
587
Username:
[email protected]
Password:
stubai

Extracted

Credentials

Protocol: smtp
Host:
smtp.netzero.com
Port:
587
Username:
[email protected]
Password:
[email protected]

Extracted

Credentials

Protocol: smtp
Host:
mx.ezweb.ne
Port:
587
Username:
[email protected]
Password:
coglione1

Extracted

Credentials

Protocol: smtp
Host:
smtp.frontier.com
Port:
587
Username:
[email protected]
Password:
tits4me

Extracted

Credentials

Protocol: smtp
Host:
smtp.netzero.net
Port:
587
Username:
[email protected]
Password:
I012906

Extracted

Credentials

Protocol: smtp
Host:
smtp.mybluelight.com
Port:
587
Username:
[email protected]
Password:
SARajevo

Extracted

Credentials

Protocol: smtp
Host:
smtp.netzero.net
Port:
587
Username:
[email protected]
Password:
Mamie12

Extracted

Credentials

Protocol: smtp
Host:
mx.gcdetectivefree.com
Port:
587
Username:
[email protected]
Password:
9rac8lf445

Extracted

Credentials

Protocol: smtp
Host:
smtp.netzero.net
Port:
587
Username:
[email protected]
Password:
graphite

Extracted

Credentials

Protocol: smtp
Host:
mx.giochi0.it
Port:
587
Username:
[email protected]
Password:
Librolot2!@#?

Extracted

Credentials

Protocol: smtp
Host:
smtp.netzero.net
Port:
587
Username:
[email protected]
Password:
bsbcrs6869

Extracted

Credentials

Protocol: smtp
Host:
mx.mannbdinfo.org
Port:
587
Username:
[email protected]
Password:
mail.mannbdinfo

Extracted

Credentials

Protocol: smtp
Host:
smtp.netzero.net
Port:
587
Username:
[email protected]
Password:
superman1

Extracted

Credentials

Protocol: smtp
Host:
smtp.netzero.net
Port:
587
Username:
[email protected]
Password:
589180jc

Extracted

Credentials

Protocol: smtp
Host:
smtp.netzero.com
Port:
587
Username:
[email protected]
Password:
tammi1978

Extracted

Credentials

Protocol: smtp
Host:
smtp.netzero.net
Port:
587
Username:
[email protected]
Password:
80619e9

Extracted

Credentials

Protocol: smtp
Host:
smtp.netzero.net
Port:
587
Username:
[email protected]
Password:
princess1

Extracted

Credentials

Protocol: smtp
Host:
smtp.netzero.net
Port:
587
Username:
[email protected]
Password:
TRAN72

Extracted

Credentials

Protocol: smtp
Host:
smtp.mybluelight.com
Port:
587
Username:
[email protected]
Password:
PLATINUM

Extracted

Credentials

Protocol: smtp
Host:
smtp.btvm.ne.jp
Port:
587
Username:
[email protected]
Password:
1010rou

Extracted

Credentials

Protocol: smtp
Host:
mx.websitebod.com
Port:
587
Username:
[email protected]
Password:
88Hwf!

Extracted

Credentials

Protocol: smtp
Host:
hcmp.co.kr
Port:
587
Username:
[email protected]

Extracted

Credentials

Protocol: smtp
Host:
mx.fkksol.com
Port:
587
Username:
[email protected]
Password:
5alt6l22w!2019

Extracted

Credentials

Protocol: smtp
Host:
mx2.davita.iphmx.com
Port:
587
Username:
[email protected]

Extracted

Credentials

Protocol: smtp
Host:
mx.websitebod.com
Port:
587
Username:
[email protected]
Password:
3eHd1ixi1Y

Extracted

Credentials

Protocol: smtp
Host:
mx.breakthur.com
Port:
587
Username:
[email protected]
Password:
Jp1!

Extracted

Credentials

Protocol: smtp
Host:
hcmp.co.kr
Port:
587
Username:
[email protected]

Extracted

Credentials

Protocol: smtp
Host:
mx.nikeshoesoutletforsale.com
Port:
587
Username:
[email protected]
Password:
skiBg349gU

Extracted

Credentials

Protocol: smtp
Host:
mx.fkksol.com
Port:
587
Username:
[email protected]
Password:
Amore1Q

Extracted

Credentials

Protocol: smtp
Host:
smtp.netzero.net
Port:
587
Username:
[email protected]
Password:
Shopper10

Extracted

Credentials

Protocol: smtp
Host:
smtp.netzero.net
Port:
587
Username:
[email protected]
Password:
631321

Extracted

Credentials

Protocol: smtp
Host:
smtp.netzero.net
Port:
587
Username:
[email protected]
Password:
joshua6

Extracted

Credentials

Protocol: smtp
Host:
smtp.netzero.net
Port:
587
Username:
[email protected]
Password:
Bladeblade

Extracted

Credentials

Protocol: smtp
Host:
smtp.netzero.com
Port:
587
Username:
[email protected]
Password:
nkgqyjx5

Extracted

Credentials

Protocol: smtp
Host:
smtp.intermedic.org
Port:
587
Username:
[email protected]
Password:
m6b78e3qc2

Extracted

Credentials

Protocol: smtp
Host:
smtp.netzero.net
Port:
587
Username:
[email protected]
Password:
coleton

Extracted

Credentials

Protocol: smtp
Host:
smtp.nifty.com
Port:
587
Username:
[email protected]
Password:
kana56

Extracted

Credentials

Protocol: smtp
Host:
mx.fkksol.com
Port:
587
Username:
[email protected]
Password:
dumejdaerpfaqqql

