systembc | 902337bbf17ac4e015e03d12e79b60b8dd5a8362496da3291a39e9124c58d9ff

Analysis

max time kernel
300s
max time network
303s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
07-06-2024 00:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

902337bbf17ac4e015e03d12e79b60b8dd5a8362496da3291a39e9124c58d9ff.exe
Size

898KB
MD5

1b1ecd323162c054864b63ada693cd71
SHA1

333a67545a5d1aad4d73a3501f7152b4529b6b3e
SHA256

902337bbf17ac4e015e03d12e79b60b8dd5a8362496da3291a39e9124c58d9ff
SHA512

f1776b6a457108f10ca940ce02ce98b73404f5cf18fccee4977024cfaf74d7f48666d4da9be1bee27531525e276cb8cfadba39b0c81e0fd8cbe42f7672f45b71
SSDEEP

24576:juDXTIGaPhEYzUzA0amuDXTIGaPhEYzUzA0bnl:KDjlabwz9aDjlabwz9rl

Score

10^/10

systembc discovery trojan

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
smtp.netzero.net
Port:
587
Username:
[email protected]
Password:
linx187

Extracted

Credentials

Protocol: smtp
Host:
smtp.netzero.com
Port:
587
Username:
[email protected]
Password:
passw0rd

Extracted

Credentials

Protocol: smtp
Host:
mx.breakthur.com
Port:
587
Username:
[email protected]
Password:
Adf8h4zikg73

Extracted

Credentials

Protocol: smtp
Host:
mx.gcdetectivefree.com
Port:
587
Username:
[email protected]
Password:
Parola!

Extracted

Credentials

Protocol: smtp
Host:
smtp.netzero.com
Port:
587
Username:
[email protected]
Password:
Gohinata1316!

Extracted

Credentials

Protocol: smtp
Host:
sysmaxng.com
Port:
587
Username:
[email protected]

Extracted

Credentials

Protocol: smtp
Host:
mx.websitebod.com
Port:
587
Username:
[email protected]
Password:
d3Xe9cxz5Hi

Extracted

Credentials

Protocol: smtp
Host:
mx.websitebod.com
Port:
587
Username:
[email protected]
Password:
A4aw19eWoW123

Extracted

Credentials

Protocol: smtp
Host:
mx.breakthur.com
Port:
587
Username:
[email protected]
Password:
1r5cjSe2hY

Extracted

Credentials

Protocol: smtp
Host:
smtp.segurepi.com.br
Port:
587
Username:
[email protected]
Password:
Segur25042012

Extracted

Credentials

Protocol: smtp
Host:
smtp.netzero.net
Port:
587
Username:
[email protected]
Password:
jimmyjeepcj7

Extracted

Credentials

Protocol: smtp
Host:
smtp.segurepi.com.br
Port:
587
Username:
[email protected]
Password:
uwzfv9

Extracted

Credentials

Protocol: smtp
Host:
smtp.netzero.com
Port:
587
Username:
[email protected]
Password:
eliaiden

Extracted

Credentials

Protocol: smtp
Host:
smtp.netzero.net
Port:
587
Username:
[email protected]
Password:
53e8h5l2a6

Extracted

Credentials

Protocol: smtp
Host:
smtp.netzero.net
Port:
587
Username:
[email protected]
Password:
kulaga

Extracted

Credentials

Protocol: smtp
Host:
smtp.netzero.net
Port:
587
Username:
[email protected]
Password:
Randy8w*69

Extracted

Credentials

Protocol: smtp
Host:
mx2.davita.iphmx.com
Port:
587
Username:
[email protected]

Extracted

Credentials

Protocol: smtp
Host:
mx.progiftstore.org
Port:
587
Username:
[email protected]
Password:
3ehd1ixi1y

Extracted

Credentials

Protocol: smtp
Host:
mx.abonc.com
Port:
587
Username:
[email protected]
Password:
fK3456abc

Extracted

Credentials

Protocol: smtp
Host:
smtp.jcom.home.ne.jp
Port:
587
Username:
[email protected]
Password:
shimashima

Extracted

Credentials

Protocol: smtp
Host:
mx2.davita.iphmx.com
Port:
587
Username:
[email protected]

Extracted

Credentials

Protocol: smtp
Host:
mail.ifin.it
Port:
587
Username:
[email protected]
Password:
1919!Drummer

Extracted

Credentials

Protocol: smtp
Host:
mx.abonc.com
Port:
587
Username:
[email protected]
Password:
xdSOpOi123!

