General
-
Target
Documents.tar.lz
-
Size
804KB
-
Sample
230328-r9rgaabf63
-
MD5
a3b931cf0c0e4232a64f842ec134f495
-
SHA1
6943080fd418b8ed710ff3c8f5d88bc24afcca1b
-
SHA256
482eb10475109e17ac11cfb60a2c79555a3e3b095d1113456d798ef000714acd
-
SHA512
317f9c0ed9e43c922022108d148211cc6ed4aca2479fcfa6c177eefa7f6c87a3c568e33f171821eca73973226d71ceb8318d8fdd4b398476a56131f15ec52adb
-
SSDEEP
12288:spmXhQLER1MovsmJEYFAOI6C91YKqm1YHOuqx35+uGO7X0Y+7/FZm4GgJ2:CmaEnqYFAP6CvAm1YFq5+ui7Ig2
Static task
static1
Behavioral task
behavioral1
Sample
YWjESQ2siMOeTGY.exe
Resource
win7-20230220-en
Malware Config
Extracted
nanocore
1.2.2.0
win2020.zapto.org:10123
34fa688f-c4d0-419c-ba07-1926952dc2c2
-
activate_away_mode
true
-
backup_connection_host
win2020.zapto.org
-
backup_dns_server
8.8.4.4
-
buffer_size
65535
-
build_time
2023-01-06T07:29:23.375362136Z
-
bypass_user_account_control
true
- bypass_user_account_control_data
-
clear_access_control
true
-
clear_zone_identifier
false
-
connect_delay
4000
-
connection_port
10123
-
default_group
built
-
enable_debug_mode
true
-
gc_threshold
1.048576e+07
-
keep_alive_timeout
30000
-
keyboard_logging
false
-
lan_timeout
2500
-
max_packet_size
1.048576e+07
-
mutex
34fa688f-c4d0-419c-ba07-1926952dc2c2
-
mutex_timeout
5000
-
prevent_system_sleep
false
-
primary_connection_host
win2020.zapto.org
-
primary_dns_server
8.8.8.8
-
request_elevation
true
-
restart_delay
5000
-
run_delay
0
-
run_on_startup
false
-
set_critical_process
true
-
timeout_interval
5000
-
use_custom_dns_server
false
-
version
1.2.2.0
-
wan_timeout
8000
Targets
-
-
Target
YWjESQ2siMOeTGY.exe
-
Size
1.2MB
-
MD5
2c9847c76f51b2c6a2fe2abe4a9c91f3
-
SHA1
e3d0facab5b7671ccdac2476a699ab2f817b4479
-
SHA256
a8953f2dca5171e14663eefb973c1793decce1dcd6c7baa63081a3d681dbc1c1
-
SHA512
a85c40c7033a7262cf063f38e845d223701b86d155ed29d12e353487384660dbe06d379de6741e778a939ef47ad8370b809f060108b42967394f8aaa7cd45b73
-
SSDEEP
24576:9A5IeDQd/XJwtr4Xqfbd3TFZNoDoAyfiF1geG68Nq9H9Z2839Y2YXC8bx7wwI3n2:25/QR5wtr4XEbvA+iF1geG68Nq9Hr286
-
Checks computer location settings
Looks up the country code configured in the registry, likely a geofence check.
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-