General
-
Target
SecuriteInfo.com.Win32.SpywareX-gen.27164.12067.exe
-
Size
1.7MB
-
Sample
250211-mnkz6avjhy
-
MD5
e2df3d65784e6202d297bec31d1dfaa1
-
SHA1
a74be156066f49f56bd5835e35210591b7010634
-
SHA256
c539384c0034cc40b226df8cf1354eb264c0e48e722fdd44205ce6783122dba8
-
SHA512
3e311421b7bd8db2ed11fa3bd6406d96a6506b96c54dcf8ab0ea5b95d208dbb124e3372a7be39e42f25f2c2cf59a35888d489c2a107377b831c470bde8f35dfc
-
SSDEEP
49152:BGZgyO3gUhNuZ+gw5N2W4FCcDK5juYWwb4EOpRpOm:Qw3gCNTph4rwq+
Malware Config
Extracted
Protocol: smtp- Host:
smtp.frontier.com - Port:
587 - Username:
[email protected] - Password:
3907Sherman
Extracted
Protocol: smtp- Host:
smtp.frontiernet.net - Port:
587 - Username:
[email protected] - Password:
j01120210f
Extracted
Protocol: smtp- Host:
smtp.frontier.com - Port:
587 - Username:
[email protected] - Password:
bella12
Extracted
Protocol: smtp- Host:
smtp.netzero.com - Port:
587 - Username:
[email protected] - Password:
Eddy2005
Extracted
Protocol: smtp- Host:
smtp.netzero.com - Port:
587 - Username:
[email protected] - Password:
mikey143
Extracted
Protocol: smtp- Host:
smtp.frontier.com - Port:
587 - Username:
[email protected] - Password:
oohdo1
Extracted
Protocol: smtp- Host:
smtp.frontier.com - Port:
587 - Username:
[email protected] - Password:
cardinal.304
Extracted
Protocol: smtp- Host:
smtp.frontier.com - Port:
587 - Username:
[email protected] - Password:
4udana
Extracted
Protocol: smtp- Host:
smtp.netzero.com - Port:
587 - Username:
[email protected] - Password:
cleopate
Extracted
Protocol: smtp- Host:
smtp.frontier.com - Port:
587 - Username:
[email protected] - Password:
skydiver1
Extracted
Protocol: smtp- Host:
smtp.frontiernet.net - Port:
587 - Username:
[email protected]
Extracted
Protocol: smtp- Host:
smtp.frontiernet.net - Port:
587 - Username:
[email protected] - Password:
Typewriter96
Extracted
Protocol: smtp- Host:
smtp.frontiernet.net - Port:
587 - Username:
[email protected] - Password:
lyrch12
Extracted
systembc
wodresomdaymomentum.org
Targets
-
-
Target
SecuriteInfo.com.Win32.SpywareX-gen.27164.12067.exe
-
Size
1.7MB
-
MD5
e2df3d65784e6202d297bec31d1dfaa1
-
SHA1
a74be156066f49f56bd5835e35210591b7010634
-
SHA256
c539384c0034cc40b226df8cf1354eb264c0e48e722fdd44205ce6783122dba8
-
SHA512
3e311421b7bd8db2ed11fa3bd6406d96a6506b96c54dcf8ab0ea5b95d208dbb124e3372a7be39e42f25f2c2cf59a35888d489c2a107377b831c470bde8f35dfc
-
SSDEEP
49152:BGZgyO3gUhNuZ+gw5N2W4FCcDK5juYWwb4EOpRpOm:Qw3gCNTph4rwq+
Score10/10-
SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
-
Systembc family
-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
Contacts a large (552) amount of remote hosts
This may indicate a network scan to discover remotely running services.
-
Downloads MZ/PE file
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Executes dropped EXE
-
Identifies Wine through registry keys
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-