nanocore | f866833ab442929e34536a128184bceafe1715499777a61244323551742bf4ee | Triage

Sharing

General

Target

f866833ab442929e34536a128184bceafe1715499777a61244323551742bf4ee
Size

2.2MB
Sample

220521-xb94maefhm
MD5

4c0b0a3028dcb0cb3015b4691c64c0b2
SHA1

f8726da87ee112ed109245c39c8401678127e039
SHA256

f866833ab442929e34536a128184bceafe1715499777a61244323551742bf4ee
SHA512

0b00559673d934c6015ed6b698aeec9e66df155de25b6b6ee3e8dd4729ebedcd65b55b7beb7a2d0d667adacffa610692c9616ded900b14b06a468a0f2602a1c3

Score

10^/10

nanocore keylogger spyware stealer trojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

u852117.nvpn.so:5638

comcasted.duckdns.org:5638

Mutex

c2752564-42a0-44a1-9f65-f38d35e9ab26

Attributes

activate_away_mode
true
backup_connection_host
comcasted.duckdns.org
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2019-12-31T14:52:32.548938136Z
bypass_user_account_control
true
bypass_user_account_control_data
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
5638
default_group
comcasted
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
c2752564-42a0-44a1-9f65-f38d35e9ab26
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
u852117.nvpn.so
primary_dns_server
8.8.8.8
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
true
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Targets

- Target
  
  ENQUIRY_.EXE
- Size
  
  1.7MB
- MD5
  
  a2301e5f6bb76e888d242c4a6a49af47
- SHA1
  
  680dd9446633c37b09e2bc0542d86628ececc397
- SHA256
  
  51b15f2f55025fe7eff1ee4a4f5a2bedc616f3e0fc678a01a108d52c41e693ec
- SHA512
  
  4fe8ddb24f2ddc44250f8efeb72c556559c5568808cc310bc6154da705405044071416ed2d5ee263b4a209ab1f864bd3f2d14493553d370c8666d652328e5fe6
Score

10^/10

nanocore keylogger spyware stealer trojan
- NanoCore
  NanoCore is a remote access tool (RAT) with a variety of capabilities.
  keylogger trojan stealer spyware nanocore
- Drops startup file
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix

Tasks

static1

behavioral1

nanocorekeyloggerspywarestealertrojan

behavioral2

nanocorekeyloggerspywarestealertrojan