nanocore | 71f5f09ec8f0e4b1296da50a6a4e4e87c10e85aadc1a8261f0c6f2ecde4a5ac5 | Triage

Sharing

General

Target

71f5f09ec8f0e4b1296da50a6a4e4e87c10e85aadc1a8261f0c6f2ecde4a5ac5
Size

563KB
Sample

220521-amk8badddk
MD5

929ddd432949a0809329d50896cbd7cc
SHA1

01f6eb2d1a897dbc346cbb713df2dbb85918bf28
SHA256

71f5f09ec8f0e4b1296da50a6a4e4e87c10e85aadc1a8261f0c6f2ecde4a5ac5
SHA512

5e144052f47b123457d346f35af3227546dd9e619f951762ec8184c6edafb2a63e02002be3bcb225a5f72131bbc43909d556b8caa5224e3d9c659d27738d665e

Score

10^/10

nanocore keylogger spyware stealer trojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

harolds.ooguy.com:6051

harold.2waky.com:6051

Mutex

79556390-7150-4551-9067-10cd33e6482e

Attributes

activate_away_mode
true
backup_connection_host
harold.2waky.com
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2020-04-28T08:36:06.976087436Z
bypass_user_account_control
true
bypass_user_account_control_data
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
6051
default_group
Acandy
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
79556390-7150-4551-9067-10cd33e6482e
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
harolds.ooguy.com
primary_dns_server
8.8.8.8
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
true
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Targets

- Target
  
  71f5f09ec8f0e4b1296da50a6a4e4e87c10e85aadc1a8261f0c6f2ecde4a5ac5
- Size
  
  563KB
- MD5
  
  929ddd432949a0809329d50896cbd7cc
- SHA1
  
  01f6eb2d1a897dbc346cbb713df2dbb85918bf28
- SHA256
  
  71f5f09ec8f0e4b1296da50a6a4e4e87c10e85aadc1a8261f0c6f2ecde4a5ac5
- SHA512
  
  5e144052f47b123457d346f35af3227546dd9e619f951762ec8184c6edafb2a63e02002be3bcb225a5f72131bbc43909d556b8caa5224e3d9c659d27738d665e
Score

3^/10
behavioral1 behavioral2
- Target
  
  Payment Confirmation.scr
- Size
  
  813KB
- MD5
  
  26325d99df3eeb5f6f39f9eb45ae3bee
- SHA1
  
  54e06e4ef19e4209c023724a1863cbf752ea67f8
- SHA256
  
  b8d17b00725d58556c468f413f0825f5ac4fe19734898645d9db2f2f0be5e1af
- SHA512
  
  8803e0ed820fa0916324169e5ab7f32bc88c4bf0a5b8b400efe5bec8acf1ebad7aec3238713d9be6adbbb59d4652cac4caae281ebc25dc9fa0a864bc3b62a407
Score

10^/10

nanocore keylogger spyware stealer trojan
- NanoCore
  NanoCore is a remote access tool (RAT) with a variety of capabilities.
  keylogger trojan stealer spyware nanocore
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Suspicious use of SetThreadContext
behavioral3 behavioral4

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

Persistence

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Credential Access

Discovery

System Information Discovery

Query Registry

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

behavioral2

behavioral3

nanocorekeyloggerspywarestealertrojan

behavioral4

nanocorekeyloggerspywarestealertrojan