General
-
Target
40b95258cd14597c0850f6e1c78a3af4812bd89fa9b3706561b43e20457ac792
-
Size
871KB
-
Sample
220521-xcjm3abdf9
-
MD5
5bbaebfc9e1f12fb2b1c173681436e43
-
SHA1
36f2830e64e19d726f8ff7f92c2710efc7bd4e3b
-
SHA256
40b95258cd14597c0850f6e1c78a3af4812bd89fa9b3706561b43e20457ac792
-
SHA512
4e29213a950a61e1fd5ca9cab1f7a8b7905010a2eb57a130b4aeda2a9d0ecc9904fe3da3215728a776b83013df92bd8ca78d40afbbd1ba1aa412863736ca7a49
Malware Config
Extracted
nanocore
1.2.2.0
185.140.53.12:1985
127.0.0.1:1985
1b68869e-dd8c-4eea-829f-d7272a505d3a
-
activate_away_mode
true
-
backup_connection_host
127.0.0.1
-
backup_dns_server
8.8.4.4
-
buffer_size
65535
-
build_time
2020-01-17T10:03:49.054089636Z
-
bypass_user_account_control
true
- bypass_user_account_control_data
-
clear_access_control
false
-
clear_zone_identifier
false
-
connect_delay
4000
-
connection_port
1985
-
default_group
kdott
-
enable_debug_mode
true
-
gc_threshold
1.048576e+07
-
keep_alive_timeout
30000
-
keyboard_logging
false
-
lan_timeout
2500
-
max_packet_size
1.048576e+07
-
mutex
1b68869e-dd8c-4eea-829f-d7272a505d3a
-
mutex_timeout
5000
-
prevent_system_sleep
true
-
primary_connection_host
185.140.53.12
-
primary_dns_server
8.8.8.8
-
request_elevation
true
-
restart_delay
5000
-
run_delay
0
-
run_on_startup
false
-
set_critical_process
true
-
timeout_interval
5000
-
use_custom_dns_server
false
-
version
1.2.2.0
-
wan_timeout
8000
Targets
-
-
Target
00008442786.exe
-
Size
1.3MB
-
MD5
b979af7040bd69e7f91b3b4de4e4c3ff
-
SHA1
eeb5e20cf6258c68c9be89dc81683f5bf57a3380
-
SHA256
5e09510e834b75413af64e013eda43df867fab6080facf4227a08ca64861a244
-
SHA512
fdb5a12cbb102f355619761942a28e7b31e9a26ded8fc1cacdd3437d6ccc182e11eb795bdfd472746a968a1ee9be824c5cc44541eb2f51ba1fa68a6ee745e31b
Score10/10-
NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
-
Drops startup file
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-