General
-
Target
d98b360e720475ce31f7c4166e070aebeabdbc93030638471bd46830e357ac2b.exe
-
Size
768KB
-
Sample
240524-ys5qxahc9x
-
MD5
6f91cb1add0cd6ab354136abea8aeaf6
-
SHA1
32aa99408052c3d02f5ae7e3d7febe8b8efa1d31
-
SHA256
d98b360e720475ce31f7c4166e070aebeabdbc93030638471bd46830e357ac2b
-
SHA512
40c24da1054bfcd310f66ab85d130f7a489efc3bcad96e323448408455064f749642b3210a2a9601f1cb79d5d2ce585717713463fcfd5400f1ec16f6d674e927
-
SSDEEP
6144:k9yTy7uBrWgbDM1SWF3BrKFo9djMwaKmejO0PfUR/45YW4oZ1:9u7u0hV3Ldj8KmejFa/W4oZ1
Behavioral task
behavioral1
Sample
d98b360e720475ce31f7c4166e070aebeabdbc93030638471bd46830e357ac2b.exe
Resource
win7-20231129-en
Malware Config
Extracted
nanocore
1.2.2.0
ayewhatsgoodbrolmao.duckdns.org:1689
ed58a5b4-4802-46f0-9695-e5f1b9681af3
-
activate_away_mode
true
- backup_connection_host
-
backup_dns_server
8.8.4.4
-
buffer_size
65535
-
build_time
2019-05-03T02:59:00.930314836Z
-
bypass_user_account_control
true
- bypass_user_account_control_data
-
clear_access_control
true
-
clear_zone_identifier
false
-
connect_delay
4000
-
connection_port
1689
-
default_group
Default
-
enable_debug_mode
true
-
gc_threshold
1.048576e+07
-
keep_alive_timeout
30000
-
keyboard_logging
false
-
lan_timeout
2500
-
max_packet_size
1.048576e+07
-
mutex
ed58a5b4-4802-46f0-9695-e5f1b9681af3
-
mutex_timeout
5000
-
prevent_system_sleep
false
-
primary_connection_host
ayewhatsgoodbrolmao.duckdns.org
-
primary_dns_server
8.8.8.8
-
request_elevation
true
-
restart_delay
5000
-
run_delay
0
-
run_on_startup
true
-
set_critical_process
true
-
timeout_interval
5000
-
use_custom_dns_server
false
-
version
1.2.2.0
-
wan_timeout
8000
Targets
-
-
Target
d98b360e720475ce31f7c4166e070aebeabdbc93030638471bd46830e357ac2b.exe
-
Size
768KB
-
MD5
6f91cb1add0cd6ab354136abea8aeaf6
-
SHA1
32aa99408052c3d02f5ae7e3d7febe8b8efa1d31
-
SHA256
d98b360e720475ce31f7c4166e070aebeabdbc93030638471bd46830e357ac2b
-
SHA512
40c24da1054bfcd310f66ab85d130f7a489efc3bcad96e323448408455064f749642b3210a2a9601f1cb79d5d2ce585717713463fcfd5400f1ec16f6d674e927
-
SSDEEP
6144:k9yTy7uBrWgbDM1SWF3BrKFo9djMwaKmejO0PfUR/45YW4oZ1:9u7u0hV3Ldj8KmejFa/W4oZ1
-
Detect Neshta payload
-
Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Modifies system executable filetype association
-
Drops desktop.ini file(s)
-
Suspicious use of SetThreadContext
-