nanocore

Sharing

Copy URL

Twitter E-mail

General

Target

1caa0c0cf4ebf43877c706c82a15ef218e09063e1e5d6a806b625f8a0e5e3b0d
Size

691KB
Sample

220521-nccebagefn
MD5

4793a9229d11749bc8ea30f375ee2809
SHA1

4f54d8909984088890f655e6fdf09db345b539fe
SHA256

1caa0c0cf4ebf43877c706c82a15ef218e09063e1e5d6a806b625f8a0e5e3b0d
SHA512

42087b276cf6d41a0bc2065a902c67927497b69ac5568d1bbbfbfc8b28cf1d24e0056ab203667aad95b0556aa38199c675bb0e2302648e1f594057bc59a3fc40

Score

10^/10

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

sandshoe.myfirewall.org:5654

79.134.225.85:5654

Mutex

b234c25f-62f0-47ae-8f27-8aa17107a06f

Attributes

activate_away_mode
true
backup_connection_host
79.134.225.85
backup_dns_server
sandshoe.myfirewall.org
buffer_size
65535
build_time
2020-05-29T06:46:02.017119936Z
bypass_user_account_control
false
bypass_user_account_control_data
PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTE2Ij8+DQo8VGFzayB2ZXJzaW9uPSIxLjIiIHhtbG5zPSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dpbmRvd3MvMjAwNC8wMi9taXQvdGFzayI+DQogIDxSZWdpc3RyYXRpb25JbmZvIC8+DQogIDxUcmlnZ2VycyAvPg0KICA8UHJpbmNpcGFscz4NCiAgICA8UHJpbmNpcGFsIGlkPSJBdXRob3IiPg0KICAgICAgPExvZ29uVHlwZT5JbnRlcmFjdGl2ZVRva2VuPC9Mb2dvblR5cGU+DQogICAgICA8UnVuTGV2ZWw+SGlnaGVzdEF2YWlsYWJsZTwvUnVuTGV2ZWw+DQogICAgPC9QcmluY2lwYWw+DQogIDwvUHJpbmNpcGFscz4NCiAgPFNldHRpbmdzPg0KICAgIDxNdWx0aXBsZUluc3RhbmNlc1BvbGljeT5QYXJhbGxlbDwvTXVsdGlwbGVJbnN0YW5jZXNQb2xpY3k+DQogICAgPERpc2FsbG93U3RhcnRJZk9uQmF0dGVyaWVzPmZhbHNlPC9EaXNhbGxvd1N0YXJ0SWZPbkJhdHRlcmllcz4NCiAgICA8U3RvcElmR29pbmdPbkJhdHRlcmllcz5mYWxzZTwvU3RvcElmR29pbmdPbkJhdHRlcmllcz4NCiAgICA8QWxsb3dIYXJkVGVybWluYXRlPnRydWU8L0FsbG93SGFyZFRlcm1pbmF0ZT4NCiAgICA8U3RhcnRXaGVuQXZhaWxhYmxlPmZhbHNlPC9TdGFydFdoZW5BdmFpbGFibGU+DQogICAgPFJ1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+ZmFsc2U8L1J1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+DQogICAgPElkbGVTZXR0aW5ncz4NCiAgICAgIDxTdG9wT25JZGxlRW5kPmZhbHNlPC9TdG9wT25JZGxlRW5kPg0KICAgICAgPFJlc3RhcnRPbklkbGU+ZmFsc2U8L1Jlc3RhcnRPbklkbGU+DQogICAgPC9JZGxlU2V0dGluZ3M+DQogICAgPEFsbG93U3RhcnRPbkRlbWFuZD50cnVlPC9BbGxvd1N0YXJ0T25EZW1hbmQ+DQogICAgPEVuYWJsZWQ+dHJ1ZTwvRW5hYmxlZD4NCiAgICA8SGlkZGVuPmZhbHNlPC9IaWRkZW4+DQogICAgPFJ1bk9ubHlJZklkbGU+ZmFsc2U8L1J1bk9ubHlJZklkbGU+DQogICAgPFdha2VUb1J1bj5mYWxzZTwvV2FrZVRvUnVuPg0KICAgIDxFeGVjdXRpb25UaW1lTGltaXQ+UFQwUzwvRXhlY3V0aW9uVGltZUxpbWl0Pg0KICAgIDxQcmlvcml0eT40PC9Qcmlvcml0eT4NCiAgPC9TZXR0aW5ncz4NCiAgPEFjdGlvbnMgQ29udGV4dD0iQXV0aG9yIj4NCiAgICA8RXhlYz4NCiAgICAgIDxDb21tYW5kPiIjRVhFQ1VUQUJMRVBBVEgiPC9Db21tYW5kPg0KICAgICAgPEFyZ3VtZW50cz4kKEFyZzApPC9Bcmd1bWVudHM+DQogICAgPC9FeGVjPg0KICA8L0FjdGlvbnM+DQo8L1Rhc2s+
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
5654
default_group
SAND
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
b234c25f-62f0-47ae-8f27-8aa17107a06f
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
sandshoe.myfirewall.org
primary_dns_server
79.134.225.85
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
true
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Targets