Extracted

Credentials

Protocol: smtp
Host:
smtp.netzero.com
Port:
587
Username:
[email protected]
Password:
iz66a1v

Extracted

Credentials

Protocol: smtp
Host:
smtp.netzero.com
Port:
587
Username:
[email protected]
Password:
theresa1946

Extracted

Credentials

Protocol: smtp
Host:
smtp.frontier.com
Port:
587
Username:
[email protected]
Password:
n6cU3l7K52

Extracted

Credentials

Protocol: smtp
Host:
smtp.netzero.net
Port:
587
Username:
[email protected]
Password:
bABYBABY1

Extracted

Credentials

Protocol: smtp
Host:
mx.breakthur.com
Port:
587
Username:
[email protected]
Password:
Hgrfqg4577

Extracted

Credentials

Protocol: smtp
Host:
mail.quolia.ne.jp
Port:
587
Username:
[email protected]
Password:
5cBJ3aLL

Extracted

Credentials

Protocol: smtp
Host:
smtp.nifty.com
Port:
587
Username:
[email protected]
Password:
25802580

Extracted

Credentials

Protocol: smtp
Host:
smtp.netzero.net
Port:
587
Username:
[email protected]
Password:
4374713.

Extracted

Credentials

Protocol: smtp
Host:
smtp.netzero.net
Port:
587
Username:
[email protected]
Password:
tkO371

Extracted

Credentials

Protocol: smtp
Host:
smtp.frontiernet.net
Port:
587
Username:
[email protected]
Password:
435959!!

Extracted

Credentials

Protocol: smtp
Host:
smtp.netzero.net
Port:
587
Username:
[email protected]
Password:
22103634

Extracted

Credentials

Protocol: smtp
Host:
smtp.netzero.net
Port:
587
Username:
[email protected]
Password:
Bbhb96!

Extracted

Credentials

Protocol: smtp
Host:
smtp.frontier.com
Port:
587
Username:
[email protected]
Password:
hannah21

Extracted

Credentials

Protocol: smtp
Host:
linkport.kr
Port:
587
Username:
[email protected]
Password:
dkwkck60djr!

Extracted

Credentials

Protocol: smtp
Host:
mail.hyunex.com
Port:
587
Username:
[email protected]
Password:
Aramis36556

Extracted

Credentials

Protocol: smtp
Host:
smtp.netzero.net
Port:
587
Username:
[email protected]
Password:
SPR2031

Extracted

Credentials

Protocol: smtp
Host:
smtp.frontiernet.net
Port:
587
Username:
[email protected]
Password:
Brett12345123

Extracted

Credentials

Protocol: smtp
Host:
smtp.frontier.com
Port:
587
Username:
[email protected]
Password:
welliwillbedamed

Extracted

Credentials

Protocol: smtp
Host:
smtp.netzero.com
Port:
587
Username:
[email protected]
Password:
Isabella

Extracted

Credentials

Protocol: smtp
Host:
smtp.netzero.net
Port:
587
Username:
[email protected]

Extracted

Family

systembc

clwtumberaero.cyou:4001

185.43.220.45:4001

Signatures

SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc
Contacts a large (913) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Executes dropped EXE 4 IoCs

Processes:

work.exejergs.exekdpqccd.exekdpqccd.exe

pid process

2200 work.exe
196 jergs.exe
3832 kdpqccd.exe
656 kdpqccd.exe
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Drops file in Windows directory 2 IoCs

