General
- Target: Payment Order.rar
- Size: 624KB
- Sample: 221004-g6x5jsfgbk
- MD5: 3d05e3e71a4c2f3666e19be38eb5987d
- SHA1: 1a10c8882cd4f2a72a4d7a50ff774c012c4901e8
- SHA256: 0a8def931d63d0725952e49aca0a2b1e95ee51d6ec8f0dbd8aa6e8145e3ee7f0
- SHA512: c4036e2c5b9017eb26ad5fe0b03b77f12fdc2386029be17b3da35b518cc9ff7ba14c58288de221348f6f801724cb3f206f1bcad640ea25c363462043d41640b3
- SSDEEP: 12288:zeg/s4JwSHlFKp6WXuo+IpxtlVP0WPm3elE53OD/MdQ0G5CCqM2lfGFK:zecJwf/FddPm3p5KMjGNF2n
Static task: static1
Behavioral task: behavioral1
- Sample: Payment Order.exe
- Resource: win7-20220812-en
Malware Config
Extracted
nanocore
1.2.2.0
tochi.ddns.net:1177
127.0.0.1:1177
5640475c-30f6-4f19-b86f-d53c3910bce7
- activate_away_mode: true
- backup_connection_host: 127.0.0.1
- backup_dns_server: 37.235.1.177
- buffer_size: 65535
- build_time: 2022-07-02T08:25:26.509790436Z
- bypass_user_account_control: true
- bypass_user_account_control_data
- clear_access_control: true
- clear_zone_identifier: false
- connect_delay: 4000
- connection_port: 1177
- default_group: money transfer
- enable_debug_mode: true
- gc_threshold: 1.048576e+07
- keep_alive_timeout: 30000
- keyboard_logging: false
- lan_timeout: 2500
- max_packet_size: 1.048576e+07
- mutex: 5640475c-30f6-4f19-b86f-d53c3910bce7
- mutex_timeout: 5000
- prevent_system_sleep: false
- primary_connection_host: tochi.ddns.net
- primary_dns_server: 37.235.1.174
- request_elevation: true
- restart_delay: 5000
- run_delay: 0
- run_on_startup: false
- set_critical_process: true
- timeout_interval: 5000
- use_custom_dns_server: false
- version: 1.2.2.0
- wan_timeout: 8000
Targets
- Target: Payment Order.exe
- Size: 1.0MB
- MD5: 11711e45cabcdda6408597a44517c9aa
- SHA1: 087d435882f0fca5b85ab34d981814ea8e5f4bad
- SHA256: 73e0cfe89cdb7759de8338d0174f721d8ae60539e5ea8f5236548de0513b5054
- SHA512: 9694cacd6759dfba4fec7cfdd6bdabc6f22edf3d1702dfe61dd4afbda3f1e2e56986873153977f28b29bbde75274231a2e4b555b94e13157bcf84085ea0c63e6
- SSDEEP: 12288:W8qK4HTNcD9wIZbySXVNrY9oJ2UfDRqKgUm4KR2YQqwMd1ndT:WMD9jXXRDcym4g2YQ6vT
- Checks computer location settings: Looks up country code configured in the registry, likely geofence.
- Unexpected DNS network traffic destination: Network traffic to other servers than the configured DNS servers was detected on the DNS port.
- Adds Run key to start application
- Suspicious use of SetThreadContext