Overview

overview

10

Static

static

phorncha l...0 .exe

windows7_x64

10

phorncha l...0 .exe

windows10-2004_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    83df743a1cc34b1e556293d1e23996ee1035e8ba78c3c2c4827e59bf491e1732

  • Size

    291KB

  • Sample

    220521-b1t8tafhcq

  • MD5

    7526a715a850893158a905de3615ebb3

  • SHA1

    95a796bd5e6150441d6afe02ec9169d22b0393f6

  • SHA256

    83df743a1cc34b1e556293d1e23996ee1035e8ba78c3c2c4827e59bf491e1732

  • SHA512

    ed4c98a1baaa9f8567d4919887a5fc4a50479d9e0a320a9bd772b78e3c5ba0c3237c43fb2a4bdc896a85af1a8733a375ec1e6e7d099b6dca1e7c9fd0dddfedbb

Score
10/10
nanocoreevasionkeyloggerspywarestealertrojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

185.244.29.248:10011

Mutex

74e4977e-acd0-4290-a1f2-d0337618afe8

Attributes
  • activate_away_mode

    true

  • backup_connection_host

    185.244.29.248

  • backup_dns_server

    8.8.4.4

  • buffer_size

    65535

  • build_time

    2020-01-26T12:59:50.454534936Z

  • bypass_user_account_control

    true

  • bypass_user_account_control_data

  • clear_access_control

    true

  • clear_zone_identifier

    false

  • connect_delay

    4000

  • connection_port

    10011

  • default_group

    Default p2kenneth222

  • enable_debug_mode

    true

  • gc_threshold

    1.048576e+07

  • keep_alive_timeout

    30000

  • keyboard_logging

    false

  • lan_timeout

    2500

  • max_packet_size

    1.048576e+07

  • mutex

    74e4977e-acd0-4290-a1f2-d0337618afe8

  • mutex_timeout

    5000

  • prevent_system_sleep

    false

  • primary_connection_host

    185.244.29.248

  • primary_dns_server

    8.8.8.8

  • request_elevation

    true

  • restart_delay

    5000

  • run_delay

    0

  • run_on_startup

    true

  • set_critical_process

    true

  • timeout_interval

    5000

  • use_custom_dns_server

    false

  • version

    1.2.2.0

  • wan_timeout

    8000

Targets

    • Target

      phorncha ltd 05-11-2020 .exe

    • Size

      375KB

    • MD5

      dba3c8e9dde9dd0df134d08192e2d917

    • SHA1

      9c5e12ba2d662d0c237a134277d4f1a2c42edccf

    • SHA256

      080a6fbf91637b683b6f363092f9b7d6e75b8442c6f9df32ffea0788e16fafdf

    • SHA512

      84a51f030207ea62c81f666ae0798db32460f5a10875f80a17d642a9400b04a96b62dc7f8d37bcdc40b184698713129e3b423ad81ff2febd13399d7ed24d4274

    Score
    10/10
    nanocoreevasionkeyloggerspywarestealertrojan

    • NanoCore

      NanoCore is a remote access tool (RAT) with a variety of capabilities.

      keyloggertrojanstealerspywarenanocore

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Checks whether UAC is enabled

      evasiontrojan

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1
T1053

Persistence

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

3
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks