systembc | 902337bbf17ac4e015e03d12e79b60b8dd5a8362496da3291a39e9124c58d9ff

Analysis

max time kernel
300s
max time network
301s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
07-06-2024 00:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

902337bbf17ac4e015e03d12e79b60b8dd5a8362496da3291a39e9124c58d9ff.exe
Size

898KB
MD5

1b1ecd323162c054864b63ada693cd71
SHA1

333a67545a5d1aad4d73a3501f7152b4529b6b3e
SHA256

902337bbf17ac4e015e03d12e79b60b8dd5a8362496da3291a39e9124c58d9ff
SHA512

f1776b6a457108f10ca940ce02ce98b73404f5cf18fccee4977024cfaf74d7f48666d4da9be1bee27531525e276cb8cfadba39b0c81e0fd8cbe42f7672f45b71
SSDEEP

24576:juDXTIGaPhEYzUzA0amuDXTIGaPhEYzUzA0bnl:KDjlabwz9aDjlabwz9rl

Score

10^/10

systembc discovery trojan

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
ourplaygame.com
Port:
587
Username:
[email protected]
Password:
www123

Extracted

Credentials

Protocol: smtp
Host:
mx.freeemailservice.info
Port:
587
Username:
[email protected]
Password:
NNy4AYT788!

Extracted

Credentials

Protocol: smtp
Host:
smtp.netzero.com
Port:
587
Username:
[email protected]
Password:
methos

Extracted

Credentials

Protocol: smtp
Host:
mx.breakthur.com
Port:
587
Username:
[email protected]
Password:
hvpk3fs75n

Extracted

Credentials

Protocol: smtp
Host:
mail.jlchacha.com
Port:
587
Username:
[email protected]
Password:
Skate10thomas

Extracted

Credentials

Protocol: smtp
Host:
smtp.mybluelight.com
Port:
587
Username:
[email protected]
Password:
EzekiaL14.

Extracted

Credentials

Protocol: smtp
Host:
mail.kozlowski.org
Port:
587
Username:
[email protected]
Password:
101QW29

Extracted

Credentials

Protocol: smtp
Host:
smtp.netzero.com
Port:
587
Username:
[email protected]
Password:
Fiestee

Extracted

Credentials

Protocol: smtp
Host:
smtp.netzero.net
Port:
587
Username:
[email protected]
Password:
egw1298

Extracted

Credentials

Protocol: smtp
Host:
smtp.netzero.net
Port:
587
Username:
[email protected]
Password:
dONYA5280

Extracted

Credentials

Protocol: smtp
Host:
mx.gcdetectivefree.com
Port:
587
Username:
[email protected]
Password:
28wmbh

Extracted

Credentials

Protocol: smtp
Host:
smtp.eyelink.jp
Port:
587
Username:
[email protected]
Password:
80943193

Extracted

Credentials

Protocol: smtp
Host:
hi.enjoy.ne.jp
Port:
587
Username:
[email protected]
Password:
737356675

Extracted

Credentials

Protocol: smtp
Host:
mx.gcdetectivefree.com
Port:
587
Username:
[email protected]
Password:
9RaC8LF445

Extracted

Credentials

Protocol: smtp
Host:
mx.mannbdinfo.org
Port:
587
Username:
[email protected]
Password:
P60nc3kl

Extracted

Credentials

Protocol: smtp
Host:
smtp.halitoktayerat.com
Port:
587
Username:
[email protected]
Password:
759324

Extracted

Credentials

Protocol: smtp
Host:
mx.mannbdinfo.org
Port:
587
Username:
[email protected]
Password:
eiojit2

Extracted

Credentials

Protocol: smtp
Host:
mail.choshinet.or.jp
Port:
587
Username:
[email protected]
Password:
E3I4Lhso

Extracted

Credentials

Protocol: smtp
Host:
smtp.dad.es
Port:
587
Username:
[email protected]
Password:
RC194421qq9

Extracted

Credentials

Protocol: smtp
Host:
mx.breakthur.com
Port:
587
Username:
[email protected]
Password:
lg7atd11br

Extracted

Credentials

Protocol: smtp
Host:
ourplaygame.com
Port:
587
Username:
[email protected]
Password:
www123

Extracted

Credentials

Protocol: smtp
Host:
mx.mannbdinfo.org
Port:
587
Username:
[email protected]
Password:
QlALBFS282

Extracted

Credentials

Protocol: smtp
Host:
smtp.mybluelight.com
Port:
587
Username:
[email protected]
Password:
engage

Extracted

Credentials

Protocol: smtp
Host:
mx.mannbdinfo.org
Port:
587
Username:
[email protected]
Password:
wkPUwAZ123

Extracted

Credentials

Protocol: smtp
Host:
parkland.co.id
Port:
587
Username:
[email protected]
Password:
parkland

Extracted

Credentials

Protocol: smtp
Host:
smtp.netzero.com
Port:
587
Username:
[email protected]
Password:
Kylie7hys123

