nanocore

Sharing

Copy URL

Twitter E-mail

General

Target

#CHOO1UHA.iso
Size

86KB
Sample

211029-r1qhmaabhk
MD5

d0ea5ecfd59f7704114a91e85a697103
SHA1

6d8ff4e7142ba828a35365f847b72bb51890341e
SHA256

2de716414a5246e7d4f1d9679a9c5fdefd194c30807331d05798253ebceb87a2
SHA512

2c80477abd3dbae464675eacbac2ac103746c60d7dd1ea9853b07572fcbd1b06a052ff1e09df3fdb71146ed2f4c084bb72697236512bc703f85065a64c7198d8

Score

10^/10

Malware Config

Extracted

Family

vjw0rm

http://tdeasy.duckdns.org:6128

Extracted

Family

nanocore

Version

1.2.2.0

nanoboss.duckdns.org:6129

Mutex

f795cec6-1cfb-44f9-898a-e041c33422fe

Attributes

activate_away_mode
false
backup_connection_host
nanoboss.duckdns.org
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2021-08-10T14:25:49.368918836Z
bypass_user_account_control
false
bypass_user_account_control_data
PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTE2Ij8+DQo8VGFzayB2ZXJzaW9uPSIxLjIiIHhtbG5zPSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dpbmRvd3MvMjAwNC8wMi9taXQvdGFzayI+DQogIDxSZWdpc3RyYXRpb25JbmZvIC8+DQogIDxUcmlnZ2VycyAvPg0KICA8UHJpbmNpcGFscz4NCiAgICA8UHJpbmNpcGFsIGlkPSJBdXRob3IiPg0KICAgICAgPExvZ29uVHlwZT5JbnRlcmFjdGl2ZVRva2VuPC9Mb2dvblR5cGU+DQogICAgICA8UnVuTGV2ZWw+SGlnaGVzdEF2YWlsYWJsZTwvUnVuTGV2ZWw+DQogICAgPC9QcmluY2lwYWw+DQogIDwvUHJpbmNpcGFscz4NCiAgPFNldHRpbmdzPg0KICAgIDxNdWx0aXBsZUluc3RhbmNlc1BvbGljeT5QYXJhbGxlbDwvTXVsdGlwbGVJbnN0YW5jZXNQb2xpY3k+DQogICAgPERpc2FsbG93U3RhcnRJZk9uQmF0dGVyaWVzPmZhbHNlPC9EaXNhbGxvd1N0YXJ0SWZPbkJhdHRlcmllcz4NCiAgICA8U3RvcElmR29pbmdPbkJhdHRlcmllcz5mYWxzZTwvU3RvcElmR29pbmdPbkJhdHRlcmllcz4NCiAgICA8QWxsb3dIYXJkVGVybWluYXRlPnRydWU8L0FsbG93SGFyZFRlcm1pbmF0ZT4NCiAgICA8U3RhcnRXaGVuQXZhaWxhYmxlPmZhbHNlPC9TdGFydFdoZW5BdmFpbGFibGU+DQogICAgPFJ1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+ZmFsc2U8L1J1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+DQogICAgPElkbGVTZXR0aW5ncz4NCiAgICAgIDxTdG9wT25JZGxlRW5kPmZhbHNlPC9TdG9wT25JZGxlRW5kPg0KICAgICAgPFJlc3RhcnRPbklkbGU+ZmFsc2U8L1Jlc3RhcnRPbklkbGU+DQogICAgPC9JZGxlU2V0dGluZ3M+DQogICAgPEFsbG93U3RhcnRPbkRlbWFuZD50cnVlPC9BbGxvd1N0YXJ0T25EZW1hbmQ+DQogICAgPEVuYWJsZWQ+dHJ1ZTwvRW5hYmxlZD4NCiAgICA8SGlkZGVuPmZhbHNlPC9IaWRkZW4+DQogICAgPFJ1bk9ubHlJZklkbGU+ZmFsc2U8L1J1bk9ubHlJZklkbGU+DQogICAgPFdha2VUb1J1bj5mYWxzZTwvV2FrZVRvUnVuPg0KICAgIDxFeGVjdXRpb25UaW1lTGltaXQ+UFQwUzwvRXhlY3V0aW9uVGltZUxpbWl0Pg0KICAgIDxQcmlvcml0eT40PC9Qcmlvcml0eT4NCiAgPC9TZXR0aW5ncz4NCiAgPEFjdGlvbnMgQ29udGV4dD0iQXV0aG9yIj4NCiAgICA8RXhlYz4NCiAgICAgIDxDb21tYW5kPiIjRVhFQ1VUQUJMRVBBVEgiPC9Db21tYW5kPg0KICAgICAgPEFyZ3VtZW50cz4kKEFyZzApPC9Bcmd1bWVudHM+DQogICAgPC9FeGVjPg0KICA8L0FjdGlvbnM+DQo8L1Rhc2s+
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
6129
default_group
Default
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
f795cec6-1cfb-44f9-898a-e041c33422fe
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
nanoboss.duckdns.org
primary_dns_server
8.8.8.8
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
false
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Targets

