nanocore

General

Target

FINAL INVOICE.doc
Size

662KB
Sample

210713-ar1ay5ffxs
MD5

1f5d7335c8fb08f1685c0a03bef319c7
SHA1

c437b8bd154196fbb466b3380010c00931888df3
SHA256

c8c027d89dffe9c38eeca218fe9400bb6a28970c22dce6f7b05ceb72bf5d221d
SHA512

0bcdd2aa38a2a5407e858d64a43fd7b9d27861dfbb4c7e5c1777ad310b1290dab22c6843cd6c100401aed1b13cba8d7affee925abc1bc6b0ff7c2baca4090b10

Score

10^/10

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

httP://freebeeskatobi.ydns.eu/kat1.exe

Extracted

Family

nanocore

Version

1.2.2.0

C2

zzeroirt.duckdns.org:4948

hirtoruew.duckdns.org:4948

Mutex

213f8d87-634f-49a2-b68e-7c41f3bee6d5

Attributes

activate_away_mode
true
backup_connection_host
hirtoruew.duckdns.org
backup_dns_server
hirtoruew.duckdns.org
buffer_size
65535
build_time
2021-04-05T13:34:58.963300136Z
bypass_user_account_control
true
bypass_user_account_control_data
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
4948
default_group
Default
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
213f8d87-634f-49a2-b68e-7c41f3bee6d5
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
zzeroirt.duckdns.org
primary_dns_server
zzeroirt.duckdns.org
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
false
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Extracted

Family

warzonerat

C2

sdafsdffssffs.ydns.eu:6703

Targets

- Target
  
  FINAL INVOICE.doc
- Size
  
  662KB
- MD5
  
  1f5d7335c8fb08f1685c0a03bef319c7
- SHA1
  
  c437b8bd154196fbb466b3380010c00931888df3
- SHA256
  
  c8c027d89dffe9c38eeca218fe9400bb6a28970c22dce6f7b05ceb72bf5d221d
- SHA512
  
  0bcdd2aa38a2a5407e858d64a43fd7b9d27861dfbb4c7e5c1777ad310b1290dab22c6843cd6c100401aed1b13cba8d7affee925abc1bc6b0ff7c2baca4090b10
Score

10^/10

nanocore warzonerat evasion infostealer keylogger persistence rat spyware stealer trojan
- NanoCore
  NanoCore is a remote access tool (RAT) with a variety of capabilities.
  keylogger trojan stealer spyware nanocore
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- WarzoneRat, AveMaria
  WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
  rat infostealer warzonerat
- NirSoft MailPassView
  Password recovery tool for various email clients
- Nirsoft
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Sets DLL path for service in the registry
  persistence
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Uses the VBS compiler for execution
- Adds Run key to start application
  persistence
- Checks whether UAC is enabled
  evasion trojan
- Modifies WinLogon
  persistence
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1