General
-
Target
XtasyExecutorV1.0.exe
-
Size
203KB
-
Sample
241217-ybe4xswrbj
-
MD5
b8fb078ab0ff9ca107d79112a1a56255
-
SHA1
cebcb36d55bb63688bd9ffbf7d372ba41b0e959e
-
SHA256
2d73aa44284a435c2cc78b6a80a4326f42a28dfa598e5dfd20ba3f612afdcd37
-
SHA512
1a817eb1043122eb183821558cd9541f4a34f76551f52040f8c2e3caf8dd082a88d80799be868bbb84fdf339cb462a63bb14bceae869345485b565a19d01f1f9
-
SSDEEP
3072:AzEqV6B1jHa6dtJ10jgvzcgi+oG/j9iaMP2s/HIseXxluxTkQ0yyMH+elFEGxdb8:ALV6Bta6dtJmakIM5NhkQl3EGrbmMZ3k
Malware Config
Extracted
nanocore
1.2.2.0
science-attract.gl.at.ply.gg:13548
127.0.0.1:13548
23abf985-e664-478c-a2fc-af36e970435f
-
activate_away_mode
false
-
backup_connection_host
127.0.0.1
-
backup_dns_server
8.8.4.4
-
buffer_size
65535
-
build_time
2024-09-28T21:17:34.799997936Z
-
bypass_user_account_control
true
- bypass_user_account_control_data
-
clear_access_control
false
-
clear_zone_identifier
false
-
connect_delay
4000
-
connection_port
13548
-
default_group
Hacker team
-
enable_debug_mode
true
-
gc_threshold
1.048576e+07
-
keep_alive_timeout
30000
-
keyboard_logging
false
-
lan_timeout
2500
-
max_packet_size
1.048576e+07
-
mutex
23abf985-e664-478c-a2fc-af36e970435f
-
mutex_timeout
5000
-
prevent_system_sleep
false
-
primary_connection_host
science-attract.gl.at.ply.gg
-
primary_dns_server
8.8.8.8
-
request_elevation
false
-
restart_delay
5000
-
run_delay
0
-
run_on_startup
false
-
set_critical_process
true
-
timeout_interval
5000
-
use_custom_dns_server
false
-
version
1.2.2.0
-
wan_timeout
8000
Targets
-
-
Target
XtasyExecutorV1.0.exe
-
Size
203KB
-
MD5
b8fb078ab0ff9ca107d79112a1a56255
-
SHA1
cebcb36d55bb63688bd9ffbf7d372ba41b0e959e
-
SHA256
2d73aa44284a435c2cc78b6a80a4326f42a28dfa598e5dfd20ba3f612afdcd37
-
SHA512
1a817eb1043122eb183821558cd9541f4a34f76551f52040f8c2e3caf8dd082a88d80799be868bbb84fdf339cb462a63bb14bceae869345485b565a19d01f1f9
-
SSDEEP
3072:AzEqV6B1jHa6dtJ10jgvzcgi+oG/j9iaMP2s/HIseXxluxTkQ0yyMH+elFEGxdb8:ALV6Bta6dtJmakIM5NhkQl3EGrbmMZ3k
Score10/10-
Modifies Windows Defender Real-time Protection settings
-
Modifies security service
-
NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
-
Nanocore family
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Adds Run key to start application
-
Checks whether UAC is enabled
-
Modifies Security services
Modifies the startup behavior of a security service.
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2