General

Target: e68fb6d42a42740b6d82c87d6c711a0b1d3ce9df155d9228793d601effafada6
Size: 1.1MB
Sample: 221128-tmb47abe9z
MD5: 7872635b4f27d3a4e8644c0ac2d5c709
SHA1: 23659e094134fb1e1880128dd0dbdefc906c8a7d
SHA256: e68fb6d42a42740b6d82c87d6c711a0b1d3ce9df155d9228793d601effafada6
SHA512: 4f1d527df9cce33ce10a0a0cb94d9e18e88f578684f4f5a4505bf90dcc91d22225cf37e2ac3a16f77df6dba038afb731573d80e8e269d7387353506c44d74c43
SSDEEP: 24576:5t24wg7O4LmlIYFp/2WZ+fNOlJaTtfHd0aR+OSgLphaZ3etWrX:FeaoxpZ4NKJM2n8hm3vX
Static task: static1
Behavioral task: behavioral1
Sample: e68fb6d42a42740b6d82c87d6c711a0b1d3ce9df155d9228793d601effafada6.exe
Resource: win7-20220812-en
Malware Config

Extracted family: nanocore
Version: 1.2.1.1
C2 (primary_connection_host:connection_port): kelbhie.duckdns.org:5555
Mutex: 4f1583aa-6415-4260-8840-9e9676138612

activate_away_mode: true
backup_connection_host:
backup_dns_server:
buffer_size: 65535
build_time: 2014-11-29T05:30:14.715834136Z
bypass_user_account_control: true
bypass_user_account_control_data:
clear_access_control: true
clear_zone_identifier: false
connect_delay: 4000
connection_port: 5555
default_group: Default
enable_debug_mode: true
gc_threshold: 1.048576e+07
keep_alive_timeout: 30000
keyboard_logging: false
lan_timeout: 2500
max_packet_size: 1.048576e+07
mutex: 4f1583aa-6415-4260-8840-9e9676138612
mutex_timeout: 5000
prevent_system_sleep: false
primary_connection_host: kelbhie.duckdns.org
primary_dns_server:
request_elevation: true
restart_delay: 5000
run_delay: 0
run_on_startup: true
set_critical_process: true
timeout_interval: 5000
use_custom_dns_server: false
version: 1.2.1.1
wan_timeout: 8000
Targets

Target: e68fb6d42a42740b6d82c87d6c711a0b1d3ce9df155d9228793d601effafada6 (1.1MB; hashes as listed under General)
Signatures observed:
- Executes dropped EXE
- Checks computer location settings (looks up the country code configured in the registry; likely a geofence)
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext