General
-
Target
SecuriteInfo.com.Win32.SpywareX-gen.27164.12067.exe
-
Size
1.7MB
-
Sample
250207-m8zztaylgy
-
MD5
e2df3d65784e6202d297bec31d1dfaa1
-
SHA1
a74be156066f49f56bd5835e35210591b7010634
-
SHA256
c539384c0034cc40b226df8cf1354eb264c0e48e722fdd44205ce6783122dba8
-
SHA512
3e311421b7bd8db2ed11fa3bd6406d96a6506b96c54dcf8ab0ea5b95d208dbb124e3372a7be39e42f25f2c2cf59a35888d489c2a107377b831c470bde8f35dfc
-
SSDEEP
49152:BGZgyO3gUhNuZ+gw5N2W4FCcDK5juYWwb4EOpRpOm:Qw3gCNTph4rwq+
Score
10/10
Malware Config
Extracted
Family
systembc
C2
wodresomdaymomentum.org
Extracted
Credentials
Protocol: smtp- Host:
webmail.rbtworks.co.kr - Port:
587 - Username:
[email protected]
Extracted
Credentials
Protocol: smtp- Host:
mx.hotil.it - Port:
587 - Username:
[email protected] - Password:
020874123!
Extracted
Credentials
Protocol: smtp- Host:
smtp.frontier.com - Port:
587 - Username:
[email protected] - Password:
just4me
Extracted
Credentials
Protocol: smtp- Host:
smtp.frontier.com - Port:
587 - Username:
[email protected] - Password:
Micro564!!
Extracted
Credentials
Protocol: smtp- Host:
smtp.1mais1.com.br - Port:
587 - Username:
[email protected] - Password:
design10
Extracted
Credentials
Protocol: smtp- Host:
autismplus.com.au - Port:
587 - Username:
[email protected]
Extracted
Credentials
Protocol: smtp- Host:
mx.verizon.ne - Port:
587 - Username:
[email protected] - Password:
vu97l4
Extracted
Credentials
Protocol: smtp- Host:
mx.mix-good.com - Port:
587 - Username:
[email protected] - Password:
4lo8q5xCcL
Extracted
Credentials
Protocol: smtp- Host:
smtp.frontier.com - Port:
587 - Username:
[email protected] - Password:
Kodiak1
Extracted
Credentials
Protocol: smtp- Host:
smtp.netzero.com - Port:
587 - Username:
[email protected] - Password:
544151
Extracted
Credentials
Protocol: smtp- Host:
smtp.totalise.co.uk - Port:
587 - Username:
[email protected] - Password:
CR1Mson
Extracted
Credentials
Protocol: smtp- Host:
systopic.com - Port:
587 - Username:
[email protected] - Password:
iclabo
Extracted
Credentials
Protocol: smtp- Host:
smtp.epix.net - Port:
587 - Username:
[email protected] - Password:
2e88f22f656a8480@
Extracted
Credentials
Protocol: smtp- Host:
mx.soulfire.pl - Port:
587 - Username:
[email protected] - Password:
I4kps2hb7g
Extracted
Credentials
Protocol: smtp- Host:
mx.free-lesbian-pic.in - Port:
587 - Username:
[email protected] - Password:
xFx10ro
Extracted
Credentials
Protocol: smtp- Host:
mx.breakthur.com - Port:
587 - Username:
[email protected] - Password:
110110jp
Extracted
Credentials
Protocol: smtp- Host:
mx.websitebod.com - Port:
587 - Username:
[email protected] - Password:
tisfiwy!
