General
-
Target
ee8c46367596e91ab823d0d17b94ffd7094c1f513f4ca75936036f4980421276
-
Size
498KB
-
Sample
220521-cbm9msgfcj
-
MD5
d490159ddfb2b2a6c11890965aeedacf
-
SHA1
cbe102549d3e3b78faffa151b02f71c21c78be70
-
SHA256
ee8c46367596e91ab823d0d17b94ffd7094c1f513f4ca75936036f4980421276
-
SHA512
a61ae8c8e1faffc1faa8d2f4167a68ec4db23deccb81996be19ec508dfc8fda712aecdeb06367123671b0329c72321ebe1f7ee29bc32f96db72c14cd028c04e6
Static task
static1
Behavioral task
behavioral1
Sample
Quotation form.pdf
Resource
win7-20220414-en
Behavioral task
behavioral2
Sample
Quotation form.pdf
Resource
win10v2004-20220414-en
Behavioral task
behavioral3
Sample
RFQ#Inquiry 215642.exe
Resource
win7-20220414-en
Malware Config
Extracted
nanocore
1.2.2.0
saocris.ddns.net:1930 (C2 host:port; consistent with the primary_connection_host and connection_port fields below)
4b2770ba-c0aa-4a47-80a1-1ecd8b69e945 (same value as the mutex field below)
-
activate_away_mode
true
-
backup_connection_host
(no value shown)
-
backup_dns_server
8.8.4.4
-
buffer_size
65535
-
build_time
2020-05-21T14:35:52.193847036Z
-
bypass_user_account_control
false
-
bypass_user_account_control_data
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
-
clear_access_control
true
-
clear_zone_identifier
true
-
connect_delay
4000
-
connection_port
1930
-
default_group
My Time
-
enable_debug_mode
true
-
gc_threshold
10485760 (shown as 1.048576e+07; equals 10 MiB)
-
keep_alive_timeout
30000
-
keyboard_logging
false
-
lan_timeout
2500
-
max_packet_size
10485760 (shown as 1.048576e+07; equals 10 MiB)
-
mutex
4b2770ba-c0aa-4a47-80a1-1ecd8b69e945
-
mutex_timeout
5000
-
prevent_system_sleep
true
-
primary_connection_host
saocris.ddns.net
-
primary_dns_server
8.8.8.8
-
request_elevation
true
-
restart_delay
5000
-
run_delay
0
-
run_on_startup
true
-
set_critical_process
true (presumably marks the implant process as critical, so terminating it may crash the host — confirm before killing the process during incident response)
-
timeout_interval
5000
-
use_custom_dns_server
false
-
version
1.2.2.0
-
wan_timeout
8000
Targets
-
-
Target
Quotation form.pdf
-
Size
139KB
-
MD5
0c1e75343142d64861a78788d219dbec
-
SHA1
fbf65394563d1260c3062fa3878235a946cd7a0f
-
SHA256
d971a4adac16461ee6a619d09f59b4f6219346efb5dfba456659abd02d50b295
-
SHA512
008f4fd22a75214983f14b5515d14c16c5dd400f1f8cb8daf74066a6aa59f0bf7478a0ca33a976988bfc48d821db0228ef5f5993ae6e45e9cfff68aacdd1a35b
Score 1/10 -
-
-
Target
RFQ#Inquiry 215642.exe
-
Size
450KB
-
MD5
577af04414ea52d9d179b90bc48470a5
-
SHA1
e9f4092c288d5a491528472e5c7b7610a25a200d
-
SHA256
7c1982f88aa59a9e220b92e280e4fe1d47ef06214aa5784572f688419e3e7ec4
-
SHA512
707d21a257070403b168816aadbf2c1263821ddf3cefcc9f29013602bee59eb8fae423430dfac819aed3161b9b792df7733b3f87adfbe471dbaf670a1a8ce79f
-
Checks computer location settings
Looks up the country code configured in the registry, likely used as a geofence check.
-
Suspicious use of SetThreadContext (commonly associated with process-hollowing / thread-hijacking injection; the report does not show which process or thread was targeted)
-