General
-
Target
BloodFMx64x.exe
-
Size
21.9MB
-
Sample
240708-w2l9tascqp
-
MD5
702ab1cadcca9c85d9d3e577d28371c6
-
SHA1
606addfb7b10515f41e61e5832fdf45abc483bee
-
SHA256
9f8c98828eecab0beeb2f6db642a2820ba10160379663756cc7723d7df1f7de6
-
SHA512
7f4304ff36f1a5c9302ecd67d9bc1b3b9e3e15733819d904642856d2b740b827abb8cff7368f3c99e74520bf87fc247297bf6f4b97443a4ac5100ceb9142ce79
-
SSDEEP
393216:iu7L/sQ1DKmr2pu0tTtdQuslRl99oWOv+9ge6DRXAbejH:iCL0Q1DKmr2puI5dQuqDorvSghRwbO
Behavioral task
behavioral1
Sample
BloodFMx64x.exe
Resource
win10-20240611-en
Behavioral task
behavioral2
Sample
Creal.pyc
Resource
win10-20240404-en
Malware Config
Extracted
nanocore
1.2.2.0
45.74.8.132:1604
127.0.0.1:1604
f8d99e2f-2572-4d85-92e4-cf383d156342
-
activate_away_mode
true
-
backup_connection_host
127.0.0.1
-
backup_dns_server
8.8.4.4
-
buffer_size
65535
-
build_time
2024-03-05T17:57:06.415874336Z
-
bypass_user_account_control
true
- bypass_user_account_control_data
-
clear_access_control
true
-
clear_zone_identifier
false
-
connect_delay
4000
-
connection_port
1604
-
default_group
Default
-
enable_debug_mode
true
-
gc_threshold
1.048576e+07
-
keep_alive_timeout
30000
-
keyboard_logging
false
-
lan_timeout
2500
-
max_packet_size
1.048576e+07
-
mutex
f8d99e2f-2572-4d85-92e4-cf383d156342
-
mutex_timeout
5000
-
prevent_system_sleep
false
-
primary_connection_host
45.74.8.132
-
primary_dns_server
8.8.8.8
-
request_elevation
false
-
restart_delay
5000
-
run_delay
0
-
run_on_startup
false
-
set_critical_process
true
-
timeout_interval
5000
-
use_custom_dns_server
false
-
version
1.2.2.0
-
wan_timeout
8000
Targets
-
-
Target
BloodFMx64x.exe
-
Size
21.9MB
-
MD5
702ab1cadcca9c85d9d3e577d28371c6
-
SHA1
606addfb7b10515f41e61e5832fdf45abc483bee
-
SHA256
9f8c98828eecab0beeb2f6db642a2820ba10160379663756cc7723d7df1f7de6
-
SHA512
7f4304ff36f1a5c9302ecd67d9bc1b3b9e3e15733819d904642856d2b740b827abb8cff7368f3c99e74520bf87fc247297bf6f4b97443a4ac5100ceb9142ce79
-
SSDEEP
393216:iu7L/sQ1DKmr2pu0tTtdQuslRl99oWOv+9ge6DRXAbejH:iCL0Q1DKmr2puI5dQuqDorvSghRwbO
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Executes dropped EXE
-
Loads dropped DLL
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Adds Run key to start application
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
-
-
Target
Creal.pyc
-
Size
29KB
-
MD5
813e50b885df76bc8bd3af306f010d7a
-
SHA1
58a6091cf4915b90baf4625bc43738314d8bab60
-
SHA256
de51d25a95492d641355c32ee9ce0950500695aabbee0351960bca4aaef13a51
-
SHA512
28e67885b5440285a6984e924cb06beb26421d3d5b73571c8004be08bcb392d606d04c5ec8d8e5c6d461c5560299ddb278d3d0daf45febcbd09084abcedb5d87
-
SSDEEP
768:3+lVSjnrr2VsfNEiyAuMMIfznTZMdpV7ISrx5HQtvK17Cvr:30SDrfe3uzTZMB76K176r
Score3/10 -
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1