Overview

overview

10

Static

static

ZFE8ZFED.exe

windows7_x64

10

ZFE8ZFED.exe

windows10-2004_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    984728dca6dd3d654ed7c9cb141bc6f11a92b9fee7872b75bd5fd370475c6ec4

  • Size

    1.2MB

  • Sample

    220521-ac6fhaaaf2

  • MD5

    5dce75665913214a2b79c5f00fc15d02

  • SHA1

    458bd211437eaf4a625fbef4c6c7c1d676014dbb

  • SHA256

    984728dca6dd3d654ed7c9cb141bc6f11a92b9fee7872b75bd5fd370475c6ec4

  • SHA512

    9d116b62a25ce3692a949e827ad221d3bcd5418769fa0244fcd844f4f669847ea0cacfca154bf9778d76d5e05bc36bea00d276b241fbf0c61f1f2dead69279e3

Score
10/10
nanocoreevasionkeyloggerrezer0spywarestealertrojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

osharay.ddns.net:49291

127.0.0.1:49291
Mutex

e44f7ace-2a43-4abd-852f-0d029d25e336

Attributes
  • activate_away_mode

    true

  • backup_connection_host

    127.0.0.1

  • backup_dns_server

    8.8.4.4

  • buffer_size

    65535

  • build_time

    2020-03-26T12:50:12.399676336Z

  • bypass_user_account_control

    true

  • bypass_user_account_control_data

  • clear_access_control

    true

  • clear_zone_identifier

    true

  • connect_delay

    4000

  • connection_port

    49291

  • default_group

    Default

  • enable_debug_mode

    true

  • gc_threshold

    1.048576e+07

  • keep_alive_timeout

    30000

  • keyboard_logging

    false

  • lan_timeout

    2500

  • max_packet_size

    1.048576e+07

  • mutex

    e44f7ace-2a43-4abd-852f-0d029d25e336

  • mutex_timeout

    5000

  • prevent_system_sleep

    true

  • primary_connection_host

    osharay.ddns.net

  • primary_dns_server

    8.8.8.8

  • request_elevation

    true

  • restart_delay

    5000

  • run_delay

    0

  • run_on_startup

    true

  • set_critical_process

    true

  • timeout_interval

    5000

  • use_custom_dns_server

    false

  • version

    1.2.2.0

  • wan_timeout

    8000

Targets

    • Target

      ZFE8ZFED.EXE

    • Size

      363KB

    • MD5

      a95d2f1d08441c3fb0cba884f8daaa39

    • SHA1

      14a46985fccf6beeab446a24313a545e83413f4d

    • SHA256

      eeb8c3abc5285adfd129d20f321f2502d1125f0a0131644fe82c931cc2a5183b

    • SHA512

      b4fb4b42de18fe0a5daa0ddd5a683edb2e909837f5ca2eebd14ebf3f732411ba375efa59dae94bbd619ec44ca7c5c3655fa30ab5032cc599661da79a33f1d17b

    Score
    10/10
    nanocoreevasionkeyloggerrezer0spywarestealertrojan

    • NanoCore

      NanoCore is a remote access tool (RAT) with a variety of capabilities.

      keyloggertrojanstealerspywarenanocore

    • ReZer0 packer

      Detects ReZer0, a packer with multiple versions used in various campaigns.

      rezer0

    • Checks whether UAC is enabled

      evasiontrojan

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v6

Tasks