General
-
Target
a440839332ab9d93644827ad59b21ff2.exe
-
Size
933KB
-
Sample
220906-g4bhrsgcd4
-
MD5
a440839332ab9d93644827ad59b21ff2
-
SHA1
d26b7c87b08e46c567323e3f001a51e9d4b2927e
-
SHA256
40163bbe666ea73c550fff89312262d3307ccfdde0d5fec95eae5deb1a1a6243
-
SHA512
1c74859a877881624945a0f8372d074ba0f39cd4bbebbe25b4887306383f664bf3298ed970f2a9100ff91d62792d2c6b206417c2d4ede99eb20d27b4cf978627
-
SSDEEP
24576:bZ5vT5H5dGICDJpXSYOcqFnN9Ir1mcXY+mzo3bv:l5bp5dGICHSYpSS1XlmzM
Static task
static1
Behavioral task
behavioral1
Sample
a440839332ab9d93644827ad59b21ff2.exe
Resource
win7-20220812-en
Malware Config
Extracted
nanocore
1.2.2.0
welu111.ddns.net:2404
127.0.0.1:2404
fc32f95c-2910-433f-b101-8576e258a05d
-
activate_away_mode
true
-
backup_connection_host
127.0.0.1
- backup_dns_server
-
buffer_size
65535
-
build_time
2022-06-11T12:29:33.575754536Z
-
bypass_user_account_control
true
- bypass_user_account_control_data
-
clear_access_control
true
-
clear_zone_identifier
true
-
connect_delay
4000
-
connection_port
2404
-
default_group
Cass
-
enable_debug_mode
true
-
gc_threshold
1.048576e+07
-
keep_alive_timeout
30000
-
keyboard_logging
false
-
lan_timeout
2500
-
max_packet_size
1.048576e+07
-
mutex
fc32f95c-2910-433f-b101-8576e258a05d
-
mutex_timeout
5000
-
prevent_system_sleep
true
-
primary_connection_host
welu111.ddns.net
- primary_dns_server
-
request_elevation
true
-
restart_delay
5000
-
run_delay
0
-
run_on_startup
true
-
set_critical_process
true
-
timeout_interval
5000
-
use_custom_dns_server
false
-
version
1.2.2.0
-
wan_timeout
8000
Targets
-
-
Target
a440839332ab9d93644827ad59b21ff2.exe
-
Size
933KB
-
MD5
a440839332ab9d93644827ad59b21ff2
-
SHA1
d26b7c87b08e46c567323e3f001a51e9d4b2927e
-
SHA256
40163bbe666ea73c550fff89312262d3307ccfdde0d5fec95eae5deb1a1a6243
-
SHA512
1c74859a877881624945a0f8372d074ba0f39cd4bbebbe25b4887306383f664bf3298ed970f2a9100ff91d62792d2c6b206417c2d4ede99eb20d27b4cf978627
-
SSDEEP
24576:bZ5vT5H5dGICDJpXSYOcqFnN9Ir1mcXY+mzo3bv:l5bp5dGICHSYpSS1XlmzM
-
Checks computer location settings
Looks up the country code configured in the registry, likely used for geofencing.
-
Suspicious use of SetThreadContext
-