nanocore | 72aa6b57a853c9e9c39833e16e5a2dca88847e27cfe10d57175990b20555a894 | Triage

Sharing

General

Target

PO-13916654658867654342003.z
Size

305KB
Sample

211021-d7bfdshgf5
MD5

b29af063776d1bb6382261b5ea4344ed
SHA1

e72eb9aac567ec0927aae4ef870867fe11e473c8
SHA256

72aa6b57a853c9e9c39833e16e5a2dca88847e27cfe10d57175990b20555a894
SHA512

be010fe9f10365b153c91930b573965a5d579bc08f2e10dd4797860091e0297eff285767270e722ac14adae17660bd4eb6ba85d9b964e824f911094d577c8509

Score

10^/10

nanocore evasion keylogger spyware stealer trojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

185.157.160.229:60006

neoncorex.duckdns.org:60006

Mutex

1d5c6a3e-60c1-4684-aee7-fbdc0338bfa0

Attributes

activate_away_mode
true
backup_connection_host
neoncorex.duckdns.org
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2021-07-29T18:43:26.772131836Z
bypass_user_account_control
true
bypass_user_account_control_data
clear_access_control
true
clear_zone_identifier
true
connect_delay
4000
connection_port
60006
default_group
NANOSHIELD
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
1d5c6a3e-60c1-4684-aee7-fbdc0338bfa0
mutex_timeout
5000
prevent_system_sleep
true
primary_connection_host
185.157.160.229
primary_dns_server
8.8.8.8
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
true
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Targets

- Target
  
  PO-13916654658867654342003.exe
- Size
  
  574KB
- MD5
  
  7ae160bfca29e0c7c3fb4a98a29b32d7
- SHA1
  
  49d5ca7f388c754d7f8a2723f154cf04a849487c
- SHA256
  
  f18fe72903701dbb74e8c8baadac476f740cd30fb6643e79a2320d168e7835c6
- SHA512
  
  1f7fe7428879702e4cac93e0fbd7075dd6839835b877bf075f5538c2593fee51352ca15bec7e811b64a8349d03669b11b1ae38933a071d6fb6c9655b77452713
Score

10^/10

nanocore evasion keylogger spyware stealer trojan
- NanoCore
  NanoCore is a remote access tool (RAT) with a variety of capabilities.
  keylogger trojan stealer spyware nanocore
- Executes dropped EXE
- Checks whether UAC is enabled
  evasion trojan
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

Persistence

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

nanocoreevasionkeyloggerspywarestealertrojan

behavioral2

nanocoreevasionkeyloggerspywarestealertrojan