nanocore | e4d560c489dba28369b781106a1334767ff82bb44b69b9e4cc6d068feb29ab6b | Triage

Submit
Reports

Overview

overview

Static

static

8

Purchase O...21.xls

windows7_x64

Purchase O...21.xls

windows10_x64

Sharing

General

Target

Purchase OrderDated19032021.xls
Size

81KB
Sample

210322-r5jek2vn12
MD5

1a49fe1a9c135ccd9c9f2d9cf395f378
SHA1

24d6ab599cef554a8e8e6b2e3abffb7072e6e1db
SHA256

e4d560c489dba28369b781106a1334767ff82bb44b69b9e4cc6d068feb29ab6b
SHA512

9659a2da6cebb7d4beec1142f0a04030ce0abf08cbf75899dc903115e8160d4277429f2a23d06dcc55c1477424e8333fe8990b7a42de3c06eae2561ae3a263b3

Score

10^/10

nanocore keylogger macro macro_on_action spyware stealer trojan

Static task

static1

macro macro_on_action

Behavioral task

behavioral1

Sample

Purchase OrderDated19032021.xls

Resource

win7v20201028

nanocore keylogger spyware stealer trojan

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

Purchase OrderDated19032021.xls

Resource

win10v20201028

nanocore keylogger spyware stealer trojan

windows10_x64

0 signatures

0 seconds

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://cdn.discordapp.com/attachments/814408945828626445/822323767334273094/VEqScSTKqHP3LQI.exe

Extracted

Family

nanocore

Version

1.2.2.0

C2

185.140.53.130:2364

mydnsnanocore123.ddns.net:2364

Mutex

af625c00-d1f5-4435-80be-9f676efc59dc

Attributes

activate_away_mode
true
backup_connection_host
mydnsnanocore123.ddns.net
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2020-12-27T15:43:00.135192036Z
bypass_user_account_control
true
bypass_user_account_control_data
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
2364
default_group
17-03-2021NANO
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
af625c00-d1f5-4435-80be-9f676efc59dc
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
185.140.53.130
primary_dns_server
8.8.8.8
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
true
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Targets

- Target
  
  Purchase OrderDated19032021.xls
- Size
  
  81KB
- MD5
  
  1a49fe1a9c135ccd9c9f2d9cf395f378
- SHA1
  
  24d6ab599cef554a8e8e6b2e3abffb7072e6e1db
- SHA256
  
  e4d560c489dba28369b781106a1334767ff82bb44b69b9e4cc6d068feb29ab6b
- SHA512
  
  9659a2da6cebb7d4beec1142f0a04030ce0abf08cbf75899dc903115e8160d4277429f2a23d06dcc55c1477424e8333fe8990b7a42de3c06eae2561ae3a263b3
Score

10^/10

nanocore keylogger spyware stealer trojan
- NanoCore
  NanoCore is a remote access tool (RAT) with a variety of capabilities.
  keylogger trojan stealer spyware nanocore
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Blocklisted process makes network request
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

Persistence

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Modify Registry

Credential Access

Discovery

System Information Discovery

Query Registry

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

macromacro_on_action

behavioral1

nanocorekeyloggerspywarestealertrojan

behavioral2

nanocorekeyloggerspywarestealertrojan

© 2018-2024

Terms | Privacy