General
-
Target
16868e24e7d2d8465100b00d0a46e00226b584bc4f2411ff675be809d086cbe3
-
Size
405KB
-
Sample
220521-bb9bfabff7
-
MD5
c7543d2ead30eb3736848ef164e8c66e
-
SHA1
dae051153d6d2f13c8a0dfccb2d211c23d68a29b
-
SHA256
16868e24e7d2d8465100b00d0a46e00226b584bc4f2411ff675be809d086cbe3
-
SHA512
52d76d728eb30f09513e354665b22e0cf8c285c971701bbb32a2ff9652bc662bb0a472e50a1ad46a16edf4a28d0170be68c5fd2e01951a0014baf36192a297f9
Static task
static1
Behavioral task
behavioral1
Sample
LKVQYCZZkBgadMX.exe
Resource
win7-20220414-en
Malware Config
Extracted
nanocore
1.2.2.0
79.134.225.71:1985
127.0.0.1:1985
b906c32a-7c7b-408f-aea8-c2cf051540c7
-
activate_away_mode
true
-
backup_connection_host
127.0.0.1
-
backup_dns_server
8.8.4.4
-
buffer_size
65535
-
build_time
2020-05-08T07:10:15.167894836Z
-
bypass_user_account_control
true
-
bypass_user_account_control_data
-
clear_access_control
false
-
clear_zone_identifier
false
-
connect_delay
4000
-
connection_port
1985
-
default_group
Cherry
-
enable_debug_mode
true
-
gc_threshold
1.048576e+07
-
keep_alive_timeout
30000
-
keyboard_logging
false
-
lan_timeout
2500
-
max_packet_size
1.048576e+07
-
mutex
b906c32a-7c7b-408f-aea8-c2cf051540c7
-
mutex_timeout
5000
-
prevent_system_sleep
true
-
primary_connection_host
79.134.225.71
-
primary_dns_server
8.8.8.8
-
request_elevation
true
-
restart_delay
5000
-
run_delay
0
-
run_on_startup
false
-
set_critical_process
true
-
timeout_interval
5000
-
use_custom_dns_server
false
-
version
1.2.2.0
-
wan_timeout
8000
Targets
-
-
Target
LKVQYCZZkBgadMX.exe
-
Size
488KB
-
MD5
bef5cac24c190344f2bd75ae5e12b4f5
-
SHA1
99cfe77679e1e0abc487b61ac3093e1fed30a277
-
SHA256
df4ac313a1013e4111037cb09097cc4a53251d144568c8bd1fd4587cb8f7c4b4
-
SHA512
4f885b06a4d96197d4ddf79fc9019593f88d834e1afa780ed7da4d17c2ca50c244fbfb2b77f09a908c1321ec0af4d603c02a1450dd8d71aed888c1200a50059a
-
Checks computer location settings
Looks up the country code configured in the registry; this is likely a geofence check.
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-