- Target
  
  RFQ_PO_5638828111.pdf Img in.exe
- Size
  
  450KB
- MD5
  
  e7258dccdfef178b604b129967ae3091
- SHA1
  
  7ea24dd9756999e4c7ee0620fb2f9750bee23077
- SHA256
  
  6d6f5f18b3a61dc596b10fbca17969aa9e8b2d771af6b9084977e0dfa70ff6e6
- SHA512
  
  2424ed2d515498068c87ccf788741c126d33b46d0cb787fff8183179d73e095e051235ca9e7f6bf5791c5c76d2039154f405a08961f336bfe7b688e2fb66c801
Score

10^/10

nanocore evasion keylogger spyware stealer trojan
- NanoCore
  NanoCore is a remote access tool (RAT) with a variety of capabilities.
  keylogger trojan stealer spyware nanocore
- Unexpected DNS network traffic destination
  Network traffic to other servers than the configured DNS servers was detected on the DNS port.
- Checks whether UAC is enabled
  evasion trojan
- Suspicious use of SetThreadContext
behavioral1 behavioral2
- Target
  
  Specification 788919754.pdf img ind.exe
- Size
  
  411KB
- MD5
  
  b93e8fe38d0df20ba517b9d531660a4e
- SHA1
  
  ebc70668346f27b9c31759b335c3f6cb619c71b5
- SHA256
  
  293bf5eeec6d5d30ee3b3d26f73d6cb81f4e080a449774fc8d2c3a724454f521
- SHA512
  
  fa07022ab0d2d48066017e8283a9adab2fa2f8aebac2113ec451bd5b339639d0771fd975a92072bdabb24c24f4f40c25707aa9ec3d906104db9c59ba6ddf675d
Score

10^/10

xpertrat collection evasion persistence rat trojan
- UAC bypass
  evasion trojan
- Windows security bypass
  evasion trojan
- XpertRAT
  XpertRAT is a remote access trojan with various capabilities.
  rat xpertrat
- Adds policy Run key to start application
  persistence
- Windows security modification
  evasion trojan
- Accesses Microsoft Outlook accounts
  collection
- Adds Run key to start application
  persistence
- Checks whether UAC is enabled
  evasion trojan
- Program crash
- Suspicious use of SetThreadContext
behavioral3 behavioral4

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Scheduled Task

T1053

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Email Collection

T1114

Exfiltration

Command and Control

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Unexpected DNS network traffic destination

Checks whether UAC is enabled

Suspicious use of SetThreadContext

UAC bypass

Windows security bypass

XpertRAT

Adds policy Run key to start application

Windows security modification

Accesses Microsoft Outlook accounts

Adds Run key to start application

Checks whether UAC is enabled

Program crash

Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4