c9ae12a64c678ed7284b3514af87b0ac6ce8036306855efcfebdf167aa42c0f1

General
Target

c9ae12a64c678ed7284b3514af87b0ac6ce8036306855efcfebdf167aa42c0f1

Size

772KB

Sample

220521-xbsjksbdd7

Score
10/10
MD5

37e4517bccb2c13b5853022d7c5fcc6e

SHA1

5dd6dbb402b5a336f3a21edfdf6a7da741a652be

SHA256

c9ae12a64c678ed7284b3514af87b0ac6ce8036306855efcfebdf167aa42c0f1

SHA512

c7d20f2c658c295b9a7ad7bf4c533c41b9a4b6b483b3883fc64ee6d7985fcd64e51a93f0a99ea31774b5ac69cc9c4582b0468f06e9e9107bb2d65e2e91170d39

Malware Config

Extracted

Family nanocore
Version 1.2.2.0
C2

antonlmcmotor.ddns.net:3190

Attributes
activate_away_mode
true
backup_connection_host
antonlmcmotor.ddns.net
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2020-03-07T09:50:37.081293536Z
bypass_user_account_control
true
bypass_user_account_control_data
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
3190
default_group
NEWZEALAND
enable_debug_mode
true
gc_threshold
10485760 (1.048576e+07)
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
10485760 (1.048576e+07)
mutex
de74fb71-ce66-421f-80e3-36e9e39a1451
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
antonlmcmotor.ddns.net
primary_dns_server
8.8.8.8
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
false
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000
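The extracted config above is what an analyst actually hunts with, so here is a parser for the report's own one-key-per-line, value-on-the-next-line layout that turns it into a normalized IOC record. This is an added example, not part of the sandbox report or of NanoCore: the key names and values are re-entered from this page, while the empty-value handling, the `NanoCoreIOCs` record and the `WATCHED_FLAGS` list are this example's own assumptions about what is worth surfacing.

```python
"""Parse a NanoCore config dump (report layout) into a normalized IOC record.
Added example; key names and values below are re-entered from the report."""
import re
from dataclasses import dataclass

# Constructed input: an excerpt of the report's extracted config in the same
# key-line / value-line layout. The key with no value on the page
# (bypass_user_account_control_data) is kept on purpose to exercise that path.
CONFIG_DUMP = """\
backup_connection_host
antonlmcmotor.ddns.net
backup_dns_server
8.8.4.4
bypass_user_account_control
true
bypass_user_account_control_data
connection_port
3190
keyboard_logging
false
max_packet_size
1.048576e+07
mutex
de74fb71-ce66-421f-80e3-36e9e39a1451
primary_connection_host
antonlmcmotor.ddns.net
primary_dns_server
8.8.8.8
run_on_startup
false
set_critical_process
true
use_custom_dns_server
false
version
1.2.2.0
"""

KEY_RE = re.compile(r"^[a-z][a-z_]*$")   # snake_case keys as printed in the report
BOOL_WORDS = {"true", "false"}           # the only values that also match KEY_RE


def looks_like_key(line: str) -> bool:
    return bool(KEY_RE.match(line)) and line not in BOOL_WORDS


def coerce(value: str):
    """true/false -> bool; integers and integral floats such as 1.048576e+07 -> int."""
    if value in BOOL_WORDS:
        return value == "true"
    try:
        number = float(value)
    except ValueError:
        return value                     # hostnames, GUIDs, timestamps, "1.2.2.0"
    return int(number) if number.is_integer() else number


def parse_config_dump(text: str) -> dict:
    """Rebuild key/value pairs; a key followed directly by another key gets None."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    cfg, i = {}, 0
    while i < len(lines):
        key = lines[i]
        if not looks_like_key(key):
            raise ValueError(f"expected a config key, got {key!r}")
        nxt = lines[i + 1] if i + 1 < len(lines) else None
        if nxt is None or looks_like_key(nxt):
            cfg[key] = None              # value missing in the dump
            i += 1
        else:
            cfg[key] = coerce(nxt)
            i += 2
    return cfg


# Boolean flags worth surfacing to an analyst (assumed list; names from the report).
WATCHED_FLAGS = (
    "bypass_user_account_control", "request_elevation", "set_critical_process",
    "keyboard_logging", "run_on_startup", "clear_zone_identifier",
)


@dataclass(frozen=True)
class NanoCoreIOCs:
    c2_hosts: tuple          # primary and backup hosts, de-duplicated, order kept
    c2_port: int
    mutex: str
    dns_servers: tuple       # empty unless use_custom_dns_server is true
    enabled_flags: tuple


def extract_iocs(cfg: dict) -> NanoCoreIOCs:
    hosts = []
    for k in ("primary_connection_host", "backup_connection_host"):
        if cfg.get(k) and cfg[k] not in hosts:
            hosts.append(cfg[k])
    dns = tuple(cfg[k] for k in ("primary_dns_server", "backup_dns_server") if cfg.get(k))
    return NanoCoreIOCs(
        c2_hosts=tuple(hosts),
        c2_port=int(cfg["connection_port"]),
        mutex=str(cfg["mutex"]),
        dns_servers=dns if cfg.get("use_custom_dns_server") else (),
        enabled_flags=tuple(f for f in WATCHED_FLAGS if cfg.get(f) is True),
    )


if __name__ == "__main__":
    print(extract_iocs(parse_config_dump(CONFIG_DUMP)))
```

Two things the parsed record makes visible: the primary and backup hosts collapse to a single DDNS name, so there is one domain to block and one to search resolver logs for, and `run_on_startup` is false in the config even though the behavioural signatures below report a Run key being added. Treat the static config as a hint and the dynamic signature as the record of what the sample did.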
Targets
Target

PROOF OF PAYMENT.exe

MD5

01d17f375699dbaedad392aa7920645f

Filesize

1MB

Score
10/10
SHA1

2fbefee529b1aa5079100c5bb07ba37d4988d371

SHA256

4c94eb227b1c9236958b5f31dc3829ce7891e22d3771e25e9e291b08fafdd090

SHA512

6df6601163511770d6b85485c20e0ecb2c71b321aa94dda79e5e067aa0ffe09333acb63c9434f8c36ea79463e06b696be3ff316b92b91b46b90b6545f4b2075d

Signatures

  • NanoCore

    Description

    NanoCore is a remote access tool (RAT) with a variety of capabilities.

  • Drops startup file

  • Adds Run key to start application

    TTPs

    Registry Run Keys / Startup Folder
    Modify Registry
  • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix

Tactic columns on the page (no techniques are filled in beyond the TTPs listed under Signatures): Collection, Command and Control, Credential Access, Defense Evasion, Discovery, Execution, Exfiltration, Impact, Initial Access, Lateral Movement, Privilege Escalation