systembc | 6e9f1c1298419230dbc24cfe76a8d64c8094e9d1335a0cef567042b3250e565a

General

Target

6e9f1c1298419230dbc24cfe76a8d64c8094e9d1335a0cef567042b3250e565a.exe
Size

613KB
MD5

a1ad149a4d2a04338fd9a0d902410daf
SHA1

d43db08458ea4a81cd32926a402d8a5d12728a2f
SHA256

6e9f1c1298419230dbc24cfe76a8d64c8094e9d1335a0cef567042b3250e565a
SHA512

cef534d0233f47048d6b80c49c4b44570fc436b90904ea84f03c24106ecb785802c424e1241ebd70b9a85f09b77f7c0322927c57a9d65959da4a425149e04128
SSDEEP

12288:mhqxSLo5C1Ps4Xh/P58lhqxSLo5C1Ps4XhAjN81Ve:mHLmCiIhXyHLmCiIhocVe

Score

10^/10

systembc trojan

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
smtp.nifty.ne.jp
Port:
587
Username:
[email protected]
Password:
s5zb42ve

Extracted

Credentials

Protocol: smtp
Host:
smtp.mydurango.net
Port:
587
Username:
[email protected]
Password:
jaybird

Extracted

Credentials

Protocol: smtp
Host:
mx.tamercekici.info
Port:
587
Username:
[email protected]
Password:
Emftjfj

Extracted

Credentials

Protocol: smtp
Host:
mail.amigo2.ne.jp
Port:
587
Username:
[email protected]
Password:
k49n8ofs

Extracted

Credentials

Protocol: smtp
Host:
smtp.frontier.com
Port:
587
Username:
[email protected]
Password:
Harkins1153!

Extracted

Credentials

Protocol: smtp
Host:
mbn.nifty.com
Port:
587
Username:
[email protected]
Password:
MARUHI28

Extracted

Credentials

Protocol: smtp
Host:
smtp.tg.commufa.jp
Port:
587
Username:
[email protected]
Password:
19670417

Extracted

Credentials

Protocol: smtp
Host:
mx.rizet.in
Port:
587
Username:
[email protected]
Password:
267914Da0d783060091eedce48339

Extracted

Credentials

Protocol: smtp
Host:
mx.abcnetworkingu.pl
Port:
587
Username:
[email protected]

Extracted

Family

systembc

C2

cobusabobus.cam:4001

Signatures

SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc

Executes dropped EXE 4 IoCs

pid	Process
1260	work.exe
2732	lgors.exe
2552	oljhfd.exe
820	oljhfd.exe

Loads dropped DLL 5 IoCs

pid	Process
2408	cmd.exe
1260	work.exe
1260	work.exe
1260	work.exe
1260	work.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\oljhfd.job	lgors.exe
File opened for modification	C:\Windows\Tasks\oljhfd.job	lgors.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2732	lgors.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2436 wrote to memory of 2408	2436	6e9f1c1298419230dbc24cfe76a8d64c8094e9d1335a0cef567042b3250e565a.exe	28
PID 2436 wrote to memory of 2408	2436	6e9f1c1298419230dbc24cfe76a8d64c8094e9d1335a0cef567042b3250e565a.exe	28
PID 2436 wrote to memory of 2408	2436	6e9f1c1298419230dbc24cfe76a8d64c8094e9d1335a0cef567042b3250e565a.exe	28
PID 2436 wrote to memory of 2408	2436	6e9f1c1298419230dbc24cfe76a8d64c8094e9d1335a0cef567042b3250e565a.exe	28
PID 2408 wrote to memory of 1260	2408	cmd.exe	30
PID 2408 wrote to memory of 1260	2408	cmd.exe	30
PID 2408 wrote to memory of 1260	2408	cmd.exe	30
PID 2408 wrote to memory of 1260	2408	cmd.exe	30
PID 1260 wrote to memory of 2732	1260	work.exe	31
PID 1260 wrote to memory of 2732	1260	work.exe	31
PID 1260 wrote to memory of 2732	1260	work.exe	31
PID 1260 wrote to memory of 2732	1260	work.exe	31
PID 2828 wrote to memory of 2552	2828	taskeng.exe	33
PID 2828 wrote to memory of 2552	2828	taskeng.exe	33
PID 2828 wrote to memory of 2552	2828	taskeng.exe	33
PID 2828 wrote to memory of 2552	2828	taskeng.exe	33
PID 2828 wrote to memory of 820	2828	taskeng.exe	36
PID 2828 wrote to memory of 820	2828	taskeng.exe	36
PID 2828 wrote to memory of 820	2828	taskeng.exe	36
PID 2828 wrote to memory of 820	2828	taskeng.exe	36

C:\Users\Admin\AppData\Local\Temp\6e9f1c1298419230dbc24cfe76a8d64c8094e9d1335a0cef567042b3250e565a.exe
"C:\Users\Admin\AppData\Local\Temp\6e9f1c1298419230dbc24cfe76a8d64c8094e9d1335a0cef567042b3250e565a.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2436
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.bat" "
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2408
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\work.exe
    work.exe -priverdD
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1260
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX1\lgors.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX1\lgors.exe"
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      PID:2732

C:\Windows\system32\taskeng.exe
taskeng.exe {6A70E469-F5DA-4956-B46C-1C8DC1392650} S-1-5-21-481678230-3773327859-3495911762-1000:UIBNQNMA\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2828
- C:\ProgramData\gcvrn\oljhfd.exe
  C:\ProgramData\gcvrn\oljhfd.exe start2
  2⤵
  - Executes dropped EXE
  PID:2552
- C:\ProgramData\gcvrn\oljhfd.exe
  C:\ProgramData\gcvrn\oljhfd.exe start2
  2⤵
  - Executes dropped EXE
  PID:820

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.bat

Filesize
35B

MD5
ff59d999beb970447667695ce3273f75

SHA1
316fa09f467ba90ac34a054daf2e92e6e2854ff8

SHA256
065d2b17ad499587dc9de7ee9ecda4938b45da1df388bc72e6627dff220f64d2

SHA512
d5ac72cb065a3cd3cb118a69a2f356314eeed24dcb4880751e1a3683895e66cedc62607967e29f77a0c27adf1c9fe0efd86e804f693f0a63a5b51b0bf0056b5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\work.exe

Filesize
294KB

MD5
372b142bdf88cc3175d31b48a650955d

SHA1
515f9a1e5c954cd849bacd19291534c50201ac49

SHA256
e3873f55cd848b37d6897b3851a21aa6c17b3d74d94ea2adcd076cf3eb3f4121

SHA512
cff5c69e361d4975f6b10000d5d53ccd0853503f585842ac3422131cf8313195ab8720b65e291c27fc12875b584129069b8548823774320ded37403cc64d8d11

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX1\lgors.exe

Filesize
16KB

MD5
4f01c3d7439dde153ff0110a26e2a71c

SHA1
40d7203ad4e1fd40e13a56e6f747ee480740873c

SHA256
cfb1fd0adf528fcf14647cf3fcd85fb7e4fddd2167b36f9e8b2424b62453df28

SHA512
513d09b80e1ac80813bc691e71cdf5348478157350e43b9daed27741b7f5a7a16b2ae4d88ee9951395747c7f2a93ff0c1f2c3753a9e3bad2e2607767a1e3d28e

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads