Overview

overview

10

Static

static

c4371a89eb...62.exe

windows7_x64

10

c4371a89eb...62.exe

windows10_x64

10

Resubmissions

13-11-2020 18:24

201113-1d5vy7sr4x 10

28-10-2020 21:01

201028-k18bhfdkza 10

28-10-2020 10:34

201028-twfmbkjlps 10

25-10-2020 18:33

201025-5etksa6e82 10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    c4371a89eba27d03a0facf6f3aa71f62

  • Size

    12.0MB

  • Sample

    201113-1d5vy7sr4x

  • MD5

    c4371a89eba27d03a0facf6f3aa71f62

  • SHA1

    87eb5e8e94792c8bbb4fa045ee29fb3d657b84be

  • SHA256

    e16cd7a30e51317fc6508e2b0877b227eff115813a950d90b7ceb3e71af8a6c3

  • SHA512

    d527c8355d5f723c4970dbf1e4d225d18075ac74d7d62a55ca102f1619ad149cfe433e68228368ea313518e09f15db34f9b8c1805075d1e7bbcd7e6983f5b9e2

Score
10/10
nanocorenetwirebotnetdiscoveryevasionkeyloggerpersistenceratspywarestealertrojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

roxy.is-gone.com:54984

dico.is-a-designer.com:54984
Mutex

7b40c14b-fcd0-4f81-8bc6-e2122ef14c91

Attributes
  • activate_away_mode

    true

  • backup_connection_host

    dico.is-a-designer.com

  • backup_dns_server

    8.8.4.4

  • buffer_size

    65535

  • build_time

    2020-02-23T23:29:15.495388036Z

  • bypass_user_account_control

    true

  • bypass_user_account_control_data

  • clear_access_control

    true

  • clear_zone_identifier

    false

  • connect_delay

    4000

  • connection_port

    54984

  • default_group

    w-13052020

  • enable_debug_mode

    true

  • gc_threshold

    1.048576e+07

  • keep_alive_timeout

    30000

  • keyboard_logging

    false

  • lan_timeout

    2500

  • max_packet_size

    1.048576e+07

  • mutex

    7b40c14b-fcd0-4f81-8bc6-e2122ef14c91

  • mutex_timeout

    5000

  • prevent_system_sleep

    false

  • primary_connection_host

    roxy.is-gone.com

  • primary_dns_server

    8.8.8.8

  • request_elevation

    true

  • restart_delay

    5000

  • run_delay

    0

  • run_on_startup

    true

  • set_critical_process

    true

  • timeout_interval

    5000

  • use_custom_dns_server

    false

  • version

    1.2.2.0

  • wan_timeout

    8000

Targets

    • Target

      c4371a89eba27d03a0facf6f3aa71f62

    • Size

      12.0MB

    • MD5

      c4371a89eba27d03a0facf6f3aa71f62

    • SHA1

      87eb5e8e94792c8bbb4fa045ee29fb3d657b84be

    • SHA256

      e16cd7a30e51317fc6508e2b0877b227eff115813a950d90b7ceb3e71af8a6c3

    • SHA512

      d527c8355d5f723c4970dbf1e4d225d18075ac74d7d62a55ca102f1619ad149cfe433e68228368ea313518e09f15db34f9b8c1805075d1e7bbcd7e6983f5b9e2

    Score
    10/10
    nanocorenetwirebotnetdiscoveryevasionkeyloggerpersistenceratspywarestealertrojan

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • Modifies security service

      evasion

    • NanoCore

      NanoCore is a remote access tool (RAT) with a variety of capabilities.

      keyloggertrojanstealerspywarenanocore

    • NetWire RAT payload

      rat

    • Netwire

      Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.

      botnetstealernetwire

    • Executes dropped EXE

    • Drops startup file

    • Loads dropped DLL

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Modifies service

      persistence

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

3
T1031

Privilege Escalation

Defense Evasion

Modify Registry

5
T1112

Disabling Security Tools

1
T1089

Install Root Certificate

1
T1130

Credential Access

Discovery

Query Registry

1
T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks