General
-
Target
f3db7b79339e45d38f658e0b5a44fa1ac7badd7e1cd8f5aadc7ed5b5e85c8467
-
Size
790KB
-
Sample
210727-b6r12mrm6n
-
MD5
b57e20fb9948a2eda5112567e08ded62
-
SHA1
58da2b6633a474420939bf0a8a13642f996d5a18
-
SHA256
f3db7b79339e45d38f658e0b5a44fa1ac7badd7e1cd8f5aadc7ed5b5e85c8467
-
SHA512
e3b1233749688549f00db1b05617bb8f8b714b65d39677881d57cd46f17cec8db3d5b65e5664f4c2a6a592151a7a4acc7954ee3145b6910f9dd3fbb8c182b381
Static task
static1
Malware Config
Extracted
nanocore
1.2.2.0
194.5.98.120:1604
joseedward5001.ddns.net:1604
0d56db32-3eda-4dbe-b516-9d15e051f958
-
activate_away_mode
true
-
backup_connection_host
joseedward5001.ddns.net
-
backup_dns_server
8.8.4.4
-
buffer_size
65535
-
build_time
2021-05-07T02:45:36.242219236Z
-
bypass_user_account_control
true
- bypass_user_account_control_data
-
clear_access_control
true
-
clear_zone_identifier
false
-
connect_delay
4000
-
connection_port
1604
-
default_group
new lease
-
enable_debug_mode
true
-
gc_threshold
1.048576e+07
-
keep_alive_timeout
30000
-
keyboard_logging
false
-
lan_timeout
2500
-
max_packet_size
1.048576e+07
-
mutex
0d56db32-3eda-4dbe-b516-9d15e051f958
-
mutex_timeout
5000
-
prevent_system_sleep
false
-
primary_connection_host
194.5.98.120
-
primary_dns_server
8.8.8.8
-
request_elevation
true
-
restart_delay
5000
-
run_delay
0
-
run_on_startup
true
-
set_critical_process
true
-
timeout_interval
5000
-
use_custom_dns_server
false
-
version
1.2.2.0
-
wan_timeout
8000
Targets
-
-
Target
ORDER TSA-A090621B MV Hyundai Viet LTD.exe
-
Size
1.6MB
-
MD5
8e5a20788e97f7c76224b87e82d5aca6
-
SHA1
f2d8724bf3ce016c3fb12a5d08af26d4a0919c9a
-
SHA256
c837280f88c94c57bc0378d783e465f47043ff97db1cacbcac28819176f5e9fd
-
SHA512
155d27703177f6267452ff192d08badea82d950aed383e9a7f0e11a925294c2e34ed297c1977ae9534e6cca8d67b11efe48151236417ca9004a4665965a9d5ef
-
suricata: ET MALWARE Possible NanoCore C2 60B
-
Looks for VirtualBox Guest Additions in registry
-
Looks for VMWare Tools registry key
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Maps connected drives based on registry
Disk information is often read in order to detect sandboxing environments.
-
Suspicious use of SetThreadContext
-