Overview

overview

10

Static

static

BFSV-1F(N)...SI.exe

windows7_x64

10

BFSV-1F(N)...SI.exe

windows10_x64

10

Analysis

  • max time kernel
    141s
  • max time network
    147s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    08-01-2021 08:23

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    BFSV-1F(N)_1B-8B_ANSI.exe

  • Size

    338KB

  • MD5

    36f13aad903e851544fe137feca3435b

  • SHA1

    776d3d7e39a8b3e72e2e9b5c36a615e3157d05ad

  • SHA256

    41617ac4431c229ba27bf94617b465309e7f502ae5088cd12ee571a0428ea120

  • SHA512

    77a68e34a1bbf2360f8473368a0e3fd9c54567477a29561980851b82bd8ac1655919a109d6d4456a67bd633ef436fcf4697fc77d17e03e701d36ee7b82f296e6

Score
10/10
nanocoreevasionkeyloggerspywarestealertrojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

45.138.49.96:9999

127.0.0.1:9999
Mutex

c9506c35-7fc9-4302-a06c-3e362d7043e7

Attributes
  • activate_away_mode

    true

  • backup_connection_host

    127.0.0.1

  • backup_dns_server

    8.8.4.4

  • buffer_size

    65535

  • build_time

    2020-10-09T09:41:16.640477036Z

  • bypass_user_account_control

    true

  • bypass_user_account_control_data

  • clear_access_control

    true

  • clear_zone_identifier

    false

  • connect_delay

    4000

  • connection_port

    9999

  • default_group

    Default

  • enable_debug_mode

    true

  • gc_threshold

    1.048576e+07

  • keep_alive_timeout

    30000

  • keyboard_logging

    false

  • lan_timeout

    2500

  • max_packet_size

    1.048576e+07

  • mutex

    c9506c35-7fc9-4302-a06c-3e362d7043e7

  • mutex_timeout

    5000

  • prevent_system_sleep

    false

  • primary_connection_host

    45.138.49.96

  • primary_dns_server

    8.8.8.8

  • request_elevation

    true

  • restart_delay

    5000

  • run_delay

    0

  • run_on_startup

    true

  • set_critical_process

    true

  • timeout_interval

    5000

  • use_custom_dns_server

    false

  • version

    1.2.2.0

  • wan_timeout

    8000

Signatures

  • NanoCore

    NanoCore is a remote access tool (RAT) with a variety of capabilities.

    keyloggertrojanstealerspywarenanocore
  • NirSoft MailPassView 3 IoCs

    Password recovery tool for various email clients

  • Nirsoft 3 IoCs
  • Uses the VBS compiler for execution 1 TTPs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Suspicious use of SetThreadContext 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 33 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\BFSV-1F(N)_1B-8B_ANSI.exe
    "C:\Users\Admin\AppData\Local\Temp\BFSV-1F(N)_1B-8B_ANSI.exe"
    1⤵
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of WriteProcessMemory
    PID:1660
    • C:\Users\Admin\AppData\Local\Temp\BFSV-1F(N)_1B-8B_ANSI.exe
      "C:\Users\Admin\AppData\Local\Temp\BFSV-1F(N)_1B-8B_ANSI.exe"
      2⤵
        PID:1988
      • C:\Users\Admin\AppData\Local\Temp\BFSV-1F(N)_1B-8B_ANSI.exe
        "C:\Users\Admin\AppData\Local\Temp\BFSV-1F(N)_1B-8B_ANSI.exe"
        2⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of WriteProcessMemory
        PID:1972
        • C:\Users\Admin\AppData\Local\Temp\BFSV-1F(N)_1B-8B_ANSI.exe
          "C:\Users\Admin\AppData\Local\Temp\BFSV-1F(N)_1B-8B_ANSI.exe"
          3⤵
          • Checks whether UAC is enabled
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1572
          • \??\c:\windows\microsoft.net\framework\v4.0.30319\vbc.exe
            "c:\windows\microsoft.net\framework\v4.0.30319\vbc.exe" /shtml "C:\Users\Admin\AppData\Local\Temp\lu41aavc.fhc"
            4⤵
              PID:604
            • \??\c:\windows\microsoft.net\framework\v4.0.30319\vbc.exe
              "c:\windows\microsoft.net\framework\v4.0.30319\vbc.exe" /shtml "C:\Users\Admin\AppData\Local\Temp\u2vcumcm.w2j"
              4⤵
                PID:1344

