General
-
Target
cd5bcc1fa279d9ecc49060a291ca60b414ccf4decbe88633b22159238c17834e
-
Size
871KB
-
Sample
221128-sdsvxaca49
-
MD5
f9a888a62c5c54338a8516428730d7f4
-
SHA1
642da4c08c157d9baa6ad79d40ff2432d7e174d9
-
SHA256
cd5bcc1fa279d9ecc49060a291ca60b414ccf4decbe88633b22159238c17834e
-
SHA512
531305795fbb608c006dfa04cd5ad16861c3a359ab805be14cc305e5861c37eeeb3d77b9ea5650137f619636c66f7378785d7c1b91a43467d017c7fab2c15def
-
SSDEEP
12288:6ulbNxAOzA4EVE/dvm4L/Nxb79U7T0hozJyyhcjs8jT:6ulxxH7GEFvmKFR7a7TrLw
Malware Config
Extracted
nanocore
-
activate_away_mode
false
- backup_connection_host
- backup_dns_server
-
buffer_size
0
-
build_time
0001-01-01T00:00:00Z
-
bypass_user_account_control
false
- bypass_user_account_control_data
-
clear_access_control
false
-
clear_zone_identifier
false
-
connect_delay
0
-
connection_port
0
- default_group
-
enable_debug_mode
false
-
gc_threshold
0
-
keep_alive_timeout
0
-
keyboard_logging
false
-
lan_timeout
0
-
max_packet_size
0
- mutex
-
mutex_timeout
0
-
prevent_system_sleep
false
- primary_connection_host
- primary_dns_server
-
request_elevation
false
-
restart_delay
0
-
run_delay
0
-
run_on_startup
false
-
set_critical_process
false
-
timeout_interval
0
-
use_custom_dns_server
false
- version
-
wan_timeout
0
Targets
-
-
Target
cd5bcc1fa279d9ecc49060a291ca60b414ccf4decbe88633b22159238c17834e
-
Size
871KB
-
MD5
f9a888a62c5c54338a8516428730d7f4
-
SHA1
642da4c08c157d9baa6ad79d40ff2432d7e174d9
-
SHA256
cd5bcc1fa279d9ecc49060a291ca60b414ccf4decbe88633b22159238c17834e
-
SHA512
531305795fbb608c006dfa04cd5ad16861c3a359ab805be14cc305e5861c37eeeb3d77b9ea5650137f619636c66f7378785d7c1b91a43467d017c7fab2c15def
-
SSDEEP
12288:6ulbNxAOzA4EVE/dvm4L/Nxb79U7T0hozJyyhcjs8jT:6ulxxH7GEFvmKFR7a7TrLw
Score10/10-
Modifies WinLogon for persistence
-
NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
-
Executes dropped EXE
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL
-
Checks whether UAC is enabled
-
Drops desktop.ini file(s)
-
Suspicious use of SetThreadContext
-