nanocore | a8c3d37226a81628b4647e17a2c8fed507505a2854ec3f7b7a28be5ecdae42f9 | Triage

Sharing

General

Target

a8c3d37226a81628b4647e17a2c8fed507505a2854ec3f7b7a28be5ecdae42f9
Size

370KB
Sample

220520-31227shhc3
MD5

f6e251278680f0f2b52e9eda6edf2137
SHA1

23d79b14f6d8687c9c3ce95dbc05f28054b309ae
SHA256

a8c3d37226a81628b4647e17a2c8fed507505a2854ec3f7b7a28be5ecdae42f9
SHA512

14c1a1cffe3414d33c60a10bd70437f0ab30f82017ad845f67bd2b65370bc88fa697c1691f792b280cb92428d89fa30600b191f3b1dcc2f3f6fe07199ce0f8f0

Score

10^/10

nanocore evasion keylogger spyware stealer suricata trojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

duckmeat.duckdns.org:5626

127.0.0.1:5626

Mutex

823e9a21-7dbc-4097-b6d6-cdb0b9b1e84c

Attributes

activate_away_mode
true
backup_connection_host
127.0.0.1
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2020-03-16T12:28:57.030902636Z
bypass_user_account_control
true
bypass_user_account_control_data
clear_access_control
true
clear_zone_identifier
true
connect_delay
4000
connection_port
5626
default_group
More
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
823e9a21-7dbc-4097-b6d6-cdb0b9b1e84c
mutex_timeout
5000
prevent_system_sleep
true
primary_connection_host
duckmeat.duckdns.org
primary_dns_server
8.8.8.8
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
true
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Targets

- Target
  
  Información confidencial de entrega Chile AD0AhFnh2020.exe
- Size
  
  395KB
- MD5
  
  91525a4a2e396ba3f30e5b583ce3a7ad
- SHA1
  
  385952cc0201d064322179a2c25cdd1e80a5acd8
- SHA256
  
  f728252169da3a6dc69cd201835230c017ce37c9a9cd06c1e7daa3153ebc6f80
- SHA512
  
  40078e0b83b24fb85a2d88174118f1c29280ad0736d36785acdcb4ebd8688a0cadf28d809fb358229c3ad9e5640a93c2ba3f058773f6aa8a3e93c94f4cec6fe0
Score

10^/10

nanocore evasion keylogger spyware stealer suricata trojan
- NanoCore
  NanoCore is a remote access tool (RAT) with a variety of capabilities.
  keylogger trojan stealer spyware nanocore
- suricata: ET MALWARE Possible NanoCore C2 60B
  suricata: ET MALWARE Possible NanoCore C2 60B
  suricata
- Looks for VirtualBox Guest Additions in registry
  evasion
- Looks for VMWare Tools registry key
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

Persistence

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Virtualization/Sandbox Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

Virtualization/Sandbox Evasion

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

nanocoreevasionkeyloggerspywarestealersuricatatrojan

behavioral2

nanocoreevasionkeyloggerspywarestealersuricatatrojan