General
-
Target
03928844ee5058406b76bd8a059162e54f7666fdef5a9b77872cfa761850c01a
-
Size
361KB
-
Sample
220521-bchvwabfg8
-
MD5
ea624d631da0dd4963d9bf543b5984f9
-
SHA1
c40e1c8d3771df35f423a8bc17e73235baeccbe3
-
SHA256
03928844ee5058406b76bd8a059162e54f7666fdef5a9b77872cfa761850c01a
-
SHA512
b0882d32cb9e768b1e2552a408a8691a47bc4112a735bb56aee08570ba6492960e6872e84e3e03178df4bdb2f939fff8ff6735c0d62d6ad47e90a6128b336dee
Malware Config
Extracted
nanocore
1.2.2.0
185.140.53.12:1985
127.0.0.1:1985
ff4d9886-469d-4a6e-b614-34a3ff25f594
-
activate_away_mode
true
-
backup_connection_host
127.0.0.1
-
backup_dns_server
8.8.4.4
-
buffer_size
65535
-
build_time
2020-05-08T18:05:52.885964536Z
-
bypass_user_account_control
true
- bypass_user_account_control_data
-
clear_access_control
false
-
clear_zone_identifier
false
-
connect_delay
4000
-
connection_port
1985
-
default_group
Kdott
-
enable_debug_mode
true
-
gc_threshold
1.048576e+07
-
keep_alive_timeout
30000
-
keyboard_logging
false
-
lan_timeout
2500
-
max_packet_size
1.048576e+07
-
mutex
ff4d9886-469d-4a6e-b614-34a3ff25f594
-
mutex_timeout
5000
-
prevent_system_sleep
true
-
primary_connection_host
185.140.53.12
-
primary_dns_server
8.8.8.8
-
request_elevation
true
-
restart_delay
5000
-
run_delay
0
-
run_on_startup
false
-
set_critical_process
true
-
timeout_interval
5000
-
use_custom_dns_server
false
-
version
1.2.2.0
-
wan_timeout
8000
Targets
-
-
Target
CONTRACT PMA1911003.exe
-
Size
403KB
-
MD5
2fd93ad03836ad7288534d0171c6eea6
-
SHA1
34e25f06c5d2a5cb2376d1dc48d031d6da8ce5f1
-
SHA256
12e1a02b8865ab79bb33133254b35fb4d4be1936ce6e7ec69e4bfbb25872f716
-
SHA512
f5c4a33518dbccb5393f21a301b7c3bbc6dc474b6221e808931ba22c77512b281f4ac2c06a5665ca974f8192fed008dfdc02bd2a307227191e6ceb021327ac9f
Score10/10-
NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-