General
-
Target
fbf87baf4c0d1b80b0c21101ffcaae027e4b6c15e151a4fde333725279c9809f
-
Size
388KB
-
Sample
220521-b8f16addc5
-
MD5
b4b4c1e8f9e29071f363848386a113fd
-
SHA1
bf2ccbba65b879e19a44464b48b10aac67a5a8fc
-
SHA256
fbf87baf4c0d1b80b0c21101ffcaae027e4b6c15e151a4fde333725279c9809f
-
SHA512
00362e654fc027305d6f362b39c3425cb73eccf11498aa3a9791231a54abe731d77e986d990de55095f4a94a5a4ee0a989879bb59bd486e538934c2aa9f1857b
Malware Config
Extracted
nanocore
1.2.2.0
darlingtondc.hopto.org:1905
185.165.153.17:1905
f1e189ea-bf5f-4d37-b84c-3b194f4e6fe7
-
activate_away_mode
true
-
backup_connection_host
185.165.153.17
-
backup_dns_server
8.8.4.4
-
buffer_size
65535
-
build_time
2020-03-14T23:32:54.424872236Z
-
bypass_user_account_control
true
- bypass_user_account_control_data
-
clear_access_control
true
-
clear_zone_identifier
false
-
connect_delay
4000
-
connection_port
1905
-
default_group
Default
-
enable_debug_mode
true
-
gc_threshold
1.048576e+07
-
keep_alive_timeout
30000
-
keyboard_logging
false
-
lan_timeout
2500
-
max_packet_size
1.048576e+07
-
mutex
f1e189ea-bf5f-4d37-b84c-3b194f4e6fe7
-
mutex_timeout
5000
-
prevent_system_sleep
false
-
primary_connection_host
darlingtondc.hopto.org
-
primary_dns_server
8.8.8.8
-
request_elevation
true
-
restart_delay
5000
-
run_delay
0
-
run_on_startup
true
-
set_critical_process
true
-
timeout_interval
5000
-
use_custom_dns_server
false
-
version
1.2.2.0
-
wan_timeout
8000
Targets
-
-
Target
0K408j3RN7U8UB6.exe
-
Size
444KB
-
MD5
0d2a1d6662af45ba909226b2992798b0
-
SHA1
40f3e3e5f00436a1f779e9eafb15bcf3c1c8ae3e
-
SHA256
358935d89163fa342e0707a3be3e844b44df91341a48dcf1c28d8b8c8424e6b5
-
SHA512
f0eed196650f254d916c2041f157788dffed25e27f76c0f043f111492e058a1a784d94c062e0c3fd39e04671ba089b99b92c2159022d90992a9eb13877fa2727
Score10/10-
NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Checks whether UAC is enabled
-
Suspicious use of SetThreadContext
-