General
-
Target
4a1115d9a10e4c820fba3baa552e97bb50785a5f7d3fd1a0e72baa189855aa91.zip
-
Size
92KB
-
Sample
221010-tpbanscec4
-
MD5
af8b55fc3b2cdafaf121674c148388e2
-
SHA1
6b6da8ec50090b2e0ceb2f4a45cac078ca793c19
-
SHA256
70a93613417666b6510d74c43274e63eaf29fa1e382abf8f21f4b011fbb07440
-
SHA512
d261e3745e3aa742c234912d0cd6a49eeea01f6e02679d058f3b7fb695fddf35bb86a052d9e69da36bc8bf9ac4ded81e12646a1dfa3a61670b350237c7868a3a
-
SSDEEP
1536:+Af2BGqBYfm6QXQMyNkW5GTFItCrfSviPVIMSxRy5ReygF2nShgUAx+TubxPimbL:WtYfm6QXQMKk7TAAPVk2KonSaSTwxDL
Static task
static1
Behavioral task
behavioral1
Sample
Shipment receipt.exe
Resource
win7-20220812-en
Malware Config
Extracted
nanocore
1.2.2.0
ratagain.gleeze.com:5050
ratagainbk.gleeze.com:5050
facea582-6bb8-4111-bf8c-c4bbbdd42ea8
-
activate_away_mode
true
-
backup_connection_host
ratagainbk.gleeze.com
-
backup_dns_server
8.8.4.4
-
buffer_size
65535
-
build_time
2022-01-24T09:08:07.151828536Z
-
bypass_user_account_control
true
-
bypass_user_account_control_data
-
clear_access_control
true
-
clear_zone_identifier
false
-
connect_delay
4000
-
connection_port
5050
-
default_group
April
-
enable_debug_mode
true
-
gc_threshold
1.048576e+07
-
keep_alive_timeout
30000
-
keyboard_logging
false
-
lan_timeout
2500
-
max_packet_size
1.048576e+07
-
mutex
facea582-6bb8-4111-bf8c-c4bbbdd42ea8
-
mutex_timeout
5000
-
prevent_system_sleep
false
-
primary_connection_host
ratagain.gleeze.com
-
primary_dns_server
8.8.8.8
-
request_elevation
true
-
restart_delay
5000
-
run_delay
0
-
run_on_startup
true
-
set_critical_process
true
-
timeout_interval
5000
-
use_custom_dns_server
false
-
version
1.2.2.0
-
wan_timeout
8000
Targets
-
-
Target
Shipment receipt.exe
-
Size
231KB
-
MD5
8af8789eac67de3b398fd91caad301c7
-
SHA1
46a834f5f2a07eefec376232b8785187c46bab5d
-
SHA256
0439c7d1f0b9dd75617a6cd78c086139feccd6a2eb91d43e3d09e6194f14bebd
-
SHA512
831f6d22a66a272cbe603d638a9e02685b587ce97ef7730f930c72a70f68a285afa005d090d950797bcb0c4fbb45d6a6f5401d29f7fd2037670086f656ffe7da
-
SSDEEP
3072:NW3q9x4CuQqhAp05FIGRnNadfS5AmqKnoeN:NmqvyhAp05FnNKmqKoe
-
Checks computer location settings
Looks up the country code configured in the registry, likely used for geofencing.
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-