Overview

overview

10

Static

static

Doc.exe

windows7_x64

10

Doc.exe

windows10-2004_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    d4d85233fc3fc9f41440322c310e0d4641b555836a0581affdd74b598db07f9a

  • Size

    528KB

  • Sample

    220521-chjj2adhe4

  • MD5

    563b3ecd1d843b551785ade4090ba1e3

  • SHA1

    481a343c8c9c2d990a2804d307919c62b104ca85

  • SHA256

    d4d85233fc3fc9f41440322c310e0d4641b555836a0581affdd74b598db07f9a

  • SHA512

    888530c501183eb2f3a56d3ada723d2f594951f77ed421ff1356056d794f66af318b6c0bcd0c1682eafe76ab5d96494c102afdb9464fbba24457bca618b533cf

Score
10/10
nanocoreevasionkeyloggerspywarestealertrojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

172.111.188.199:8829

Mutex

ce1d7a43-a4b9-4511-9ddf-1134841f2535

Attributes
  • activate_away_mode

    true

  • backup_connection_host

  • backup_dns_server

    8.8.4.4

  • buffer_size

    65535

  • build_time

    2020-02-02T10:25:40.952250336Z

  • bypass_user_account_control

    true

  • bypass_user_account_control_data

  • clear_access_control

    true

  • clear_zone_identifier

    false

  • connect_delay

    4000

  • connection_port

    8829

  • default_group

    Billi

  • enable_debug_mode

    true

  • gc_threshold

    1.048576e+07

  • keep_alive_timeout

    30000

  • keyboard_logging

    false

  • lan_timeout

    2500

  • max_packet_size

    1.048576e+07

  • mutex

    ce1d7a43-a4b9-4511-9ddf-1134841f2535

  • mutex_timeout

    5000

  • prevent_system_sleep

    false

  • primary_connection_host

    172.111.188.199

  • primary_dns_server

    8.8.8.8

  • request_elevation

    true

  • restart_delay

    5000

  • run_delay

    0

  • run_on_startup

    true

  • set_critical_process

    true

  • timeout_interval

    5000

  • use_custom_dns_server

    false

  • version

    1.2.2.0

  • wan_timeout

    8000

Targets

    • Target

      Doc.exe

    • Size

      466KB

    • MD5

      8c8511c9f1d403bc6fe92b029fb54a11

    • SHA1

      50a463e366f0a763739b21eff0cdb21111454e50

    • SHA256

      86e7c721f7fd48bd652d9a36a32e5744bd8ae0b02701f3d3086f9c7603a31369

    • SHA512

      cbb91b0f6b05a25ede137beba32ecce849b1cd54c74d0f3d38c2f63f61ca2a6ea86df0798c902e6e1e7699a63ceaec84261d923624d7f1798c00a40bec0a0e3a

    Score
    10/10
    nanocoreevasionkeyloggerspywarestealertrojan

    • NanoCore

      NanoCore is a remote access tool (RAT) with a variety of capabilities.

      keyloggertrojanstealerspywarenanocore

    • Looks for VirtualBox Guest Additions in registry

      evasion

    • Looks for VMWare Tools registry key

      evasion

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v6

Tasks