General
-
Target
5888570a4481de3013ba35108c229255e430972dac28c4ef535b4bf24bcc8925
-
Size
1.9MB
-
Sample
221128-sdtr7sga4w
-
MD5
b4d0ee296eef25fa161168ec278e5223
-
SHA1
74e42f729202eef75a2aa74476f6e442bcdee314
-
SHA256
5888570a4481de3013ba35108c229255e430972dac28c4ef535b4bf24bcc8925
-
SHA512
77372b55d9b58aaa8bec7e33223485e468f6fe1f96383fe5c1a131e03b4a607fcc0eeed71ac27ad35707790a2da885115bc7f8cba9677ccad53681eb756b1312
-
SSDEEP
49152:QVg5tQ7aim3ZL8i1yJxWwn2SDgv0S3Evq5:yg56c3ZD1yJx120v
Static task
static1
Behavioral task
behavioral1
Sample
5888570a4481de3013ba35108c229255e430972dac28c4ef535b4bf24bcc8925.exe
Resource
win7-20220812-en
Malware Config
Extracted
nanocore
1.2.2.0
svr.fspy.cf:59281
c1bf9821-e6f8-48d7-9afc-2708b8b56a12
-
activate_away_mode
true
-
backup_connection_host
svr.fspy.cf
-
backup_dns_server
8.8.4.4
-
buffer_size
65535
-
build_time
2014-12-14T15:37:42.904174436Z
-
bypass_user_account_control
true
- bypass_user_account_control_data
-
clear_access_control
true
-
clear_zone_identifier
true
-
connect_delay
4000
-
connection_port
59281
-
default_group
Auto CD
-
enable_debug_mode
true
-
gc_threshold
1.048576e+07
-
keep_alive_timeout
30000
-
keyboard_logging
false
-
lan_timeout
2500
-
max_packet_size
1.048576e+07
-
mutex
c1bf9821-e6f8-48d7-9afc-2708b8b56a12
-
mutex_timeout
5000
-
prevent_system_sleep
false
-
primary_connection_host
svr.fspy.cf
-
primary_dns_server
8.8.8.8
-
request_elevation
true
-
restart_delay
5000
-
run_delay
0
-
run_on_startup
true
-
set_critical_process
true
-
timeout_interval
5000
-
use_custom_dns_server
false
-
version
1.2.2.0
-
wan_timeout
8000
Targets
-
-
Target
5888570a4481de3013ba35108c229255e430972dac28c4ef535b4bf24bcc8925
-
Size
1.9MB
-
MD5
b4d0ee296eef25fa161168ec278e5223
-
SHA1
74e42f729202eef75a2aa74476f6e442bcdee314
-
SHA256
5888570a4481de3013ba35108c229255e430972dac28c4ef535b4bf24bcc8925
-
SHA512
77372b55d9b58aaa8bec7e33223485e468f6fe1f96383fe5c1a131e03b4a607fcc0eeed71ac27ad35707790a2da885115bc7f8cba9677ccad53681eb756b1312
-
SSDEEP
49152:QVg5tQ7aim3ZL8i1yJxWwn2SDgv0S3Evq5:yg56c3ZD1yJx120v
-
Executes dropped EXE
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL
-
Uses the VBS compiler for execution
-
Adds Run key to start application
-
AutoIT Executable
AutoIT scripts compiled to PE executables.
-
Suspicious use of SetThreadContext
-