        Network

        MITRE ATT&CK Matrix ATT&CK v6

        Initial Access

        Execution

        Scripting

        1
        T1064

        Persistence

        Privilege Escalation

        Defense Evasion

        Scripting

        1
        T1064

        Credential Access

        Discovery

        System Information Discovery

        1
        T1082

        Lateral Movement

        Collection

        Exfiltration

        Command and Control

        Impact

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\lu41aavc.fhc
          MD5

          69b2a2e17e78d24abee9f1de2f04811a

          SHA1

          d19c109704e83876ab3527457f9418a7d053aa33

          SHA256

          1b1491f21e64681f8fdc27b2265e2274fb7813eecb6ad8b446d2e431f6300edd

          SHA512

          eb7269979bc4187520636fe3d7b3089f2c7c02e81c4ce2a738ade680f72c61c67fe9577eeaa09d3ca93f34b60be8c434d2cfbfed6566e783f6611279f056150f

          Download Submit
        • C:\Users\Admin\AppData\Local\Temp\u2vcumcm.w2j
          MD5

          919e671c3d5959a91ef2d4c377d2b2ff

          SHA1

          b1202b19512bbd390d3d5164792501c87bb42c41

          SHA256

          d2e079df7cf6388315368ba79bf099ad2ff5428af51bf5abf2d99a2d7c5eb651

          SHA512

          f3298256372beab8efe81b2e08d3b3869281f625de1ee13189c6b95eb2134d223df6f64cc9e490dd6b52a53aa936adc17bd5dfe4e50ee0fe420f3ebae276381c

          Download Submit
        • memory/604-25-0x0000000000400000-0x000000000041B000-memory.dmp
          Filesize

          108KB

          Download
        • memory/604-27-0x0000000000400000-0x000000000041B000-memory.dmp
          Filesize

          108KB

          Download
        • memory/604-26-0x0000000000411654-mapping.dmp
          Download
        • memory/816-32-0x000007FEF6F80000-0x000007FEF71FA000-memory.dmp
          Filesize

          2.5MB

          Download
        • memory/1344-31-0x0000000000400000-0x0000000000453000-memory.dmp
          Filesize

          332KB

          Download
        • memory/1344-29-0x0000000000400000-0x0000000000453000-memory.dmp
          Filesize

          332KB

          Download
        • memory/1344-30-0x0000000000442628-mapping.dmp
          Download
        • memory/1572-17-0x0000000000DB0000-0x0000000000DB7000-memory.dmp
          Filesize

          28KB

          Download
        • memory/1572-23-0x00000000010F0000-0x0000000001119000-memory.dmp
          Filesize

          164KB

          Download
        • memory/1572-14-0x0000000000B70000-0x0000000000B85000-memory.dmp
          Filesize

          84KB

          Download
        • memory/1572-15-0x0000000000BD0000-0x0000000000BD6000-memory.dmp
          Filesize

          24KB

          Download
        • memory/1572-16-0x0000000000BE0000-0x0000000000BEC000-memory.dmp
          Filesize

          48KB

          Download
        • memory/1572-4-0x0000000000400000-0x0000000000448000-memory.dmp
          Filesize

          288KB

          Download
        • memory/1572-18-0x0000000000DC0000-0x0000000000DC6000-memory.dmp
          Filesize

          24KB

          Download
        • memory/1572-19-0x0000000000DD0000-0x0000000000DDD000-memory.dmp
          Filesize

          52KB

          Download
        • memory/1572-20-0x0000000000DE0000-0x0000000000DE9000-memory.dmp
          Filesize

          36KB

          Download
        • memory/1572-21-0x0000000000F10000-0x0000000000F1F000-memory.dmp
          Filesize

          60KB

          Download
        • memory/1572-22-0x0000000000F20000-0x0000000000F2A000-memory.dmp
          Filesize

          40KB

          Download
        • memory/1572-13-0x0000000000AD0000-0x0000000000ADD000-memory.dmp
          Filesize

          52KB

          Download
        • memory/1572-24-0x0000000000F40000-0x0000000000F4F000-memory.dmp
          Filesize

          60KB

          Download
        • memory/1572-12-0x00000000009C0000-0x00000000009C3000-memory.dmp
          Filesize

          12KB

          Download
        • memory/1572-11-0x0000000000A60000-0x0000000000A79000-memory.dmp
          Filesize

          100KB

          Download
        • memory/1572-10-0x00000000009B0000-0x00000000009B5000-memory.dmp
          Filesize

          20KB

          Download
        • memory/1572-8-0x0000000000210000-0x0000000000243000-memory.dmp
          Filesize

          204KB

          Download
        • memory/1572-7-0x0000000073F50000-0x000000007463E000-memory.dmp
          Filesize

          6.9MB

          Download
        • memory/1572-6-0x0000000000400000-0x0000000000448000-memory.dmp
          Filesize

          288KB

          Download
        • memory/1572-5-0x000000000040188B-mapping.dmp
          Download
        • memory/1660-2-0x0000000000080000-0x0000000000097000-memory.dmp
          Filesize

          92KB

          Download
        • memory/1972-3-0x0000000000000000-mapping.dmp
          Download