Extracted

Credentials

Protocol: smtp
Host:
mx.nikeshoesoutletforsale.com
Port:
587
Username:
[email protected]
Password:
8s2il6ocbw

Extracted

Credentials

Protocol: smtp
Host:
bham.ac.uk
Port:
587
Username:
[email protected]

Extracted

Credentials

Protocol: smtp
Host:
smtp.netzero.net
Port:
587
Username:
[email protected]
Password:
sNiCKeRS

Extracted

Credentials

Protocol: smtp
Host:
mx1.hc3464-92.iphmx.com
Port:
587
Username:
[email protected]

Extracted

Credentials

Protocol: smtp
Host:
smtp.netzero.net
Port:
587
Username:
[email protected]
Password:
22103634

Extracted

Credentials

Protocol: smtp
Host:
mx.mannbdinfo.org
Port:
587
Username:
[email protected]
Password:
is1jZ8R1

Extracted

Credentials

Protocol: smtp
Host:
smtp.fsinet.or.jp
Port:
587
Username:
[email protected]
Password:
544334

Extracted

Credentials

Protocol: smtp
Host:
smtp.netzero.net
Port:
587
Username:
[email protected]
Password:
bigblue

Extracted

Credentials

Protocol: smtp
Host:
mx.ertemaik.com
Port:
587
Username:
[email protected]
Password:
O1zOtQPN

Extracted

Credentials

Protocol: smtp
Host:
smtp-box-01.iol.pt
Port:
587
Username:
[email protected]
Password:
carolina65

Extracted

Credentials

Protocol: smtp
Host:
smtp.netzero.net
Port:
587
Username:
[email protected]
Password:
drdragon

Extracted

Credentials

Protocol: smtp
Host:
m4.cty-net.ne.jp
Port:
587
Username:
[email protected]
Password:
08040121

Extracted

Credentials

Protocol: smtp
Host:
smtp.frontiernet.net
Port:
587
Username:
[email protected]
Password:
jimmy1234

Extracted

Credentials

Protocol: smtp
Host:
smtp.jcom.home.ne.jp
Port:
587
Username:
[email protected]
Password:
ido3nWXM

Extracted

Credentials

Protocol: smtp
Host:
smtp.mybluelight.com
Port:
587
Username:
[email protected]
Password:
YoclifF

Extracted

Credentials

Protocol: smtp
Host:
smtp.netzero.net
Port:
587
Username:
[email protected]
Password:
!!uwBz9BhtP8FdZ

Extracted

Credentials

Protocol: smtp
Host:
smtp.hotamil.com
Port:
587
Username:
[email protected]
Password:
Jladjcc1!

Extracted

Credentials

Protocol: smtp
Host:
smtp.frontiernet.net
Port:
587
Username:
[email protected]
Password:
nysp2482

Extracted

Credentials

Protocol: smtp
Host:
mx.nikeshoesoutletforsale.com
Port:
587
Username:
[email protected]
Password:
Aagay917yx

Extracted

Credentials

Protocol: smtp
Host:
mx.weboz.pl
Port:
587
Username:
[email protected]
Password:
fPaQmWlDcRp

Extracted

Credentials

Protocol: smtp
Host:
mx.ybb.ne
Port:
587
Username:
[email protected]
Password:
samogon

Extracted

Credentials

Protocol: smtp
Host:
smtp.frontiernet.net
Port:
587
Username:
[email protected]
Password:
morgan11

Extracted

Credentials

Protocol: smtp
Host:
smtp.netzero.com
Port:
587
Username:
[email protected]
Password:
REDMAN123

Extracted

Credentials

Protocol: smtp
Host:
mx.breakthur.com
Port:
587
Username:
[email protected]
Password:
110110jp

Extracted

Credentials

Protocol: smtp
Host:
mx.cwctv.net
Port:
587
Username:
[email protected]
Password:
joke

Extracted

Credentials

Protocol: smtp
Host:
smtp.nifty.ne.jp
Port:
587
Username:
[email protected]
Password:
Y4Q7usbD

Extracted

Credentials

Protocol: smtp
Host:
mx.cwctv.net
Port:
587
Username:
[email protected]
Password:
vtl1jko!

Extracted

Family

systembc

clwtumberaero.cyou:4001

185.43.220.45:4001

Signatures

SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc
Contacts a large (910) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Executes dropped EXE 4 IoCs

Processes:

work.exejergs.exeexicsmg.exeexicsmg.exe

pid process

2636 work.exe
2576 jergs.exe
2624 exicsmg.exe
2232 exicsmg.exe
Loads dropped DLL 1 IoCs

