systembc | 902337bbf17ac4e015e03d12e79b60b8dd5a8362496da3291a39e9124c58d9ff

Resubmissions

Analysis

max time kernel
300s
max time network
305s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
04-06-2024 15:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

lrthijawd.exe
Size

898KB
MD5

1b1ecd323162c054864b63ada693cd71
SHA1

333a67545a5d1aad4d73a3501f7152b4529b6b3e
SHA256

902337bbf17ac4e015e03d12e79b60b8dd5a8362496da3291a39e9124c58d9ff
SHA512

f1776b6a457108f10ca940ce02ce98b73404f5cf18fccee4977024cfaf74d7f48666d4da9be1bee27531525e276cb8cfadba39b0c81e0fd8cbe42f7672f45b71
SSDEEP

24576:juDXTIGaPhEYzUzA0amuDXTIGaPhEYzUzA0bnl:KDjlabwz9aDjlabwz9rl

Score

10^/10

systembc discovery trojan

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
mail.mypat.in
Port:
587
Username:
[email protected]
Password:
42@Andheri

Extracted

Credentials

Protocol: smtp
Host:
smtp.netzero.net
Port:
587
Username:
[email protected]
Password:
caRLoS

Extracted

Credentials

Protocol: smtp
Host:
smtp.netzero.com
Port:
587
Username:
[email protected]
Password:
baby44

Extracted

Credentials

Protocol: smtp
Host:
mx.websitebod.com
Port:
587
Username:
[email protected]
Password:
T1e11nwffii.

Extracted

Credentials

Protocol: smtp
Host:
mx.fkksol.com
Port:
587
Username:
[email protected]
Password:
88AM6GMGe!

Extracted

Credentials

Protocol: smtp
Host:
mx.fkksol.com
Port:
587
Username:
[email protected]
Password:
ebapuxi2020

Extracted

Credentials

Protocol: smtp
Host:
smtp.netzero.net
Port:
587
Username:
[email protected]
Password:
Emilee

Extracted

Credentials

Protocol: smtp
Host:
mx.hotil.it
Port:
587
Username:
[email protected]
Password:
030492

Extracted

Credentials

Protocol: smtp
Host:
smtp.netzero.com
Port:
587
Username:
[email protected]
Password:
Cheriluva

Extracted

Credentials

Protocol: smtp
Host:
mx.giochi0.it
Port:
587
Username:
[email protected]
Password:
Sbribba!123

Extracted

Credentials

Protocol: smtp
Host:
mx.highheelcl.com
Port:
587
Username:
[email protected]
Password:
19970714

Extracted

Credentials

Protocol: smtp
Host:
mx.fontdrift.com
Port:
587
Username:
[email protected]
Password:
vb123!

Extracted

Credentials

Protocol: smtp
Host:
smtp.mybluelight.com
Port:
587
Username:
[email protected]
Password:
MY2CaTS

Extracted

Credentials

Protocol: smtp
Host:
smtp.ncn-t.net
Port:
587
Username:
[email protected]
Password:
ssmap0061237718

Extracted

Credentials

Protocol: smtp
Host:
smtp.netzero.net
Port:
587
Username:
[email protected]
Password:
broadzilla

Extracted

Credentials

Protocol: smtp
Host:
smtp.frontier.com
Port:
587
Username:
[email protected]
Password:
frontier1

Extracted

Credentials

Protocol: smtp
Host:
smtp.netzero.net
Port:
587
Username:
[email protected]
Password:
wflee

Extracted

Credentials

Protocol: smtp
Host:
smtp.frontier.com
Port:
587
Username:
[email protected]
Password:
parmelee

Extracted

Credentials

Protocol: smtp
Host:
smtp.jcom.home.ne.jp
Port:
587
Username:
[email protected]
Password:
colosukezaemon

Extracted

Credentials

Protocol: smtp
Host:
smtp.citlink.net
Port:
587
Username:
[email protected]
Password:
Beaner

Extracted

Credentials

Protocol: smtp
Host:
smtp.dad.es
Port:
587
Username:
[email protected]
Password:
RC194421qqqaAqwe123123

Extracted

Credentials

Protocol: smtp
Host:
mail.oct.zaq.ne.jp
Port:
587
Username:
[email protected]
Password:
satomi33

Extracted

Credentials

Protocol: smtp
Host:
mx.blog4us.eu
Port:
587
Username:
[email protected]
Password:
389680198693671a

Extracted

Credentials

Protocol: smtp
Host:
smtp.nice-tv.jp
Port:
587
Username:
[email protected]
Password:
NM@leifar

Extracted

Credentials

Protocol: smtp
Host:
smtp.nifty.ne.jp
Port:
587
Username:
[email protected]
Password:
yu0611ki

Extracted

Credentials

Protocol: smtp
Host:
mx.uvvc.info
Port:
587
Username:
[email protected]
Password:
Czbywwmybc

Extracted

Credentials

Protocol: smtp
Host:
mx.nikeshoesoutletforsale.com
Port:
587
Username:
[email protected]
Password:
Feefa1236

Extracted

Credentials

Protocol: smtp
Host:
smtp.elbras.com.br
Port:
587
Username:
[email protected]
Password:
ednolia

Extracted

Credentials

Protocol: smtp
Host:
mx.gfgfgf.org
Port:
587
Username:
[email protected]
Password:
377710118218q!

