General
-
Target
17844b8e81e8b70e0baa19712c07e4db339c4410cf8f513750a5af94d8f8165d
-
Size
256KB
-
Sample
220521-pyr8bsgbh8
-
MD5
e0fa84acbae816df1726c35499bdb105
-
SHA1
fe3742114fe56e578861cc92208c94ca5a172cd8
-
SHA256
17844b8e81e8b70e0baa19712c07e4db339c4410cf8f513750a5af94d8f8165d
-
SHA512
4228dd138a7296633b1871f972a72ca2638e0d39bceb2780b1d5e6df7407ad252dfba4351a3e2ac255e109fcffa42b0533c5d9c5f418a99e15295e24e0588731
Malware Config
Extracted
nanocore
1.2.2.0
91.193.75.228:4540
127.0.0.1:4540
2f0ee585-e6d3-4398-a06b-4f15250fb773
-
activate_away_mode
true
-
backup_connection_host
127.0.0.1
-
backup_dns_server
8.8.4.4
-
buffer_size
65535
-
build_time
2020-03-21T18:05:11.253241836Z
-
bypass_user_account_control
true
- bypass_user_account_control_data
-
clear_access_control
false
-
clear_zone_identifier
false
-
connect_delay
4000
-
connection_port
4540
-
default_group
haha
-
enable_debug_mode
true
-
gc_threshold
1.048576e+07
-
keep_alive_timeout
30000
-
keyboard_logging
false
-
lan_timeout
2500
-
max_packet_size
1.048576e+07
-
mutex
2f0ee585-e6d3-4398-a06b-4f15250fb773
-
mutex_timeout
5000
-
prevent_system_sleep
false
-
primary_connection_host
91.193.75.228
-
primary_dns_server
8.8.8.8
-
request_elevation
true
-
restart_delay
5000
-
run_delay
0
-
run_on_startup
false
-
set_critical_process
true
-
timeout_interval
5000
-
use_custom_dns_server
false
-
version
1.2.2.0
-
wan_timeout
8000
Targets
-
-
Target
PO.exe
-
Size
292KB
-
MD5
b51c6b42fbe1c750f7dd6ea1aa326a3b
-
SHA1
6e455e9c20411ef787b1a912ef92f0a5bac027f3
-
SHA256
5d91a0233b2cd95d7a40c235dd6ab58d92c2b68447ce6920253db1c3100817ce
-
SHA512
a299271633a7bf63feb28cfbdff07f881afe688030bf32b5da85fab537b9db68479901a5784a9981b204fe6e786413131d8d52e3529a26dfab89ea10ac6419e8
Score10/10-
NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
Checks whether UAC is enabled
-
Suspicious use of SetThreadContext
-