nanocore | fc5e3bcf40112d3c02ea2ff40593239058317103e208bf18bf869447387c2b4e | Triage

Sharing

General

Target

fc5e3bcf40112d3c02ea2ff40593239058317103e208bf18bf869447387c2b4e
Size

407KB
Sample

220521-n8ejjsaaan
MD5

5fcd20c44d19aa9ba305616313968e09
SHA1

5c5fcde8967315875d173b04aa10fdaabf660b44
SHA256

fc5e3bcf40112d3c02ea2ff40593239058317103e208bf18bf869447387c2b4e
SHA512

80a28ef1b6177523341c3a5e577c271268cb3c8b5c15fa19da1874c23db5aa2be0adad1116fe52df4a59c2bbcd17730666784e94e642f162353815962af3e483

Score

10^/10

nanocore evasion keylogger spyware stealer suricata trojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

sack517.ddns.net:5656

sack517.duckdns.org:5656

Mutex

c7a8fda1-e948-4efe-8823-4e1fe1d7a7c1

Attributes

activate_away_mode
true
backup_connection_host
sack517.duckdns.org
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2020-03-02T00:28:26.601869136Z
bypass_user_account_control
true
bypass_user_account_control_data
clear_access_control
true
clear_zone_identifier
true
connect_delay
4000
connection_port
5656
default_group
SACK
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
c7a8fda1-e948-4efe-8823-4e1fe1d7a7c1
mutex_timeout
5000
prevent_system_sleep
true
primary_connection_host
sack517.ddns.net
primary_dns_server
8.8.8.8
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
true
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Targets

- Target
  
  AHF PO 00035440PDF.exe
- Size
  
  498KB
- MD5
  
  1ea3b1a102cee26912254a6a1e2dc627
- SHA1
  
  635ea4fe2d801ffcbdb2284f74fdd78c9c4ed795
- SHA256
  
  4329ace3154dca4e544733d0f2f10abc543755dde977d9bb6998fb7368186bb8
- SHA512
  
  e63c4b691e9618f6f86097f71b75083d8cc507a20c5e8a1b4fbd513fd01d0c2a909ba4585f56bcbb566bafd06293b2afdfcb0974f254152b295a9b1ad46dab61
Score

10^/10

nanocore evasion keylogger spyware stealer suricata trojan
- NanoCore
  NanoCore is a remote access tool (RAT) with a variety of capabilities.
  keylogger trojan stealer spyware nanocore
- suricata: ET MALWARE Possible NanoCore C2 60B
  suricata: ET MALWARE Possible NanoCore C2 60B
  suricata
- Looks for VirtualBox Guest Additions in registry
  evasion
- Looks for VMWare Tools registry key
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

Persistence

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Virtualization/Sandbox Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

Virtualization/Sandbox Evasion

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

nanocoreevasionkeyloggerspywarestealersuricatatrojan

behavioral2

nanocoreevasionkeyloggerspywarestealersuricatatrojan