nanocore | 9161ed38d16be56e3242e33c3ccccad63f206db7a44e172163916322de79bd65 | Triage

Sharing

General

Target

New-Order-List-_-Specification.zip
Size

1.2MB
Sample

211014-h29s8agddn
MD5

cf71051dc29747c297ed5b80167a64bb
SHA1

8cb79a71cc683007430be4008c0b140a87acd486
SHA256

9161ed38d16be56e3242e33c3ccccad63f206db7a44e172163916322de79bd65
SHA512

edb28465070163a4f2f12373c3b91a6a33c8bd3e2bc5e1a90317d92a82ab7b852dd3cd7778dcc0e09b214dc407a9ce8294f415892cfedcca2200f17dc77d324e

Score

10^/10

nanocore remcos october-$$$$keylogger persistence rat spyware stealer trojan

Malware Config

Extracted

Family

remcos

Version

3.3.0 Pro

Botnet

OCTOBER-$$$$

C2

mgc0147.hopto.org:2930

Attributes

audio_folder
MicRecords
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
install_path
%AppData%
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
keylog_path
%AppData%
mouse_option
false
mutex
Remcos-3MPDYA
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Remcos
take_screenshot_option
false
take_screenshot_time
5
take_screenshot_title
notepad;solitaire;

Extracted

Family

remcos

Botnet

OCTOBER-$$$$

C2

mgc0147.hopto.org:2930

Attributes

audio_folder
MicRecords
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
install_path
%AppData%
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
keylog_path
%AppData%
mouse_option
false
mutex
Remcos-3MPDYA
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Remcos
take_screenshot_option
false
take_screenshot_time
5
take_screenshot_title
notepad;solitaire;

Targets

- Target
  
  New Order List & Specification.scr
- Size
  
  1.3MB
- MD5
  
  39f59475d4b4672638a90ac2e475cd90
- SHA1
  
  0fdabe47559fab6484f383fab08a451be9879f65
- SHA256
  
  13a65e23f4c45234d2e73ce746b29a13b10df6f5a7508087029432aa62d458c5
- SHA512
  
  f26355f9da0afa11fcc8782bad79c293735ba7a099f54b9bd60195122f9e7687ac322f93eba5d0caa7c0f2d49e7a4ce4f464bbb6cf08efb71e0cc998511b8b9d
Score

10^/10

nanocore remcos october-$$$$keylogger persistence rat spyware stealer trojan
- NanoCore
  NanoCore is a remote access tool (RAT) with a variety of capabilities.
  keylogger trojan stealer spyware nanocore
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

nanocoreremcosoctober-$$$$keyloggerpersistenceratspywarestealertrojan

behavioral2

nanocoreremcosoctober-$$$$keyloggerpersistenceratspywarestealertrojan