Extracted
Credentials
Protocol: smtp- Host:
abewa.co.kr - Port:
587 - Username:
[email protected] - Password:
abewa200766
Extracted
Credentials
Protocol: smtp- Host:
smtp.frontier.com - Port:
587 - Username:
[email protected] - Password:
qwVLw9noW
Extracted
Credentials
Protocol: smtp- Host:
po1.oninet.ne.jp - Port:
587 - Username:
[email protected] - Password:
748596
Extracted
Credentials
Protocol: smtp- Host:
smtp.frontier.com - Port:
587 - Username:
[email protected] - Password:
fighting0
Extracted
Credentials
Protocol: smtp- Host:
smtp.frontiernet.net - Port:
587 - Username:
[email protected] - Password:
swlee67
Extracted
Credentials
Protocol: smtp- Host:
smtp.netzero.com - Port:
587 - Username:
[email protected] - Password:
clifford
Extracted
Credentials
Protocol: smtp- Host:
smtp.netzero.com - Port:
587 - Username:
[email protected] - Password:
Prince111
Extracted
Credentials
Protocol: smtp- Host:
mbox.kyoto-inet.or.jp - Port:
587 - Username:
[email protected] - Password:
grGIJLN6
Extracted
Credentials
Protocol: smtp- Host:
autismplus.com.au - Port:
587 - Username:
[email protected]
Extracted
Credentials
Protocol: smtp- Host:
smtp.frontier.com - Port:
587 - Username:
[email protected] - Password:
Bunny123
Extracted
Credentials
Protocol: smtp- Host:
portalnet.com.br - Port:
587 - Username:
[email protected] - Password:
jardel
Extracted
Credentials
Protocol: smtp- Host:
smtp.tg.commufa.jp - Port:
587 - Username:
[email protected] - Password:
dokinchan
Extracted
Credentials
Protocol: smtp- Host:
mx.rizet.in - Port:
587 - Username:
[email protected] - Password:
BenOwV341
Extracted
Credentials
Protocol: smtp- Host:
mx.mannbdinfo.org - Port:
587 - Username:
[email protected] - Password:
A5GG1N3c
Extracted
Credentials
Protocol: smtp- Host:
decadegroup.ca - Port:
587 - Username:
[email protected] - Password:
selling1
Extracted
Credentials
Protocol: smtp- Host:
msgsafe.io - Port:
587 - Username:
[email protected]
Extracted
Credentials
Protocol: smtp- Host:
smtp.frontier.com - Port:
587 - Username:
[email protected] - Password:
2015graywolf1
Extracted
Credentials
Protocol: smtp- Host:
smtp.frontiernet.net - Port:
587 - Username:
[email protected] - Password:
Nimrod69!
Extracted
Credentials
Protocol: smtp- Host:
eposta.ttrbilisim.com - Port:
587 - Username:
[email protected] - Password:
hkulcak
Extracted
Credentials
Protocol: smtp- Host:
autismplus.com.au - Port:
587 - Username:
[email protected]
Extracted
Credentials
Protocol: smtp- Host:
smtp.frontier.com - Port:
587 - Username:
[email protected] - Password:
April0405
Extracted
Credentials
Protocol: smtp- Host:
smtp.frontier.com - Port:
587 - Username:
[email protected] - Password:
omtg6Zst2oLunrQ
Extracted
Credentials
Protocol: smtp- Host:
mx.mannbdinfo.org - Port:
587 - Username:
[email protected] - Password:
O2xPxWpY1123!
Extracted
Credentials
Protocol: smtp- Host:
smtp.frontier.com - Port:
587 - Username:
[email protected] - Password:
ninjazx14
Extracted
Credentials
Protocol: smtp- Host:
mx.kkredyt.pl - Port:
587 - Username:
[email protected] - Password:
Pdcltie
Extracted
Credentials
Protocol: smtp- Host:
smtp.frontiernet.net - Port:
587 - Username:
[email protected] - Password:
Yj5j5rw4*
Extracted
Credentials
Protocol: smtp- Host:
smtp.netzero.com - Port:
587 - Username:
[email protected] - Password:
artie911
Extracted
Credentials
Protocol: smtp- Host:
mail.arex.jp - Port:
587 - Username:
[email protected] - Password:
4d0200
Extracted
Credentials
Protocol: smtp- Host:
smtp.frontier.com - Port:
587 - Username:
[email protected] - Password:
Calamity
Extracted
Credentials
Protocol: smtp- Host:
smtp.netzero.com - Port:
587 - Username:
[email protected] - Password:
Buster2007
Extracted
Credentials
Protocol: smtp- Host:
smtp.netzero.com - Port:
587 - Username:
[email protected] - Password:
izaya123
Extracted
Credentials
Protocol: smtp- Host:
smtp.nifty.com - Port:
587 - Username:
[email protected] - Password:
misato1222
Extracted
Credentials
Protocol: smtp- Host:
smtp.epix.net - Port:
587 - Username:
[email protected] - Password:
Madisongb4
Extracted
Credentials
Protocol: smtp- Host:
mail.amigo2.ne.jp - Port:
587 - Username:
[email protected] - Password:
kajikaji
Extracted
Credentials
Protocol: smtp- Host:
smtp.ic24.net - Port:
587 - Username:
[email protected] - Password:
kieran12345
Extracted
Credentials
Protocol: smtp- Host:
smtp.jcom.home.ne.jp - Port:
587 - Username:
[email protected] - Password:
001658
Extracted
Credentials
Protocol: smtp- Host:
smtp.netzero.com - Port:
587 - Username:
[email protected] - Password:
Gemstones
Extracted
Credentials
Protocol: smtp- Host:
smtp.frontier.com - Port:
587 - Username:
[email protected] - Password:
tammyweb1
Extracted
Credentials
Protocol: smtp- Host:
smtp.frontier.com - Port:
587 - Username:
[email protected] - Password:
96garish98$
Extracted
Credentials
Protocol: smtp- Host:
smtp.frontier.com - Port:
587 - Username:
[email protected] - Password:
broncos1!
