General
-
Target
ecf3642a88835c8504b8cb1c2eed3cad75ed3a9994783dda31fd562fd214233c
-
Size
618KB
-
Sample
220521-bma8sacbb6
-
MD5
70719dfa46f47ae766eb1e5d1d12886e
-
SHA1
be10005317c5f9fad937298316f402f7766da76f
-
SHA256
ecf3642a88835c8504b8cb1c2eed3cad75ed3a9994783dda31fd562fd214233c
-
SHA512
4323959c67acbb884e826f362a99c449352c0145836dde2c23fad7ba088cc56fba87eb39dd3980e9ae9d624da499320aa746f16f95f81935b4f9044b86504783
Static task
static1
Behavioral task
behavioral1
Sample
Proof of payment.pdf.scr
Resource
win7-20220414-en
Malware Config
Extracted
nanocore
1.2.2.0
harolds.ooguy.com:6051
harold.2waky.com:6051
79556390-7150-4551-9067-10cd33e6482e
-
activate_away_mode
true
-
backup_connection_host
harold.2waky.com
-
backup_dns_server
8.8.4.4
-
buffer_size
65535
-
build_time
2020-04-28T08:36:06.976087436Z
-
bypass_user_account_control
true
-
bypass_user_account_control_data
-
clear_access_control
true
-
clear_zone_identifier
false
-
connect_delay
4000
-
connection_port
6051
-
default_group
Acandy
-
enable_debug_mode
true
-
gc_threshold
1.048576e+07
-
keep_alive_timeout
30000
-
keyboard_logging
false
-
lan_timeout
2500
-
max_packet_size
1.048576e+07
-
mutex
79556390-7150-4551-9067-10cd33e6482e
-
mutex_timeout
5000
-
prevent_system_sleep
false
-
primary_connection_host
harolds.ooguy.com
-
primary_dns_server
8.8.8.8
-
request_elevation
true
-
restart_delay
5000
-
run_delay
0
-
run_on_startup
true
-
set_critical_process
true
-
timeout_interval
5000
-
use_custom_dns_server
false
-
version
1.2.2.0
-
wan_timeout
8000
Targets
-
-
Target
Proof of payment.pdf.scr
-
Size
928KB
-
MD5
bb2fd8efc3e3e7912c54ed4e6d3cc980
-
SHA1
72b072267288f131e0c54128ee88e2d2a8d6e064
-
SHA256
e3cfd3d090923b878c13c989b6b7c65e8ee788b70dcce22db4f6798754082eef
-
SHA512
c3e2d55bccd8eb2186f37ff55b00c8ba8fb232e15eb4031f14a1e748c5797232f1ebed5d8feb0a5586636db2f82569130b8db3606dfccf8af8a1360d62cd4734
-
Checks computer location settings
Looks up the country code configured in the registry; likely used as a geofence check.
-
Suspicious use of SetThreadContext
-