General
-
Target
b2c04bb4-1039-4836-bca6-bd4211df1190
-
Size
524KB
-
Sample
241204-1fjzsasmfx
-
MD5
81ffddf2c1d7905204a67f6577e2dc68
-
SHA1
a89c37a3e12a46ac714887d509a1849791b4b244
-
SHA256
5713df54ae15a1a47a87436d1c7ddc06338f9c31276880d6d2ae29d2655313e7
-
SHA512
b871a001fa251a9af36788ceda94ece6772a5f318120db5cada7643e66da7978d0a0f373ab271c15b45a0947f1161ee60284c0621e25e07ea81864a3c8945e4a
-
SSDEEP
6144:dLeno+U3zituONCfDq/ib4IKEQwpUgQ/Fn7r+DHZ8q6PTZKWCaYVZ6qXW4bPwDJr:sRC+ab4aQlhFnPA81X/Y1cNm+1v6pP
Static task
static1
Behavioral task
behavioral1
Sample
b2c04bb4-1039-4836-bca6-bd4211df1190.exe
Resource
win7-20240903-en
Malware Config
Extracted
nanocore
1.2.2.0
original-financial.gl.at.ply.gg:28916
d516db18-d565-4fff-a872-0ad0fd1f18ca
-
activate_away_mode
true
-
backup_connection_host
original-financial.gl.at.ply.gg
-
backup_dns_server
8.8.4.4
-
buffer_size
65535
-
build_time
2024-09-13T19:32:56.304391136Z
-
bypass_user_account_control
true
- bypass_user_account_control_data
-
clear_access_control
true
-
clear_zone_identifier
false
-
connect_delay
4000
-
connection_port
28916
-
default_group
Default
-
enable_debug_mode
true
-
gc_threshold
1.048576e+07
-
keep_alive_timeout
30000
-
keyboard_logging
false
-
lan_timeout
2500
-
max_packet_size
1.048576e+07
-
mutex
d516db18-d565-4fff-a872-0ad0fd1f18ca
-
mutex_timeout
5000
-
prevent_system_sleep
false
- primary_connection_host
-
primary_dns_server
8.8.8.8
-
request_elevation
true
-
restart_delay
5000
-
run_delay
0
-
run_on_startup
true
-
set_critical_process
true
-
timeout_interval
5000
-
use_custom_dns_server
false
-
version
1.2.2.0
-
wan_timeout
8000
Targets
-
-
Target
b2c04bb4-1039-4836-bca6-bd4211df1190
-
Size
524KB
-
MD5
81ffddf2c1d7905204a67f6577e2dc68
-
SHA1
a89c37a3e12a46ac714887d509a1849791b4b244
-
SHA256
5713df54ae15a1a47a87436d1c7ddc06338f9c31276880d6d2ae29d2655313e7
-
SHA512
b871a001fa251a9af36788ceda94ece6772a5f318120db5cada7643e66da7978d0a0f373ab271c15b45a0947f1161ee60284c0621e25e07ea81864a3c8945e4a
-
SSDEEP
6144:dLeno+U3zituONCfDq/ib4IKEQwpUgQ/Fn7r+DHZ8q6PTZKWCaYVZ6qXW4bPwDJr:sRC+ab4aQlhFnPA81X/Y1cNm+1v6pP
-
Nanocore family
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-