- Target
  
  #CHOO1.js
- Size
  
  17KB
- MD5
  
  fac61c5e8f3026c1a1b63c21423a2701
- SHA1
  
  c14c72c7e99a1b8166d009a89c8f6b1111a8da2a
- SHA256
  
  77307f92ac36d5dce119e092099842fedd2f37432b578914af22b7ad7c1ccf94
- SHA512
  
  19f7420a6cf00f25c75dd3205823645b2f3e0f77d8b817c9c1e22a9c36799e2efb880d26e886bbf9c7d6de413f8c5fe2ad3a88a6eb9b2761fde00506bd14a711
Score

10^/10

vjw0rm persistence trojan worm
- Vjw0rm
  Vjw0rm is a remote access trojan written in JavaScript.
  trojan worm vjw0rm
- Blocklisted process makes network request
- Drops startup file
- Adds Run key to start application
  persistence
behavioral1 behavioral2
- Target
  
  #CHOO2.js
- Size
  
  7KB
- MD5
  
  4fc18805b5686d320a0ccdab8438ed7e
- SHA1
  
  afbe3e8f7448be3ace8f48f37c1524748533ed94
- SHA256
  
  7257729274b6ab5c1a605900fa40b2a76f386b3dbb3c0f4ab29e85b780eaef73
- SHA512
  
  9ec6470aadce9ddaebd57167658d1a8a22ddb496e452b3a4574d3c8fa8b5d643e49d96b31df64f89fe3847bc4c7be792e21f8de063be07ef3452e936931ded14
Score

10^/10

suricata nanocore evasion keylogger persistence spyware stealer trojan
- NanoCore
  NanoCore is a remote access tool (RAT) with a variety of capabilities.
  keylogger trojan stealer spyware nanocore
- suricata: ET MALWARE Possible Malicious Macro DL EXE Feb 2016
  suricata: ET MALWARE Possible Malicious Macro DL EXE Feb 2016
  suricata
- suricata: ET MALWARE Possible Malicious Macro EXE DL AlphaNumL
  suricata: ET MALWARE Possible Malicious Macro EXE DL AlphaNumL
  suricata
- suricata: ET MALWARE Possible NanoCore C2 60B
  suricata: ET MALWARE Possible NanoCore C2 60B
  suricata
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Checks whether UAC is enabled
  evasion trojan
behavioral3 behavioral4

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Targets

Vjw0rm

Blocklisted process makes network request

Drops startup file

Adds Run key to start application

suricata: ET MALWARE Possible Malicious Macro DL EXE Feb 2016

suricata: ET MALWARE Possible Malicious Macro EXE DL AlphaNumL

suricata: ET MALWARE Possible NanoCore C2 60B

Blocklisted process makes network request

Downloads MZ/PE file

Executes dropped EXE

Adds Run key to start application

Checks whether UAC is enabled

MITRE ATT&CK Matrix ATT&CK v6

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4