General
-
Target
bda8b5ce5d38f005652df75f85c448d3027dde0955e529a28369d4e9b9c22c3a
-
Size
853KB
-
Sample
221128-xxybysab32
-
MD5
16bd4ad24f1abdb13de7161ca3cb85b7
-
SHA1
91963af6d3bd7ece5215a9a7dc9d51fd994340a3
-
SHA256
bda8b5ce5d38f005652df75f85c448d3027dde0955e529a28369d4e9b9c22c3a
-
SHA512
541818cab732d222a547494118d7fdced704449032492481d7b0a6fa469dfdedcb6ae2cf04564d5d0eb76001d7c2ada5eedceafc2befc807b6895e1354fe111d
-
SSDEEP
12288:Sru76kH+yNXi4I0+q1tRLRZFjtEDhgkQH/ePh6oTJgN/aVA78ZhK00ZdcouZAp66:SrfkH+C+chjmPh6CCRuC4sdULIBx
Static task
static1
Behavioral task
behavioral1
Sample
bda8b5ce5d38f005652df75f85c448d3027dde0955e529a28369d4e9b9c22c3a.exe
Resource
win7-20220812-en
Malware Config
Extracted
nanocore
1.2.2.0
176.31.117.22:4562
127.0.0.1:4562
f74e4b6d-6d36-40dd-9389-0244b13be035
-
activate_away_mode
true
-
backup_connection_host
127.0.0.1
- backup_dns_server
-
buffer_size
65535
-
build_time
2014-12-12T18:38:05.642160236Z
-
bypass_user_account_control
true
- bypass_user_account_control_data
-
clear_access_control
true
-
clear_zone_identifier
true
-
connect_delay
4000
-
connection_port
4562
-
default_group
Home
-
enable_debug_mode
true
-
gc_threshold
1.048576e+07
-
keep_alive_timeout
30000
-
keyboard_logging
false
-
lan_timeout
2500
-
max_packet_size
1.048576e+07
-
mutex
f74e4b6d-6d36-40dd-9389-0244b13be035
-
mutex_timeout
5000
-
prevent_system_sleep
true
-
primary_connection_host
176.31.117.22
- primary_dns_server
-
request_elevation
true
-
restart_delay
5000
-
run_delay
0
-
run_on_startup
true
-
set_critical_process
true
-
timeout_interval
5000
-
use_custom_dns_server
false
-
version
1.2.2.0
-
wan_timeout
8000
Targets
-
-
Target
bda8b5ce5d38f005652df75f85c448d3027dde0955e529a28369d4e9b9c22c3a
-
Size
853KB
-
MD5
16bd4ad24f1abdb13de7161ca3cb85b7
-
SHA1
91963af6d3bd7ece5215a9a7dc9d51fd994340a3
-
SHA256
bda8b5ce5d38f005652df75f85c448d3027dde0955e529a28369d4e9b9c22c3a
-
SHA512
541818cab732d222a547494118d7fdced704449032492481d7b0a6fa469dfdedcb6ae2cf04564d5d0eb76001d7c2ada5eedceafc2befc807b6895e1354fe111d
-
SSDEEP
12288:Sru76kH+yNXi4I0+q1tRLRZFjtEDhgkQH/ePh6oTJgN/aVA78ZhK00ZdcouZAp66:SrfkH+C+chjmPh6CCRuC4sdULIBx
-
Executes dropped EXE
-
Checks computer location settings
Looks up the country code configured in the registry; this is likely used as a geofence check.
-
Loads dropped DLL
-
Suspicious use of SetThreadContext
-