nanocore

General

Target

RFQ- 28300NB.rar
Size

867KB
Sample

210926-vrzxgsfahl
MD5

98561333445f07a87c3a3eee856770c4
SHA1

bafd8f2d73139cbf5f9065f60a109897b11878f7
SHA256

e5b4f0d80455434c5454347cce00f9f5367a19e9af19731ad04630e1c5cb5440
SHA512

22b274e6a61ea0e90bc35eed2a542d8f6871f9b01ec9c43d83c6097f2e2b755d681528943f59110a0fa50ea81144e03fc3bfb4a673d94f3c46b0dbb540e0b7d0

Score

10^/10

Malware Config

Extracted

Family

warzonerat

C2

membership.myddns.rocks:5191

Targets

- Target
  
  RFQ- 28300NB.scr
- Size
  
  999KB
- MD5
  
  c10afb1541eafecc15387c8c0f3db1c9
- SHA1
  
  7cd612bfed4ba6350c192142d55392ac8aa5a0a5
- SHA256
  
  89416f4296bcee3a4230b3845988246b0dc489376238061d26e4b75e6ecf972e
- SHA512
  
  d94a03f9281c34bbe563d44c920a5188b18ed4aee44fc507e9c706930f93e52f6beccec7fe3462b07d88994f70dddbfd0b17c8aed2a0c3613a35378cfe411b34
Score

10^/10

nanocore warzonerat infostealer keylogger persistence rat spyware stealer trojan
- NanoCore
  NanoCore is a remote access tool (RAT) with a variety of capabilities.
  keylogger trojan stealer spyware nanocore
- WarzoneRat, AveMaria
  WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
  rat infostealer warzonerat
- Warzone RAT Payload
  rat
- Executes dropped EXE
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

WarzoneRat, AveMaria

Warzone RAT Payload

Executes dropped EXE

Drops startup file

Loads dropped DLL

Adds Run key to start application

MITRE ATT&CK Enterprise v6

Tasks

static1

behavioral1

behavioral2