General
-
Target
692fb9c530fccb14cd56dec0ba71ff1be0018b28d81a3dee76a9ca788bc6465c
-
Size
359KB
-
Sample
220520-29rr6agea8
-
MD5
478bd783f6a64dc5011991184e4e4d75
-
SHA1
4ce443fb223eb9c3c9d928750b8543564f86ca1f
-
SHA256
692fb9c530fccb14cd56dec0ba71ff1be0018b28d81a3dee76a9ca788bc6465c
-
SHA512
1abc0d73adeeac15500956780ffb217e2b58d230f789c0ed286f1744c78353efc52d5a391dadf116807ca528060b214979319427218bac7a6be2e74f26590a71
Static task
static1
Behavioral task
behavioral1
Sample
RF172474228ES.exe
Resource
win7-20220414-en
Malware Config
Extracted
nanocore
1.2.2.0
185.140.53.9:9124
127.0.0.1:9124 (loopback — this entry matches the backup_connection_host value further down; a loopback address is not a usable C2 indicator and should not be added to blocklists or network detections)
abee0a6e-9120-44aa-a70c-1e32c9a07128
-
activate_away_mode
true
-
backup_connection_host
127.0.0.1
-
backup_dns_server
8.8.4.4
-
buffer_size
65535
-
build_time
2020-04-05T19:51:22.629259936Z
-
bypass_user_account_control
true
-
bypass_user_account_control_data
(no value extracted)
-
clear_access_control
true
-
clear_zone_identifier
true (if honored by the implant, this strips the Zone.Identifier / Mark-of-the-Web stream from files it writes, so MOTW-based controls such as SmartScreen prompts may not trigger on dropped payloads)
-
connect_delay
4000
-
connection_port
9124
-
default_group
Wish
-
enable_debug_mode
true
-
gc_threshold
1.048576e+07 (= 10485760, i.e. 10 MiB if the unit is bytes)
-
keep_alive_timeout
30000
-
keyboard_logging
false
-
lan_timeout
2500
-
max_packet_size
1.048576e+07 (= 10485760, i.e. 10 MiB if the unit is bytes)
-
mutex
abee0a6e-9120-44aa-a70c-1e32c9a07128
-
mutex_timeout
5000
-
prevent_system_sleep
true
-
primary_connection_host
185.140.53.9
-
primary_dns_server
8.8.8.8
-
request_elevation
true
-
restart_delay
5000
-
run_delay
0
-
run_on_startup
true
-
set_critical_process
true (responder caveat: if the implant honors this flag it marks its own process as critical, so terminating it outright can crash the host with a bug check — suspend the process or clear the critical flag before killing it)
-
timeout_interval
5000
-
use_custom_dns_server
false
-
version
1.2.2.0
-
wan_timeout
8000
Targets
-
-
Target
RF172474228ES.exe (note: the hashes and size below — SHA256 d278d26f…, 506KB — differ from the submitted sample's in the General section above — SHA256 692fb9c5…, 359KB — so they identify a different object; track both hash sets as separate indicators)
-
Size
506KB
-
MD5
8bbd8695bdfb7fb7438053fcdb6d79a4
-
SHA1
202966c54b72362c2e8c18e09d368eedd7dcc62a
-
SHA256
d278d26f9221b6542223942ce10c1a6c34c8a550c0d8e0d724798cadaf160bfd
-
SHA512
716cfd55b155014338fa2ff99e9c999a98163aa0977d1a274e3ca9505aa681509dccfe3853809c297140f58d9e8c6c669865bf285a0aabf552fe4b246feb849c
-
Checks computer location settings
Looks up the country code configured in the registry, likely a geofence check (the sample may behave differently, or not run at all, depending on the system's configured locale — keep this in mind when reproducing behavior in a sandbox).
-
Suspicious use of SetThreadContext (this API is commonly used to redirect execution in a suspended thread as part of process hollowing or code injection; the report does not show the target process, so confirm by inspecting the behavioral trace)
-