General
- Target: af059f0fcfc5e3cf09f73efae089b33f7e51f9860282b4fa7a08b03f339bdab7
- Size: 232KB
- Sample: 220520-3zycmacffk
- MD5: 7a2d6aeabad40457f127d0c30666eea3
- SHA1: 122a3bcec5e3e5fe7d27908fdc7a91fc523b09bb
- SHA256: af059f0fcfc5e3cf09f73efae089b33f7e51f9860282b4fa7a08b03f339bdab7
- SHA512: e5d82b261aa85b1d2f11905d629bcfa4e848bb6d3d6b005f91057966e95331f5cfb5ce79aaa08a5589d81fc61e8a036d142497bc0091d4defb3b6494415c159c
Static task: static1
Behavioral task: behavioral1
- Sample: Receipt-Dhl june 2020 frieght.exe
- Resource: win7-20220414-en
Malware Config
Extracted
nanocore
1.2.2.0
forwork61420.ddns.net:3118
forwork61420.duckdns.org:3118
713ef177-b6be-471f-adec-854b1cda1062
- activate_away_mode: true
- backup_connection_host: forwork61420.duckdns.org
- backup_dns_server: 8.8.4.4
- buffer_size: 65535
- build_time: 2020-03-28T15:15:12.586904536Z
- bypass_user_account_control: true
- bypass_user_account_control_data:
- clear_access_control: true
- clear_zone_identifier: true
- connect_delay: 4000
- connection_port: 3118
- default_group: TT
- enable_debug_mode: true
- gc_threshold: 1.048576e+07
- keep_alive_timeout: 30000
- keyboard_logging: false
- lan_timeout: 2500
- max_packet_size: 1.048576e+07
- mutex: 713ef177-b6be-471f-adec-854b1cda1062
- mutex_timeout: 5000
- prevent_system_sleep: true
- primary_connection_host: forwork61420.ddns.net
- primary_dns_server: 8.8.8.8
- request_elevation: true
- restart_delay: 5000
- run_delay: 0
- run_on_startup: true
- set_critical_process: true
- timeout_interval: 5000
- use_custom_dns_server: false
- version: 1.2.2.0
- wan_timeout: 8000
Targets
- Target: Receipt-Dhl june 2020 frieght.exe
- Size: 322KB
- MD5: 9a976316c0f9d94fc5e82d5a0d010206
- SHA1: 0179fe95468daa9c4eb24a6704d8faeea5acc4ae
- SHA256: 86622b1479706d348299e938ab1889c02f9c33aa1c572902e43367edfbbe526c
- SHA512: 193c38232025185098fe68dac06fdee2edeb1ec1664e9b7432b7cfb0a1139de05d5f6ebc1d94a59adeb1e8446639d2a24b991a3c44ab102bbbb962ea520209cf
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Adds Run key to start application
- Suspicious use of SetThreadContext