systembc | 6843226fd84ae2ce783119d4ba634e00d10dc6e5374a23d26b42cd0e7e6b18cd | Triage

Submit
Reports

Overview

overview

Static

static

36b9570a14...40.exe

windows7_x64

36b9570a14...40.exe

windows10_x64

Sharing

General

Target

36b9570a14ac21869cad456713714940
Size

144KB
Sample

210624-ebxa3dkb7n
MD5

36b9570a14ac21869cad456713714940
SHA1

17ce33e58167a089b7e4e6c49a362a23364d30de
SHA256

6843226fd84ae2ce783119d4ba634e00d10dc6e5374a23d26b42cd0e7e6b18cd
SHA512

4af43e89ca22fd81365f6e68a1350400cc653d3d12e642ed04bceb1597be9ce89f857c851b14390b3aad3c8b89d69235cad20b8c30a8d93b74b93f6339393bd9

Score

10^/10

systembc evasion persistence spyware stealer trojan

Static task

static1

Behavioral task

behavioral1

Sample

36b9570a14ac21869cad456713714940.exe

Resource

win7v20210410

systembc evasion persistence spyware stealer trojan

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

36b9570a14ac21869cad456713714940.exe

Resource

win10v20210408

systembc evasion persistence spyware stealer trojan

windows10_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

systembc

C2

65.21.93.53:4173

95.216.118.223:4173

Targets

- Target
  
  36b9570a14ac21869cad456713714940
- Size
  
  144KB
- MD5
  
  36b9570a14ac21869cad456713714940
- SHA1
  
  17ce33e58167a089b7e4e6c49a362a23364d30de
- SHA256
  
  6843226fd84ae2ce783119d4ba634e00d10dc6e5374a23d26b42cd0e7e6b18cd
- SHA512
  
  4af43e89ca22fd81365f6e68a1350400cc653d3d12e642ed04bceb1597be9ce89f857c851b14390b3aad3c8b89d69235cad20b8c30a8d93b74b93f6339393bd9
Score

10^/10

systembc evasion persistence spyware stealer trojan
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- SystemBC
  SystemBC is a proxy and remote administration tool first seen in 2019.
  trojan systembc
- Turns off Windows Defender SpyNet reporting
  evasion
- Windows security bypass
  evasion trojan
- Nirsoft
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Windows security modification
  evasion trojan
- Adds Run key to start application
  persistence
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Disabling Security Tools

Credential Access

Credentials in Files

Discovery

System Information Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

systembcevasionpersistencespywarestealertrojan

behavioral2

systembcevasionpersistencespywarestealertrojan

© 2018-2024

Terms | Privacy