General
-
Target
55e719d9b93567139ed676f4fd2af8ed3ca1ab85667d182f30d028cd3ad41104
-
Size
289KB
-
Sample
220521-b129escgh7
-
MD5
4e3ab4dbf1b4fea0f7a188260a124428
-
SHA1
02fd0c6281ee6d42fe93168c4e8a6982d0a51605
-
SHA256
55e719d9b93567139ed676f4fd2af8ed3ca1ab85667d182f30d028cd3ad41104
-
SHA512
5a767a2c6285209d3773d280edabe40e3b20ac93e585067be2e7dc1a1305fb737ede774d281ac29d840dbdd31a821468793598a373080ff96824164d019f451e
Static task
static1
Behavioral task
behavioral1
Sample
Order.exe
Resource
win7-20220414-en
Malware Config
Extracted
nanocore
1.2.2.0
185.19.85.133:9995
127.0.0.1:9995
eb071d45-47d5-4ca7-a489-0f12cddc481f
-
activate_away_mode
true
-
backup_connection_host
127.0.0.1
-
backup_dns_server
8.8.4.4
-
buffer_size
65535
-
build_time
2020-01-07T00:46:43.694111036Z
-
bypass_user_account_control
true
-
bypass_user_account_control_data
-
clear_access_control
true
-
clear_zone_identifier
true
-
connect_delay
4000
-
connection_port
9995
-
default_group
BLESSED
-
enable_debug_mode
true
-
gc_threshold
1.048576e+07
-
keep_alive_timeout
30000
-
keyboard_logging
false
-
lan_timeout
2500
-
max_packet_size
1.048576e+07
-
mutex
eb071d45-47d5-4ca7-a489-0f12cddc481f
-
mutex_timeout
5000
-
prevent_system_sleep
true
-
primary_connection_host
185.19.85.133
-
primary_dns_server
8.8.8.8
-
request_elevation
true
-
restart_delay
5000
-
run_delay
0
-
run_on_startup
true
-
set_critical_process
true
-
timeout_interval
5000
-
use_custom_dns_server
false
-
version
1.2.2.0
-
wan_timeout
8000
Targets
-
-
Target
Order.exe
-
Size
373KB
-
MD5
77dcd9d7e5f3849d177ec4bf54e8be1d
-
SHA1
ab9579e68dbce78f60833665ee2ece5c737a8c4d
-
SHA256
c43d85dc319a3e0e9faeb9aa8967ab597ce9c7d76d78ad5d7cea309b73a7b653
-
SHA512
d5ac72a5c709d06aa72c9bed9b690555e6e8f6c7395bbda994ab43cb0eb0a086013b23e585d6d17acaed21250b5bd73465da537aa5b17bddea99c8fd83d24743
-
Checks computer location settings
Looks up the country code configured in the registry, likely used as a geofence.
-
Suspicious use of SetThreadContext
-