Processes:

cmd.exe

pid process

2388 cmd.exe
Drops file in Windows directory 2 IoCs

Processes:

jergs.exe

description ioc process

File created C:\Windows\Tasks\exicsmg.job jergs.exe
File opened for modification C:\Windows\Tasks\exicsmg.job jergs.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

jergs.exe

pid process

2576 jergs.exe

pid	process
2636	work.exe
2576	jergs.exe
2624	exicsmg.exe
2232	exicsmg.exe

pid	process
2388	cmd.exe

description	ioc	process
File created	C:\Windows\Tasks\exicsmg.job	jergs.exe
File opened for modification	C:\Windows\Tasks\exicsmg.job	jergs.exe

pid	process
2576	jergs.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

902337bbf17ac4e015e03d12e79b60b8dd5a8362496da3291a39e9124c58d9ff.execmd.exework.exetaskeng.exe

description	pid	process	target process
PID 1228 wrote to memory of 2388	1228	902337bbf17ac4e015e03d12e79b60b8dd5a8362496da3291a39e9124c58d9ff.exe	cmd.exe
PID 1228 wrote to memory of 2388	1228	902337bbf17ac4e015e03d12e79b60b8dd5a8362496da3291a39e9124c58d9ff.exe	cmd.exe
PID 1228 wrote to memory of 2388	1228	902337bbf17ac4e015e03d12e79b60b8dd5a8362496da3291a39e9124c58d9ff.exe	cmd.exe
PID 2388 wrote to memory of 2636	2388	cmd.exe	work.exe
PID 2388 wrote to memory of 2636	2388	cmd.exe	work.exe
PID 2388 wrote to memory of 2636	2388	cmd.exe	work.exe
PID 2636 wrote to memory of 2576	2636	work.exe	jergs.exe
PID 2636 wrote to memory of 2576	2636	work.exe	jergs.exe
PID 2636 wrote to memory of 2576	2636	work.exe	jergs.exe
PID 2636 wrote to memory of 2576	2636	work.exe	jergs.exe
PID 2672 wrote to memory of 2624	2672	taskeng.exe	exicsmg.exe
PID 2672 wrote to memory of 2624	2672	taskeng.exe	exicsmg.exe
PID 2672 wrote to memory of 2624	2672	taskeng.exe	exicsmg.exe
PID 2672 wrote to memory of 2624	2672	taskeng.exe	exicsmg.exe
PID 2672 wrote to memory of 2232	2672	taskeng.exe	exicsmg.exe
PID 2672 wrote to memory of 2232	2672	taskeng.exe	exicsmg.exe
PID 2672 wrote to memory of 2232	2672	taskeng.exe	exicsmg.exe
PID 2672 wrote to memory of 2232	2672	taskeng.exe	exicsmg.exe

C:\Users\Admin\AppData\Local\Temp\902337bbf17ac4e015e03d12e79b60b8dd5a8362496da3291a39e9124c58d9ff.exe
"C:\Users\Admin\AppData\Local\Temp\902337bbf17ac4e015e03d12e79b60b8dd5a8362496da3291a39e9124c58d9ff.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1228
- C:\Windows\system32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.bat" "
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2388
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\work.exe
    work.exe -priverdD
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2636
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX1\jergs.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX1\jergs.exe"
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      PID:2576

C:\Windows\system32\taskeng.exe
taskeng.exe {89F3E185-B376-48BC-A89E-4316874BB0BC} S-1-5-21-3452737119-3959686427-228443150-1000:QGTQZTRE\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2672
- C:\ProgramData\fijl\exicsmg.exe
  C:\ProgramData\fijl\exicsmg.exe start2
  2⤵
  - Executes dropped EXE
  PID:2624
- C:\ProgramData\fijl\exicsmg.exe
  C:\ProgramData\fijl\exicsmg.exe start2
  2⤵
  - Executes dropped EXE
  PID:2232

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

T1046

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.bat

Filesize
35B

MD5
ff59d999beb970447667695ce3273f75

SHA1
316fa09f467ba90ac34a054daf2e92e6e2854ff8

SHA256
065d2b17ad499587dc9de7ee9ecda4938b45da1df388bc72e6627dff220f64d2

SHA512
d5ac72cb065a3cd3cb118a69a2f356314eeed24dcb4880751e1a3683895e66cedc62607967e29f77a0c27adf1c9fe0efd86e804f693f0a63a5b51b0bf0056b5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\jergs.exe

Filesize
16KB

MD5
c661a77c31f83c413a96b5537ad31989

SHA1
8a5a47e39a9efa9dc4de447d2ae4cd5e375e3557

SHA256
cc5bb638cb34cbd386a906b7708eb62e05e3fc991a20bd060e1d84f722d29ff1

SHA512
b86e45d36d8566b51f932f660ee9c3d79cea1a2eb34a9f7da7b2ccc5e50c74f319e8005e43d719c5722ec148ddddf1351a7f9edc430888e572b3884d1610b1aa

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\work.exe

Filesize
453KB

MD5
405b7fbe8c0ed98620064f0cd80f24c4

SHA1
bb9e45038e8a9f7b7cd0db62858ac65c74b74821

SHA256
9dd8267e66dc584eecb3bece47e826d3189e41077f4083acdfc9a4f623b9c187

SHA512
3dd4c407f6c2250d20c005e816e80ad442bb07f84ab02e25951331808fb4229219f9fddbcf1ac2e6d70985e3077a6401905f18a8b2c633e9d0a8b9cc6971b61d

Download Submit