nanocore

General

Target

DHL-#AWB130501923096PDF.exe
Size

712KB
Sample

210126-rb17c7elp6
MD5

13e8443bf19ea588b2c7a77251746fe8
SHA1

62ae36fa6f7d5a21e026a8bbebed94bac81384e6
SHA256

1372611a62207431985055ea8ecb4121b3dfb199e615102c06cc38e5aabdd65d
SHA512

0dbcf414e821c737084e2d3cc378f5e8de1920ab2d41340d5c474316a051001f71cb47f0733cb588923d885455137c2b36993caecb160333bc23e539b9db6de9

Score

10^/10

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

185.162.88.26:20911

fenixalec.ddns.net:20911

Mutex

4c844ad7-de78-4c04-815b-d468ebb89811

Attributes

activate_away_mode
true
backup_connection_host
fenixalec.ddns.net
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2020-10-25T21:31:56.793896536Z
bypass_user_account_control
true
bypass_user_account_control_data
clear_access_control
true
clear_zone_identifier
true
connect_delay
4000
connection_port
20911
default_group
2021 GREATEST
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
4c844ad7-de78-4c04-815b-d468ebb89811
mutex_timeout
5000
prevent_system_sleep
true
primary_connection_host
185.162.88.26
primary_dns_server
8.8.8.8
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
true
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Targets

- Target
  
  DHL-#AWB130501923096PDF.exe
- Size
  
  712KB
- MD5
  
  13e8443bf19ea588b2c7a77251746fe8
- SHA1
  
  62ae36fa6f7d5a21e026a8bbebed94bac81384e6
- SHA256
  
  1372611a62207431985055ea8ecb4121b3dfb199e615102c06cc38e5aabdd65d
- SHA512
  
  0dbcf414e821c737084e2d3cc378f5e8de1920ab2d41340d5c474316a051001f71cb47f0733cb588923d885455137c2b36993caecb160333bc23e539b9db6de9
Score

10^/10

nanocore evasion keylogger persistence ransomware spyware stealer trojan
- NanoCore
  NanoCore is a remote access tool (RAT) with a variety of capabilities.
  keylogger trojan stealer spyware nanocore
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Checks whether UAC is enabled
  evasion trojan
- Enumerates physical storage devices
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
  ransomware
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Checks whether UAC is enabled

Enumerates physical storage devices

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks

static1

behavioral1

behavioral2