General
-
Target
Wextract.exe
-
Size
20.1MB
-
Sample
211011-tpzm9shfcl
-
MD5
656bb45286bc93310190d6caa88f2eae
-
SHA1
b0ccc9e3fa93502e2ab59dc4cdb0b5cc548343ae
-
SHA256
df148cda088c6063ca4e903fa59e453f371b721e4d058b47605a800630e2988e
-
SHA512
cb6d49aca40b8b0b6f6e5114036c38c119ca4b13a9f6842c9255a6fc24c7a5d73faf7fe4980f438ced9396ed7721208702450c776fccae4cf1a579ed9b69c2c1
Static task
static1
Behavioral task
behavioral1
Sample
Wextract.exe
Resource
win7-en-20210920
Malware Config
Extracted
nanocore
1.2.2.0
8888.tshacks.online:8888
26bfcaea-dd1b-4a7f-9639-a7cb51f083fe
-
activate_away_mode
true
-
backup_connection_host
8888.tshacks.online
-
backup_dns_server
8.8.4.4
-
buffer_size
65535
-
build_time
2019-01-22T13:16:46.778489036Z
-
bypass_user_account_control
true
- bypass_user_account_control_data
-
clear_access_control
true
-
clear_zone_identifier
false
-
connect_delay
4000
-
connection_port
8888
-
default_group
8888
-
enable_debug_mode
true
-
gc_threshold
1.048576e+07
-
keep_alive_timeout
30000
-
keyboard_logging
false
-
lan_timeout
2500
-
max_packet_size
1.048576e+07
-
mutex
26bfcaea-dd1b-4a7f-9639-a7cb51f083fe
-
mutex_timeout
5000
-
prevent_system_sleep
false
-
primary_connection_host
8888.tshacks.online
-
primary_dns_server
8.8.8.8
-
request_elevation
true
-
restart_delay
5000
-
run_delay
0
-
run_on_startup
true
-
set_critical_process
true
-
timeout_interval
5000
-
use_custom_dns_server
false
-
version
1.2.2.0
-
wan_timeout
8000
Targets
-
-
Target
Wextract.exe
-
Size
20.1MB
-
MD5
656bb45286bc93310190d6caa88f2eae
-
SHA1
b0ccc9e3fa93502e2ab59dc4cdb0b5cc548343ae
-
SHA256
df148cda088c6063ca4e903fa59e453f371b721e4d058b47605a800630e2988e
-
SHA512
cb6d49aca40b8b0b6f6e5114036c38c119ca4b13a9f6842c9255a6fc24c7a5d73faf7fe4980f438ced9396ed7721208702450c776fccae4cf1a579ed9b69c2c1
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application (registry-based persistence; consistent with the extracted `run_on_startup: true` setting above)
-
Suspicious use of SetThreadContext (commonly associated with process hollowing / injection into a suspended process; the report does not show the target process, so confirm from the behavioral trace)
-