General
-
Target
628997d79a873d507ff722975be64f427582c08b6cc8f661c3aefe0de6a911af
-
Size
444KB
-
Sample
220521-aqrt9safc8
-
MD5
17dbb59b746073085492237980b456eb
-
SHA1
11ac71e179aafe7175f2f82893617be6aa77d102
-
SHA256
628997d79a873d507ff722975be64f427582c08b6cc8f661c3aefe0de6a911af
-
SHA512
97826733d80cec5cab005e0de6da625aee3e217e068901ebce4bb3b90c51f393243d904c56ef7bd4c479e97aadfe4e553f69a3f38d701bb88559a8c8016cfc87
Static task
static1
Behavioral task
behavioral1
Sample
fwfuJFhRr1BqCWi.exe
Resource
win7-20220414-en
Malware Config
Extracted
nanocore
1.2.2.0
185.140.53.51:1985 (primary C2; matches primary_connection_host / connection_port below)
127.0.0.1:1985 (backup_connection_host is loopback, so this second entry is not a reachable external C2 — only the first address is actionable for blocking/hunting)
05567b5c-42af-4a71-996e-6f0227b9f4ae
-
activate_away_mode
true
-
backup_connection_host
127.0.0.1
-
backup_dns_server
8.8.4.4
-
buffer_size
65535
-
build_time
2020-05-09T11:35:52.395864036Z
-
bypass_user_account_control
true
-
bypass_user_account_control_data
(no value shown in this report)
-
clear_access_control
false
-
clear_zone_identifier
false
-
connect_delay
4000
-
connection_port
1985
-
default_group
Sureboy
-
enable_debug_mode
true
-
gc_threshold
10485760 (10 MiB; rendered as 1.048576e+07 in the raw config)
-
keep_alive_timeout
30000
-
keyboard_logging
false
-
lan_timeout
2500
-
max_packet_size
10485760 (10 MiB; rendered as 1.048576e+07 in the raw config)
-
mutex
05567b5c-42af-4a71-996e-6f0227b9f4ae
-
mutex_timeout
5000
-
prevent_system_sleep
true
-
primary_connection_host
185.140.53.51
-
primary_dns_server
8.8.8.8
-
request_elevation
true
-
restart_delay
5000
-
run_delay
0
-
run_on_startup
false
-
set_critical_process
true (if honoured, the RAT process is likely marked critical and terminating it may crash the host — prefer suspending/isolating over a hard kill during response; confirm)
-
timeout_interval
5000
-
use_custom_dns_server
false
-
version
1.2.2.0
-
wan_timeout
8000
Targets
-
-
Target
fwfuJFhRr1BqCWi.exe (note: the size and hashes below differ from the 444KB submission hashed in the General section, so this is presumably a file extracted from the submission rather than the submission itself — confirm before pivoting on either hash)
-
Size
589KB
-
MD5
372d925870b10617a1bafa396d646bd9
-
SHA1
647431572f8119f401092f8874b087d1fa468ac4
-
SHA256
5693fc15c7c4843819dd2e7d768f7ad32c031ca0a112cf604d38319d00e7a811
-
SHA512
5f632d330eab155ecda41becc25fd6be13ebe1d5da7e6d13f7b421abd223f2a78e08b33b9ee008953a5676f15a81e62031bbfa69e93e7c7949670d28025d3d75
-
Checks computer location settings
Looks up the country code configured in the registry, likely for geofencing (the sample may behave differently or abort in certain locales).
-
Adds Run key to start application (note: the extracted NanoCore config has run_on_startup = false, so this persistence may be set by the loader/dropper rather than the RAT payload — verify which process wrote the key)
-
Suspicious use of SetThreadContext (commonly seen in process hollowing / thread-hijacking injection; check for a suspended child process and a memory region written with a new image)
-