General
-
Target
BloodFMx64x.exe
-
Size
21.9MB
-
Sample
240708-xfyamatapr
-
MD5
702ab1cadcca9c85d9d3e577d28371c6
-
SHA1
606addfb7b10515f41e61e5832fdf45abc483bee
-
SHA256
9f8c98828eecab0beeb2f6db642a2820ba10160379663756cc7723d7df1f7de6
-
SHA512
7f4304ff36f1a5c9302ecd67d9bc1b3b9e3e15733819d904642856d2b740b827abb8cff7368f3c99e74520bf87fc247297bf6f4b97443a4ac5100ceb9142ce79
-
SSDEEP
393216:iu7L/sQ1DKmr2pu0tTtdQuslRl99oWOv+9ge6DRXAbejH:iCL0Q1DKmr2puI5dQuqDorvSghRwbO
Malware Config
Extracted
nanocore
1.2.2.0
45.74.8.132:1604
127.0.0.1:1604
mygabs.ddns.net:1337
127.0.0.1:1337
f8d99e2f-2572-4d85-92e4-cf383d156342
-
activate_away_mode
true
-
backup_connection_host
127.0.0.1
-
backup_dns_server
8.8.4.4
-
buffer_size
65535
-
build_time
2024-03-05T17:57:06.415874336Z
-
bypass_user_account_control
true
- bypass_user_account_control_data
-
clear_access_control
true
-
clear_zone_identifier
false
-
connect_delay
4000
-
connection_port
1604
-
default_group
Default
-
enable_debug_mode
true
-
gc_threshold
1.048576e+07
-
keep_alive_timeout
30000
-
keyboard_logging
false
-
lan_timeout
2500
-
max_packet_size
1.048576e+07
-
mutex
f8d99e2f-2572-4d85-92e4-cf383d156342
-
mutex_timeout
5000
-
prevent_system_sleep
false
-
primary_connection_host
45.74.8.132
-
primary_dns_server
8.8.8.8
-
request_elevation
false
-
restart_delay
5000
-
run_delay
0
-
run_on_startup
false
-
set_critical_process
true
-
timeout_interval
5000
-
use_custom_dns_server
false
-
version
1.2.2.0
-
wan_timeout
8000
Targets
-
-
Target
BloodFMx64x.exe
-
Size
21.9MB
-
MD5
702ab1cadcca9c85d9d3e577d28371c6
-
SHA1
606addfb7b10515f41e61e5832fdf45abc483bee
-
SHA256
9f8c98828eecab0beeb2f6db642a2820ba10160379663756cc7723d7df1f7de6
-
SHA512
7f4304ff36f1a5c9302ecd67d9bc1b3b9e3e15733819d904642856d2b740b827abb8cff7368f3c99e74520bf87fc247297bf6f4b97443a4ac5100ceb9142ce79
-
SSDEEP
393216:iu7L/sQ1DKmr2pu0tTtdQuslRl99oWOv+9ge6DRXAbejH:iCL0Q1DKmr2puI5dQuqDorvSghRwbO
Score10/10-
NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
-
njRAT/Bladabindi
Widely used RAT written in .NET.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Executes dropped EXE
-
Loads dropped DLL
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Adds Run key to start application
-
Checks whether UAC is enabled
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1