General
-
Target
97e5f9b35e1063aeb38fab2b2f808ed777604138a7ca2772b040110fffe20a72
-
Size
316KB
-
Sample
220521-cype8ahgdq
-
MD5
ce528994e3ef90ec050a630d700863cd
-
SHA1
134874f93ee1856a2ec74912fd070b3429a45f00
-
SHA256
97e5f9b35e1063aeb38fab2b2f808ed777604138a7ca2772b040110fffe20a72
-
SHA512
f801efeb07ab664e16c948d2ff9536bed8d12631e84f9bc8254d7bad6bfc9ebf80d032ddff3ed810a49515d11331d0ed5256cec6956e9e3a9c29e98f85b83e9c
Static task
static1
Behavioral task
behavioral1
Sample
PostNL klant verzendinformatie document doc.exe
Resource
win7-20220414-en
Malware Config
Extracted
nanocore
1.2.2.0
postnl.duckdns.org:1969
127.0.0.1:1969
03803fb4-9846-4772-b30e-fac43bb55ddb
-
activate_away_mode
true
-
backup_connection_host
127.0.0.1
-
backup_dns_server
8.8.4.4
-
buffer_size
65535
-
build_time
2020-04-27T07:08:14.039616336Z
-
bypass_user_account_control
true
-
bypass_user_account_control_data
-
clear_access_control
true
-
clear_zone_identifier
true
-
connect_delay
4000
-
connection_port
1969
-
default_group
POSTNL
-
enable_debug_mode
true
-
gc_threshold
1.048576e+07
-
keep_alive_timeout
30000
-
keyboard_logging
false
-
lan_timeout
2500
-
max_packet_size
1.048576e+07
-
mutex
03803fb4-9846-4772-b30e-fac43bb55ddb
-
mutex_timeout
5000
-
prevent_system_sleep
true
-
primary_connection_host
postnl.duckdns.org
-
primary_dns_server
8.8.8.8
-
request_elevation
true
-
restart_delay
5000
-
run_delay
0
-
run_on_startup
true
-
set_critical_process
true
-
timeout_interval
5000
-
use_custom_dns_server
false
-
version
1.2.2.0
-
wan_timeout
8000
Targets
-
-
Target
PostNL klant verzendinformatie document doc.exe
-
Size
500KB
-
MD5
96197942f6e4fb122810a1188781d9a1
-
SHA1
a19f727211c5120a482af60dfca7042f181f5e3a
-
SHA256
04d57be00e1edddcfd5cd6088b4eec44591c6f0a5f9e6a13b9f90e66a24ccc25
-
SHA512
4c4ab690187abfa8b68641dbe02038d91ec56a9898a69a65709cea7d86cc984df9ef1f7d6658d7f3b0fecd3931bccdf14d828ee09b50b54cb32105a32009f45d
-
Looks for VirtualBox Guest Additions in registry
-
Looks for VMWare Tools registry key
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings
Looks up the country code configured in the registry, likely for a geofence check.
-
Maps connected drives based on registry
Disk information is often read in order to detect sandboxing environments.
-
Suspicious use of SetThreadContext
-