Extracted

• • Target

    2497c8d6afda40002e0c177faa936b73c5ebf2c6e4f4bac482f67a7946e6218a

  • Size

    1.1MB

  • MD5

    01f89dd05027734cdf71f9923179a57a

  • SHA1

    f6cbdf1f40fcc5349ff58245cb7d14d5a5113ac0

  • SHA256

    2497c8d6afda40002e0c177faa936b73c5ebf2c6e4f4bac482f67a7946e6218a

  • SHA512

    36328e775c5cb77663e8daec6f2d72356146e17201c0340624007f78de4c0ebb20cb4a282dc324893d8088463403a26a6fd2447f4c949d7fe0de00650d2c9bf1

  • SSDEEP

    24576:+4j4a/KxTMoQvaBtu+vOQst38HZjbxiOJx7nTlbPujvb+nayzg8vk862s3vX/1rw:+WCGjL+2P8H5b0GnTlLYYDzgI961vXVk

  Score

  10^/10

  systembcevasiontrojan

  • Modifies security service

    evasion

  • Suspicious use of NtCreateUserProcessOtherParentProcess

  • SystemBC

    SystemBC is a proxy and remote administration tool first seen in 2019.

    trojansystembc

  • Downloads MZ/PE file

  • Executes dropped EXE

  • Stops running service(s)

    evasion

  • Deletes itself

  • Loads dropped DLL

  • Drops file in System32 directory

  • Suspicious use of NtSetInformationThreadHideFromDebugger

  • Suspicious use of SetThreadContext

  behavioral1behavioral2