Extracted

Credentials

Protocol: smtp
Host:
smtp.netzero.net
Port:
587
Username:
[email protected]
Password:
Stooges

Extracted

Credentials

Protocol: smtp
Host:
smtp.netzero.net
Port:
587
Username:
[email protected]
Password:
greystone

Extracted

Credentials

Protocol: smtp
Host:
smtp.riotiete.com.br
Port:
587
Username:
[email protected]
Password:
fbobh_j0'm

Extracted

Credentials

Protocol: smtp
Host:
smtp.netzero.com
Port:
587
Username:
[email protected]
Password:
daddy1954

Extracted

Credentials

Protocol: smtp
Host:
smtp.climalab.com.br
Port:
587
Username:
[email protected]
Password:
climalab420#

Extracted

Credentials

Protocol: smtp
Host:
smtp.netzero.net
Port:
587
Username:
[email protected]
Password:
lexiboo0714

Extracted

Credentials

Protocol: smtp
Host:
smtp.oct-net.ne.jp
Port:
587
Username:
[email protected]
Password:
731125

Extracted

Credentials

Protocol: smtp
Host:
smtp.netzero.com
Port:
587
Username:
[email protected]
Password:
keymarie

Extracted

Credentials

Protocol: smtp
Host:
smtp.nifty.com
Port:
587
Username:
[email protected]
Password:
futawakatadahiro

Extracted

Credentials

Protocol: smtp
Host:
smtp.netzero.com
Port:
587
Username:
[email protected]
Password:
8dzogm4c1

Extracted

Credentials

Protocol: smtp
Host:
smtp.netzero.com
Port:
587
Username:
[email protected]
Password:
Excellent

Extracted

Credentials

Protocol: smtp
Host:
smtp.netzero.net
Port:
587
Username:
[email protected]
Password:
bURDETTE001

Extracted

Credentials

Protocol: smtp
Host:
mx.fontdrift.com
Port:
587
Username:
[email protected]
Password:
pw

Signatures

SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc
Contacts a large (555) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

lrthijawd.exework.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	lrthijawd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	work.exe

Executes dropped EXE 4 IoCs

Processes:

work.exejergs.exetgvkmo.exetgvkmo.exe

pid process

1720 work.exe
3660 jergs.exe
864 tgvkmo.exe
3512 tgvkmo.exe
Drops file in Windows directory 2 IoCs

Processes:

jergs.exe

description ioc process

File created C:\Windows\Tasks\tgvkmo.job jergs.exe
File opened for modification C:\Windows\Tasks\tgvkmo.job jergs.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

jergs.exe

pid process

3660 jergs.exe
3660 jergs.exe

pid	process
1720	work.exe
3660	jergs.exe
864	tgvkmo.exe
3512	tgvkmo.exe

description	ioc	process
File created	C:\Windows\Tasks\tgvkmo.job	jergs.exe
File opened for modification	C:\Windows\Tasks\tgvkmo.job	jergs.exe

pid	process
3660	jergs.exe
3660	jergs.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

lrthijawd.execmd.exework.exe

description	pid	process	target process
PID 4924 wrote to memory of 3500	4924	lrthijawd.exe	cmd.exe
PID 4924 wrote to memory of 3500	4924	lrthijawd.exe	cmd.exe
PID 3500 wrote to memory of 1720	3500	cmd.exe	work.exe
PID 3500 wrote to memory of 1720	3500	cmd.exe	work.exe
PID 1720 wrote to memory of 3660	1720	work.exe	jergs.exe
PID 1720 wrote to memory of 3660	1720	work.exe	jergs.exe
PID 1720 wrote to memory of 3660	1720	work.exe	jergs.exe

C:\Users\Admin\AppData\Local\Temp\lrthijawd.exe
"C:\Users\Admin\AppData\Local\Temp\lrthijawd.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4924
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3500
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\work.exe
    work.exe -priverdD
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1720
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX1\jergs.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX1\jergs.exe"
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      PID:3660

C:\ProgramData\kwshl\tgvkmo.exe
C:\ProgramData\kwshl\tgvkmo.exe start2
1⤵
- Executes dropped EXE
PID:864

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4456 --field-trial-handle=2744,i,16362475727591565961,3676688664819797550,262144 --variations-seed-version /prefetch:8
1⤵
PID:4388

C:\ProgramData\kwshl\tgvkmo.exe
C:\ProgramData\kwshl\tgvkmo.exe start2
1⤵
- Executes dropped EXE
PID:3512

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

T1046

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.bat

Filesize
35B

MD5
ff59d999beb970447667695ce3273f75

SHA1
316fa09f467ba90ac34a054daf2e92e6e2854ff8

SHA256
065d2b17ad499587dc9de7ee9ecda4938b45da1df388bc72e6627dff220f64d2

SHA512
d5ac72cb065a3cd3cb118a69a2f356314eeed24dcb4880751e1a3683895e66cedc62607967e29f77a0c27adf1c9fe0efd86e804f693f0a63a5b51b0bf0056b5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\work.exe

Filesize
453KB

MD5
405b7fbe8c0ed98620064f0cd80f24c4

SHA1
bb9e45038e8a9f7b7cd0db62858ac65c74b74821

SHA256
9dd8267e66dc584eecb3bece47e826d3189e41077f4083acdfc9a4f623b9c187

SHA512
3dd4c407f6c2250d20c005e816e80ad442bb07f84ab02e25951331808fb4229219f9fddbcf1ac2e6d70985e3077a6401905f18a8b2c633e9d0a8b9cc6971b61d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\jergs.exe

Filesize
16KB

MD5
c661a77c31f83c413a96b5537ad31989

SHA1
8a5a47e39a9efa9dc4de447d2ae4cd5e375e3557

SHA256
cc5bb638cb34cbd386a906b7708eb62e05e3fc991a20bd060e1d84f722d29ff1

SHA512
b86e45d36d8566b51f932f660ee9c3d79cea1a2eb34a9f7da7b2ccc5e50c74f319e8005e43d719c5722ec148ddddf1351a7f9edc430888e572b3884d1610b1aa

Download Submit