Extracted

• • Target

    gktpohoadkth.exe

  • Size

    429KB

  • MD5

    1508a5d67bf9beb497b97cc5eff91c5e

  • SHA1

    69c93e632d29fda0f093eacdadd434066f307343

  • SHA256

    ca88a597ed2127de7a2cb2f5b3e82d61035e9e2d5714ec5c0ae1659ef1c13df7

  • SHA512

    3e36d4dd681e1950fdac02f48d9e07b1419b5240b007e9595bba6a5ac1c6f3171db495359e7794b40bcd697c50ab4ebd4010a7c95317859ef6ec11d7ce34b06e

  • SSDEEP

    12288:C+6Bg1Wu+6LQxbcjTqCyeC2PMI7uB7RTx:CH6L/IGMOuV

  Score

  10^/10

  systembcdiscoverypersistencetrojan

  • Suspicious use of NtCreateUserProcessOtherParentProcess

  • SystemBC

    SystemBC is a proxy and remote administration tool first seen in 2019.

    trojansystembc

  • Systembc family

    systembc

  • Blocklisted process makes network request

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Loads dropped DLL

  • Adds Run key to start application

    persistence

  • Suspicious use of SetThreadContext

  behavioral1behavioral2