General
-
Target
426e26f5cb3eaa5a20be10ade7ec3a2a9fa4a768756928e7e660a6665a6ad163
-
Size
322KB
-
Sample
220521-ax6l1aahg9
-
MD5
802dec378a0ac90393e1470d1da60bb9
-
SHA1
78f34ea297f410c593209951623339c7f1dc9387
-
SHA256
426e26f5cb3eaa5a20be10ade7ec3a2a9fa4a768756928e7e660a6665a6ad163
-
SHA512
53d50864791b5e5c0d25a3bea6f1ea62398bb624c0e238b1286a4926502607dab8de06526a0507d058250df348001526ff61fb40d774e1c0ead0e1a83b253422
Static task
static1
Behavioral task
behavioral1
Sample
Teklif açıklaması bilgileri Z0T5nOBüyükşehir Mh.Cumhuriyet Cdoc.exe
Resource
win7-20220414-en
Malware Config
Extracted
nanocore
1.2.2.0
postnl.duckdns.org:1969
127.0.0.1:1969
03803fb4-9846-4772-b30e-fac43bb55ddb
-
activate_away_mode
true
-
backup_connection_host
127.0.0.1
-
backup_dns_server
8.8.4.4
-
buffer_size
65535
-
build_time
2020-04-27T07:08:14.039616336Z
-
bypass_user_account_control
true
-
bypass_user_account_control_data
-
clear_access_control
true
-
clear_zone_identifier
true
-
connect_delay
4000
-
connection_port
1969
-
default_group
POSTNL
-
enable_debug_mode
true
-
gc_threshold
1.048576e+07
-
keep_alive_timeout
30000
-
keyboard_logging
false
-
lan_timeout
2500
-
max_packet_size
1.048576e+07
-
mutex
03803fb4-9846-4772-b30e-fac43bb55ddb
-
mutex_timeout
5000
-
prevent_system_sleep
true
-
primary_connection_host
postnl.duckdns.org
-
primary_dns_server
8.8.8.8
-
request_elevation
true
-
restart_delay
5000
-
run_delay
0
-
run_on_startup
true
-
set_critical_process
true
-
timeout_interval
5000
-
use_custom_dns_server
false
-
version
1.2.2.0
-
wan_timeout
8000
Targets
-
-
Target
Teklif açıklaması bilgileri Z0T5nOBüyükşehir Mh.Cumhuriyet Cdoc.exe
-
Size
489KB
-
MD5
10862bd9538040e6ce9d8c093d9e5abc
-
SHA1
96be2d74c24287941e0c683e920cdff848efa2c1
-
SHA256
430a7e324ab686d71a38548850bb90d018b0d7aec9cdbccb7289beb4d09f5a9f
-
SHA512
bbb44029fb769fb266b3e42b7e0e0fed6365c98ec61b0049fd1533f93eff691f3bedcf9ce48f816d7f39bfdc31146d2ca4916f6c5f3be2c3da63ed18504a0d99
-
Looks for VirtualBox Guest Additions in registry
-
Looks for VMWare Tools registry key
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings
Looks up the country code configured in the registry, likely used as a geofence check on the victim machine's configured region.
-
Maps connected drives based on registry
Disk information is often read in order to detect sandboxing environments.
-
Suspicious use of SetThreadContext
-