Extracted

Credentials

Protocol: smtp
Host:
smtp.netzero.net
Port:
587
Username:
[email protected]
Password:
brooklyn1

Extracted

Credentials

Protocol: smtp
Host:
smtp.netzero.com
Port:
587
Username:
[email protected]

Extracted

Credentials

Protocol: smtp
Host:
mx.starikmail.in
Port:
587
Username:
[email protected]

Extracted

Family

systembc

cobusabobus.cam:4001

Signatures

SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc
Contacts a large (782) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Executes dropped EXE 4 IoCs

pid	Process
3060	work.exe
2648	pgdrad.exe
2428	lixtouq.exe
1400	lixtouq.exe

Loads dropped DLL 5 IoCs

pid	Process
1728	cmd.exe
3060	work.exe
3060	work.exe
3060	work.exe
3060	work.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\lixtouq.job	pgdrad.exe
File opened for modification	C:\Windows\Tasks\lixtouq.job	pgdrad.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2648	pgdrad.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2176 wrote to memory of 1728	2176	cf1c390eeb26fbff647586a1a05e4fe11957af00a4098258e841e18a1d421f15.exe	28
PID 2176 wrote to memory of 1728	2176	cf1c390eeb26fbff647586a1a05e4fe11957af00a4098258e841e18a1d421f15.exe	28
PID 2176 wrote to memory of 1728	2176	cf1c390eeb26fbff647586a1a05e4fe11957af00a4098258e841e18a1d421f15.exe	28
PID 2176 wrote to memory of 1728	2176	cf1c390eeb26fbff647586a1a05e4fe11957af00a4098258e841e18a1d421f15.exe	28
PID 1728 wrote to memory of 3060	1728	cmd.exe	30
PID 1728 wrote to memory of 3060	1728	cmd.exe	30
PID 1728 wrote to memory of 3060	1728	cmd.exe	30
PID 1728 wrote to memory of 3060	1728	cmd.exe	30
PID 3060 wrote to memory of 2648	3060	work.exe	31
PID 3060 wrote to memory of 2648	3060	work.exe	31
PID 3060 wrote to memory of 2648	3060	work.exe	31
PID 3060 wrote to memory of 2648	3060	work.exe	31
PID 2676 wrote to memory of 2428	2676	taskeng.exe	33
PID 2676 wrote to memory of 2428	2676	taskeng.exe	33
PID 2676 wrote to memory of 2428	2676	taskeng.exe	33
PID 2676 wrote to memory of 2428	2676	taskeng.exe	33
PID 2676 wrote to memory of 1400	2676	taskeng.exe	36
PID 2676 wrote to memory of 1400	2676	taskeng.exe	36
PID 2676 wrote to memory of 1400	2676	taskeng.exe	36
PID 2676 wrote to memory of 1400	2676	taskeng.exe	36

C:\Users\Admin\AppData\Local\Temp\cf1c390eeb26fbff647586a1a05e4fe11957af00a4098258e841e18a1d421f15.exe
"C:\Users\Admin\AppData\Local\Temp\cf1c390eeb26fbff647586a1a05e4fe11957af00a4098258e841e18a1d421f15.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2176
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.bat" "
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1728
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\work.exe
    work.exe -priverdD
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:3060
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX1\pgdrad.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX1\pgdrad.exe"
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      PID:2648

C:\Windows\system32\taskeng.exe
taskeng.exe {FFF03683-1873-416F-8425-0D89BAE8E798} S-1-5-21-2721934792-624042501-2768869379-1000:BISMIZHX\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2676
- C:\ProgramData\bpwesb\lixtouq.exe
  C:\ProgramData\bpwesb\lixtouq.exe start2
  2⤵
  - Executes dropped EXE
  PID:2428
- C:\ProgramData\bpwesb\lixtouq.exe
  C:\ProgramData\bpwesb\lixtouq.exe start2
  2⤵
  - Executes dropped EXE
  PID:1400

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

T1046

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.bat

Filesize
35B

MD5
ff59d999beb970447667695ce3273f75

SHA1
316fa09f467ba90ac34a054daf2e92e6e2854ff8

SHA256
065d2b17ad499587dc9de7ee9ecda4938b45da1df388bc72e6627dff220f64d2

SHA512
d5ac72cb065a3cd3cb118a69a2f356314eeed24dcb4880751e1a3683895e66cedc62607967e29f77a0c27adf1c9fe0efd86e804f693f0a63a5b51b0bf0056b5d

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\work.exe

Filesize
335KB

MD5
2f87330674e2681d5e8dfb1bc792fca7

SHA1
d84b9e206c7c403f13054a2e7f959d184426da72

SHA256
b6fd1fdecdf771cf1bb62bb80fa412bb06602143ac81af349ba3b18a46fd05b9

SHA512
156403f26617380bc0f3a710411d626e14a386922495832d5cb3eeb17fa558da4217bcf5e6a253d6b12ea86bf83648d1a8c7824fcf1e4a6036a6ed21e7f35bf1

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX1\pgdrad.exe

Filesize
16KB

MD5
4f01c3d7439dde153ff0110a26e2a71c

SHA1
40d7203ad4e1fd40e13a56e6f747ee480740873c

SHA256
cfb1fd0adf528fcf14647cf3fcd85fb7e4fddd2167b36f9e8b2424b62453df28

SHA512
513d09b80e1ac80813bc691e71cdf5348478157350e43b9daed27741b7f5a7a16b2ae4d88ee9951395747c7f2a93ff0c1f2c3753a9e3bad2e2607767a1e3d28e

Download Submit