Extracted
Credentials
Protocol: smtp- Host:
smtp.frontier.com - Port:
587 - Username:
[email protected] - Password:
Sultan10
Extracted
Credentials
Protocol: smtp- Host:
smtp.netzero.com - Port:
587 - Username:
[email protected] - Password:
gra8675lee
Extracted
Credentials
Protocol: smtp- Host:
smtp.netzero.com - Port:
587 - Username:
[email protected] - Password:
dreamer1981
Extracted
Credentials
Protocol: smtp- Host:
smtp.frontiernet.net - Port:
587 - Username:
[email protected] - Password:
shaunasboo$
Extracted
Credentials
Protocol: smtp- Host:
smtp.frontier.com - Port:
587 - Username:
[email protected] - Password:
iDznwwY0WAi
Extracted
Credentials
Protocol: smtp- Host:
smtp.frontiernet.net - Port:
587 - Username:
[email protected] - Password:
West7621
Extracted
Credentials
Protocol: smtp- Host:
smtp.frontiernet.net - Port:
587 - Username:
[email protected] - Password:
Jburton12
Extracted
Credentials
Protocol: smtp- Host:
mail.mothradio.com - Port:
587 - Username:
[email protected] - Password:
the72zoo
Extracted
Credentials
Protocol: smtp- Host:
smtp.netzero.com - Port:
587 - Username:
[email protected] - Password:
9390bLU
Extracted
Credentials
Protocol: smtp- Host:
smtp.frontiernet.net - Port:
587 - Username:
[email protected] - Password:
elephant12
Extracted
Credentials
Protocol: smtp- Host:
smtp.mundialrsp.com.br - Port:
587 - Username:
[email protected] - Password:
3587658
Extracted
Credentials
Protocol: smtp- Host:
smtp.frontier.com - Port:
587 - Username:
[email protected] - Password:
ra1499!
Extracted
Credentials
Protocol: smtp- Host:
smtp.frontiernet.net - Port:
587 - Username:
[email protected] - Password:
Skibarge12!
Extracted
Credentials
Protocol: smtp- Host:
smtp.frontiernet.net - Port:
587 - Username:
[email protected] - Password:
drex3392
Extracted
Credentials
Protocol: smtp- Host:
mail.nextlevelny.com - Port:
587 - Username:
[email protected] - Password:
Z00ropa1
Extracted
Credentials
Protocol: smtp- Host:
mail.ya.toshin-et.co.jp - Port:
587 - Username:
[email protected] - Password:
aa0225
Extracted
Credentials
Protocol: smtp- Host:
smtp.frontiernet.net - Port:
587 - Username:
[email protected] - Password:
bdrr6045
Targets
-
-
Target
SecuriteInfo.com.Win32.SpywareX-gen.27164.12067.exe
-
Size
1.7MB
-
MD5
e2df3d65784e6202d297bec31d1dfaa1
-
SHA1
a74be156066f49f56bd5835e35210591b7010634
-
SHA256
c539384c0034cc40b226df8cf1354eb264c0e48e722fdd44205ce6783122dba8
-
SHA512
3e311421b7bd8db2ed11fa3bd6406d96a6506b96c54dcf8ab0ea5b95d208dbb124e3372a7be39e42f25f2c2cf59a35888d489c2a107377b831c470bde8f35dfc
-
SSDEEP
49152:BGZgyO3gUhNuZ+gw5N2W4FCcDK5juYWwb4EOpRpOm:Qw3gCNTph4rwq+
Score10/10-
SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
-
Systembc family
-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
Contacts a large (1502) amount of remote hosts
This may indicate a network scan to discover remotely running services.
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Executes dropped EXE
-
Identifies Wine through registry keys
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Creates a large amount of network flows
This may indicate a network scan to discover remotely running services.
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-