Processes:

jergs.exe

description ioc process

File created C:\Windows\Tasks\kdpqccd.job jergs.exe
File opened for modification C:\Windows\Tasks\kdpqccd.job jergs.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

jergs.exe

pid process

196 jergs.exe
196 jergs.exe

pid	process
2200	work.exe
196	jergs.exe
3832	kdpqccd.exe
656	kdpqccd.exe

description	ioc	process
File created	C:\Windows\Tasks\kdpqccd.job	jergs.exe
File opened for modification	C:\Windows\Tasks\kdpqccd.job	jergs.exe

pid	process
196	jergs.exe
196	jergs.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

902337bbf17ac4e015e03d12e79b60b8dd5a8362496da3291a39e9124c58d9ff.execmd.exework.exe

description	pid	process	target process
PID 4748 wrote to memory of 2772	4748	902337bbf17ac4e015e03d12e79b60b8dd5a8362496da3291a39e9124c58d9ff.exe	cmd.exe
PID 4748 wrote to memory of 2772	4748	902337bbf17ac4e015e03d12e79b60b8dd5a8362496da3291a39e9124c58d9ff.exe	cmd.exe
PID 2772 wrote to memory of 2200	2772	cmd.exe	work.exe
PID 2772 wrote to memory of 2200	2772	cmd.exe	work.exe
PID 2200 wrote to memory of 196	2200	work.exe	jergs.exe
PID 2200 wrote to memory of 196	2200	work.exe	jergs.exe
PID 2200 wrote to memory of 196	2200	work.exe	jergs.exe

C:\Users\Admin\AppData\Local\Temp\902337bbf17ac4e015e03d12e79b60b8dd5a8362496da3291a39e9124c58d9ff.exe
"C:\Users\Admin\AppData\Local\Temp\902337bbf17ac4e015e03d12e79b60b8dd5a8362496da3291a39e9124c58d9ff.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4748
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2772
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\work.exe
    work.exe -priverdD
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2200
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX1\jergs.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX1\jergs.exe"
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      PID:196

C:\ProgramData\ugkorb\kdpqccd.exe
C:\ProgramData\ugkorb\kdpqccd.exe start2
1⤵
- Executes dropped EXE
PID:3832

C:\ProgramData\ugkorb\kdpqccd.exe
C:\ProgramData\ugkorb\kdpqccd.exe start2
1⤵
- Executes dropped EXE
PID:656

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

T1046

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.bat

Filesize
35B

MD5
ff59d999beb970447667695ce3273f75

SHA1
316fa09f467ba90ac34a054daf2e92e6e2854ff8

SHA256
065d2b17ad499587dc9de7ee9ecda4938b45da1df388bc72e6627dff220f64d2

SHA512
d5ac72cb065a3cd3cb118a69a2f356314eeed24dcb4880751e1a3683895e66cedc62607967e29f77a0c27adf1c9fe0efd86e804f693f0a63a5b51b0bf0056b5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\work.exe

Filesize
453KB

MD5
405b7fbe8c0ed98620064f0cd80f24c4

SHA1
bb9e45038e8a9f7b7cd0db62858ac65c74b74821

SHA256
9dd8267e66dc584eecb3bece47e826d3189e41077f4083acdfc9a4f623b9c187

SHA512
3dd4c407f6c2250d20c005e816e80ad442bb07f84ab02e25951331808fb4229219f9fddbcf1ac2e6d70985e3077a6401905f18a8b2c633e9d0a8b9cc6971b61d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\jergs.exe

Filesize
16KB

MD5
c661a77c31f83c413a96b5537ad31989

SHA1
8a5a47e39a9efa9dc4de447d2ae4cd5e375e3557

SHA256
cc5bb638cb34cbd386a906b7708eb62e05e3fc991a20bd060e1d84f722d29ff1

SHA512
b86e45d36d8566b51f932f660ee9c3d79cea1a2eb34a9f7da7b2ccc5e50c74f319e8005e43d719c5722ec148ddddf1351a7f9edc430888e572b3884d1610b1aa

Download Submit