General
-
Target
56333ebe0e71a128151a373386f152598dfac647a0f9c7c6cf6d48c8e2d6081f
-
Size
4.3MB
-
Sample
220725-fn5w1afhbq
-
MD5
5b2f4e07e883c0b165daaba2127a589f
-
SHA1
c9edf782418140d7720f58d996dbcaeec965ee50
-
SHA256
56333ebe0e71a128151a373386f152598dfac647a0f9c7c6cf6d48c8e2d6081f
-
SHA512
80be5d187ad54b8396fab7045bc7f15f1eb1434bfa2e30707b4f4b5e59548039f2ee2cc8f6b4f7edde01bfd680306fcd875bf653be8b88c6d67bd6fb26e84010
Static task
static1
Behavioral task
behavioral1
Sample
56333ebe0e71a128151a373386f152598dfac647a0f9c7c6cf6d48c8e2d6081f.exe
Resource
win7-20220718-en
Malware Config
Extracted
nanocore
1.2.2.0
109.230.215.181:1604
127.0.0.1:1604
7fa6e9c8-20ea-4047-9f02-2251015e4ea4
-
activate_away_mode
false
-
backup_connection_host
127.0.0.1
-
backup_dns_server
8.8.4.4
-
buffer_size
65535
-
build_time
2018-03-10T10:37:21.189476636Z
-
bypass_user_account_control
true
-
bypass_user_account_control_data
-
clear_access_control
false
-
clear_zone_identifier
false
-
connect_delay
4000
-
connection_port
1604
-
default_group
crypt authorized
-
enable_debug_mode
true
-
gc_threshold
1.048576e+07
-
keep_alive_timeout
30000
-
keyboard_logging
false
-
lan_timeout
2500
-
max_packet_size
1.048576e+07
-
mutex
7fa6e9c8-20ea-4047-9f02-2251015e4ea4
-
mutex_timeout
5000
-
prevent_system_sleep
false
-
primary_connection_host
109.230.215.181
-
primary_dns_server
8.8.8.8
-
request_elevation
false
-
restart_delay
5000
-
run_delay
0
-
run_on_startup
false
-
set_critical_process
true
-
timeout_interval
5000
-
use_custom_dns_server
false
-
version
1.2.2.0
-
wan_timeout
8000
Extracted
quasar
1.4.0.0
public
109.230.215.181:4782
wrZ9bZkif6pZsmpibj
-
encryption_key
OAlqwcOC5GAUaDQi56x4
-
install_name
Client.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
RDPBlox Agent
-
subdirectory
SubDir
Targets
-
-
Target
56333ebe0e71a128151a373386f152598dfac647a0f9c7c6cf6d48c8e2d6081f
-
Size
4.3MB
-
MD5
5b2f4e07e883c0b165daaba2127a589f
-
SHA1
c9edf782418140d7720f58d996dbcaeec965ee50
-
SHA256
56333ebe0e71a128151a373386f152598dfac647a0f9c7c6cf6d48c8e2d6081f
-
SHA512
80be5d187ad54b8396fab7045bc7f15f1eb1434bfa2e30707b4f4b5e59548039f2ee2cc8f6b4f7edde01bfd680306fcd875bf653be8b88c6d67bd6fb26e84010
-
Modifies visibility of hidden/system files in Explorer
-
Quasar payload
-
suricata: ET MALWARE Common RAT Connectivity Check Observed
suricata: ET MALWARE Common RAT Connectivity Check Observed
-
Executes dropped EXE
-
Checks computer location settings
Looks up the country code configured in the registry, likely used as a geofence.
-
Loads dropped DLL
-
Adds Run key to start application
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory
-