0568c34ba51f11cf4a7da4458ec8728c7774c3d8e4e78461ad64fec01aa175fd

General

Target: 0568c34ba51f11cf4a7da4458ec8728c7774c3d8e4e78461ad64fec01aa175fd
Size: 840KB
Sample: 220521-xbemqabdc3
Score: 10/10
MD5: 9fe13364ed3ed6af92c35796570e8894
SHA1: 64ecd34fd766e37e301c01e6da922c4e624b9835
SHA256: 0568c34ba51f11cf4a7da4458ec8728c7774c3d8e4e78461ad64fec01aa175fd
SHA512: 2bcdcd4427dd36c2724643b10a8374de17ad7217729552122f1783970f1800fd824dacd495dc3eeff0b887d571de77501084775e949d85a37b0b0231d944b89f

Malware Config

Extracted

Family: nanocore
Version: 1.2.2.0
C2:

  • forwork61420.ddns.net:3118

  • forwork61420.duckdns.org:3118

Attributes

activate_away_mode: true
backup_connection_host: forwork61420.duckdns.org
backup_dns_server: 8.8.4.4
buffer_size: 65535
build_time: 2020-03-28T15:15:12.586904536Z
bypass_user_account_control: true
bypass_user_account_control_data:
clear_access_control: true
clear_zone_identifier: true
connect_delay: 4000
connection_port: 3118
default_group: TT
enable_debug_mode: true
gc_threshold: 1.048576e+07
keep_alive_timeout: 30000
keyboard_logging: false
lan_timeout: 2500
max_packet_size: 1.048576e+07
mutex: 713ef177-b6be-471f-adec-854b1cda1062
mutex_timeout: 5000
prevent_system_sleep: true
primary_connection_host: forwork61420.ddns.net
primary_dns_server: 8.8.8.8
request_elevation: true
restart_delay: 5000
run_delay: 0
run_on_startup: true
set_critical_process: true
timeout_interval: 5000
use_custom_dns_server: false
version: 1.2.2.0
wan_timeout: 8000
Targets

Target: Purchase Order061720PDF.exe
MD5: 087c73bf612b9d9694409a763b3c270a
Filesize: 1MB
Score: 10/10
SHA1: d033c49a30a38a59764d2a1a2eab537574b53e98
SHA256: 17fa709f1a866d573f997f8f1288d537de382cccc5a4f9c1811db9da34c016b2
SHA512: 0f767f635e0edf66333835ced8e0f377aa9158137ff891af3d7ebaa3e18193c61bd88f22896dc7269aa03d97eb1852c9dbb882fe03d637a7b8e2107150db11c3

Tags

Signatures

  • NanoCore

    Description

    NanoCore is a remote access tool (RAT) with a variety of capabilities.

    Tags

  • Drops startup file

  • Suspicious use of SetThreadContext

Related Tasks

MITRE ATT&CK Matrix

Tactics: Collection, Command and Control, Credential Access, Defense Evasion, Discovery, Execution, Exfiltration, Impact, Initial Access, Lateral Movement, Persistence, Privilege Escalation

Tasks

  • static1: 5/10