Overview

overview

10

Static

static

8

Order23032021.xls

windows7_x64

10

Order23032021.xls

windows10_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Order23032021.xls

  • Size

    90KB

  • Sample

    210323-z53386x38e

  • MD5

    db196958b90a5716d64cf12e3ca92cc2

  • SHA1

    b51c1611a227de1fac3d020259306157e1dacc2f

  • SHA256

    5184caaa51f3f661060731ef43e83f7d1978779ef224a83e819558f925eee73e

  • SHA512

    e1733e996cc12679ff1d6d613ef8fed86e26a0c6864dec9156c6d946d16bbc7cd5e0870c964dda34b9ff65ca76ba1fb184773ab0abad7db7024ba590e7152646

Score
10/10
nanocorekeyloggermacromacro_on_actionspywarestealertrojan

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

https://cdn.discordapp.com/attachments/823801311480250391/823801423296331796/d2aVbt2JS4su0p6.exe

Extracted

Family

nanocore

Version

1.2.2.0

C2

185.140.53.130:2364

mydnsnanocore123.ddns.net:2364

Attributes
  • activate_away_mode

    true

  • backup_connection_host

    mydnsnanocore123.ddns.net

  • backup_dns_server

    8.8.4.4

  • buffer_size

    65535

  • build_time

    2020-12-27T15:43:00.135192036Z

  • bypass_user_account_control

    true

  • bypass_user_account_control_data

  • clear_access_control

    true

  • clear_zone_identifier

    false

  • connect_delay

    4000

  • connection_port

    2364

  • default_group

    17-03-2021NANO

  • enable_debug_mode

    true

  • gc_threshold

    1.048576e+07

  • keep_alive_timeout

    30000

  • keyboard_logging

    false

  • lan_timeout

    2500

  • max_packet_size

    1.048576e+07

  • mutex

    af625c00-d1f5-4435-80be-9f676efc59dc

  • mutex_timeout

    5000

  • prevent_system_sleep

    false

  • primary_connection_host

    185.140.53.130

  • primary_dns_server

    8.8.8.8

  • request_elevation

    true

  • restart_delay

    5000

  • run_delay

    0

  • run_on_startup

    true

  • set_critical_process

    true

  • timeout_interval

    5000

  • use_custom_dns_server

    false

  • version

    1.2.2.0

  • wan_timeout

    8000

Targets

    • Target

      Order23032021.xls

    • Size

      90KB

    • MD5

      db196958b90a5716d64cf12e3ca92cc2

    • SHA1

      b51c1611a227de1fac3d020259306157e1dacc2f

    • SHA256

      5184caaa51f3f661060731ef43e83f7d1978779ef224a83e819558f925eee73e

    • SHA512

      e1733e996cc12679ff1d6d613ef8fed86e26a0c6864dec9156c6d946d16bbc7cd5e0870c964dda34b9ff65ca76ba1fb184773ab0abad7db7024ba590e7152646

    Score
    10/10
    nanocorekeyloggerspywarestealertrojan

    • NanoCore

      NanoCore is a remote access tool (RAT) with a variety of capabilities.

      keyloggertrojanstealerspywarenanocore

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Blocklisted process makes network request

    • Executes dropped EXE

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix

Collection

    Command and Control

      Credential Access

        Defense Evasion

        Discovery

        Execution

          Exfiltration

            Impact

              Initial Access

                Lateral Movement

                  Persistence

                  Privilege Escalation

                    Tasks