General
-
Target
b1c3531e42693813af3374a936bebb27826eb5d9e58e30a3cdfe0a7786d37876
-
Size
945KB
-
Sample
221126-gdyklsac31
-
MD5
6cf70668721637d6095a3cfba9ad7d53
-
SHA1
c79ebef27047001b79977813536f5568c18b399c
-
SHA256
b1c3531e42693813af3374a936bebb27826eb5d9e58e30a3cdfe0a7786d37876
-
SHA512
bdc951481c4612e015ce104ec4b8774109e948d887eddab4c766f405de73342648cd1bbcf9f2e61e7005bf955ad839238ff6e4883a2889df507968070addc4a2
-
SSDEEP
24576:2YF8QRDrhPkHoKZxIQsysXUccszHbvEelUCDei:98QDiPZxImUG4zvUp
Static task
static1
Behavioral task
behavioral1
Sample
b1c3531e42693813af3374a936bebb27826eb5d9e58e30a3cdfe0a7786d37876.exe
Resource
win7-20221111-en
Behavioral task
behavioral2
Sample
b1c3531e42693813af3374a936bebb27826eb5d9e58e30a3cdfe0a7786d37876.exe
Resource
win10v2004-20221111-en
Malware Config
Extracted
nanocore
1.2.1.1
jesusfountain.redirectme.net:54557
93e4b02c-abdc-4e66-ae1c-828d68851ee9
-
activate_away_mode
true
- backup_connection_host
- backup_dns_server
-
buffer_size
65535
-
build_time
2014-10-21T10:21:59.185241736Z
-
bypass_user_account_control
true
- bypass_user_account_control_data
-
clear_access_control
true
-
clear_zone_identifier
false
-
connect_delay
4000
-
connection_port
54557
-
default_group
Project School
-
enable_debug_mode
true
-
gc_threshold
1.048576e+07
-
keep_alive_timeout
30000
-
keyboard_logging
false
-
lan_timeout
2500
-
max_packet_size
1.048576e+07
-
mutex
93e4b02c-abdc-4e66-ae1c-828d68851ee9
-
mutex_timeout
5000
-
prevent_system_sleep
false
-
primary_connection_host
jesusfountain.redirectme.net
- primary_dns_server
-
request_elevation
true
-
restart_delay
5000
-
run_delay
0
-
run_on_startup
true
-
set_critical_process
true
-
timeout_interval
5000
-
use_custom_dns_server
false
-
version
1.2.1.1
-
wan_timeout
8000
Targets
-
-
Target
b1c3531e42693813af3374a936bebb27826eb5d9e58e30a3cdfe0a7786d37876
-
Size
945KB
-
MD5
6cf70668721637d6095a3cfba9ad7d53
-
SHA1
c79ebef27047001b79977813536f5568c18b399c
-
SHA256
b1c3531e42693813af3374a936bebb27826eb5d9e58e30a3cdfe0a7786d37876
-
SHA512
bdc951481c4612e015ce104ec4b8774109e948d887eddab4c766f405de73342648cd1bbcf9f2e61e7005bf955ad839238ff6e4883a2889df507968070addc4a2
-
SSDEEP
24576:2YF8QRDrhPkHoKZxIQsysXUccszHbvEelUCDei:98QDiPZxImUG4zvUp
-
Maps connected drives based on registry
Disk information is often read in order to detect sandbox environments (fingerprinting the host before executing further).
-
Suspicious use of SetThreadContext
-