nanocore | a019d69d5d9c1785aaf4a66574d7bfad67352692f10b1431101a437f1897037a | Triage

Sharing

General

Target

a019d69d5d9c1785aaf4a66574d7bfad67352692f10b1431101a437f1897037a
Size

1.2MB
Sample

220520-2sl6caahhj
MD5

c3a109db61a463afa825ad39607d73a0
SHA1

abd7e61611412be7dbd6f038c07051730ef64154
SHA256

a019d69d5d9c1785aaf4a66574d7bfad67352692f10b1431101a437f1897037a
SHA512

71969965b5aa567d493d176b57ad8ce1ec02a4f55e039a49cf179df577235ae0b3d54215a8d4aab3b29fbde28cd4ffb9105e1851a4211339606a41d3ef1aa71f

Score

10^/10

nanocore evasion keylogger spyware stealer trojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

u852117.nvpn.to:5638

Mutex

c20191a5-cd52-4887-8771-2d1dca5667b7

Attributes

activate_away_mode
true
backup_connection_host
u852117.nvpn.to
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2020-03-19T15:09:07.734275836Z
bypass_user_account_control
true
bypass_user_account_control_data
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
5638
default_group
BEGINS
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
c20191a5-cd52-4887-8771-2d1dca5667b7
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
u852117.nvpn.to
primary_dns_server
8.8.8.8
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
true
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Targets

- Target
  
  PAYMENT.EXE
- Size
  
  257KB
- MD5
  
  64cdb9571a5bcc21cecfae8df3a4312a
- SHA1
  
  32dd2730e8af9476bc88a0620657f9d9970a7680
- SHA256
  
  3da452ae8e1e1feb7546b7ff0dedecab241b19a26ff2fd4f693de266286747cc
- SHA512
  
  feabee621b79bccc3d1dd97555bd6864ac1d5c28d19124e7ab72fad1300541e11256b7547905e1ac71d48880f1738762a0567543ecf2479e03c102346ad3adcc
Score

10^/10

nanocore evasion keylogger spyware stealer trojan
- NanoCore
  NanoCore is a remote access tool (RAT) with a variety of capabilities.
  keylogger trojan stealer spyware nanocore
- Checks whether UAC is enabled
  evasion trojan
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

nanocoreevasionkeyloggerspywarestealertrojan

behavioral2

nanocoreevasionkeyloggerspywarestealertrojan