General
-
Target
a9c7db15a1a3040a8d1590389d4102c00f5f2fa05033f7d2f7c90e1e8a8ef8b8
-
Size
1.0MB
-
Sample
221001-26x5rscfcj
-
MD5
02bf5a10f714bc458c2f72606e60f120
-
SHA1
3bdcb11ca4f88369dd0611a59c4d74a0adeb7a18
-
SHA256
a9c7db15a1a3040a8d1590389d4102c00f5f2fa05033f7d2f7c90e1e8a8ef8b8
-
SHA512
319eaa43b97d4f0bf7dc3071a4093838503700fd7ce1b9cc9e827225b91d108bc54a699c150132f3d988df5a8bfd2dfd6542d21dec146ce5c39ce53c9fcc5d37
-
SSDEEP
12288:9tb20Qc3lT7af41ePBRYuQLKpqeUhbTv5OFgNuPPpHSgaQluHUw5zoM5csnYT9M5:9tb20pkaCqT5TBWgNQ7aOuHj57nsM6A
Static task
static1
Behavioral task
behavioral1
Sample
a9c7db15a1a3040a8d1590389d4102c00f5f2fa05033f7d2f7c90e1e8a8ef8b8.exe
Resource
win7-20220812-en
Malware Config
Extracted
nanocore
1.2.2.0
adam150994.mooo.com:666
6b975470-a14f-4d2b-80ad-e81702c60910
-
activate_away_mode
true
- backup_connection_host
-
backup_dns_server
8.8.4.4
-
buffer_size
65535
-
build_time
2015-04-28T03:08:37.908955436Z
-
bypass_user_account_control
true
- bypass_user_account_control_data
-
clear_access_control
true
-
clear_zone_identifier
true
-
connect_delay
4000
-
connection_port
666
-
default_group
Default
-
enable_debug_mode
true
-
gc_threshold
1.048576e+07
-
keep_alive_timeout
30000
-
keyboard_logging
false
-
lan_timeout
2500
-
max_packet_size
1.048576e+07
-
mutex
6b975470-a14f-4d2b-80ad-e81702c60910
-
mutex_timeout
5000
-
prevent_system_sleep
true
-
primary_connection_host
adam150994.mooo.com
-
primary_dns_server
8.8.8.8
-
request_elevation
true
-
restart_delay
5000
-
run_delay
0
-
run_on_startup
true
-
set_critical_process
true
-
timeout_interval
5000
-
use_custom_dns_server
false
-
version
1.2.2.0
-
wan_timeout
8000
Targets
-
-
Target
a9c7db15a1a3040a8d1590389d4102c00f5f2fa05033f7d2f7c90e1e8a8ef8b8
-
Size
1.0MB
-
MD5
02bf5a10f714bc458c2f72606e60f120
-
SHA1
3bdcb11ca4f88369dd0611a59c4d74a0adeb7a18
-
SHA256
a9c7db15a1a3040a8d1590389d4102c00f5f2fa05033f7d2f7c90e1e8a8ef8b8
-
SHA512
319eaa43b97d4f0bf7dc3071a4093838503700fd7ce1b9cc9e827225b91d108bc54a699c150132f3d988df5a8bfd2dfd6542d21dec146ce5c39ce53c9fcc5d37
-
SSDEEP
12288:9tb20Qc3lT7af41ePBRYuQLKpqeUhbTv5OFgNuPPpHSgaQluHUw5zoM5csnYT9M5:9tb20pkaCqT5TBWgNQ7aOuHj57nsM6A
-
Checks computer location settings
Looks up the country code configured in the registry; likely used as a geofence check.
-
Uses the VBS compiler for execution
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-