40b95258cd14597c0850f6e1c78a3af4812bd89fa9b3706561b43e20457ac792

Target

Size

871KB

Sample

220521-xcjm3abdf9

Score

10 ^/10

MD5

5bbaebfc9e1f12fb2b1c173681436e43

SHA1

36f2830e64e19d726f8ff7f92c2710efc7bd4e3b

SHA256

40b95258cd14597c0850f6e1c78a3af4812bd89fa9b3706561b43e20457ac792

SHA512

4e29213a950a61e1fd5ca9cab1f7a8b7905010a2eb57a130b4aeda2a9d0ecc9904fe3da3215728a776b83013df92bd8ca78d40afbbd1ba1aa412863736ca7a49

Extracted

Family	nanocore
Version	1.2.2.0
C2	185.140.53.12:1985 127.0.0.1:1985 185.140.53.12:1985 127.0.0.1:1985
Attributes	activate_away_mode true backup_connection_host 127.0.0.1 backup_dns_server 8.8.4.4 buffer_size 65535 build_time 2020-01-17T10:03:49.054089636Z bypass_user_account_control true bypass_user_account_control_data clear_access_control false clear_zone_identifier false connect_delay 4000 connection_port 1985 default_group kdott enable_debug_mode true gc_threshold 1.048576e+07 keep_alive_timeout 30000 keyboard_logging false lan_timeout 2500 max_packet_size 1.048576e+07 mutex 1b68869e-dd8c-4eea-829f-d7272a505d3a mutex_timeout 5000 prevent_system_sleep true primary_connection_host 185.140.53.12 primary_dns_server 8.8.8.8 request_elevation true restart_delay 5000 run_delay 0 run_on_startup false set_critical_process true timeout_interval 5000 use_custom_dns_server false version 1.2.2.0 wan_timeout 8000

Target

00008442786.exe

MD5

b979af7040bd69e7f91b3b4de4e4c3ff

Filesize

1MB

Score

10^/10

SHA1

eeb5e20cf6258c68c9be89dc81683f5bf57a3380

SHA256

5e09510e834b75413af64e013eda43df867fab6080facf4227a08ca64861a244

SHA512

fdb5a12cbb102f355619761942a28e7b31e9a26ded8fc1cacdd3437d6ccc182e11eb795bdfd472746a968a1ee9be824c5cc44541eb2f51ba1fa68a6ee745e31b

Signatures

NanoCore
Description

NanoCore is a remote access tool (RAT) with a variety of capabilities.
Tags

keylogger trojan stealer spyware nanocore
Drops startup file
Adds Run key to start application
Tags

persistence

TTPs

Registry Run Keys / Startup FolderModify Registry
Suspicious use of SetThreadContext

Related Tasks

behavioral1 behavioral2

Collection

Command and Control

Credential Access

Defense Evasion

Modify Registry

Discovery

Execution

Exfiltration

Impact

Initial Access

Lateral Movement

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

static1

5^/10

behavioral1

nanocore keylogger persistence spyware stealer trojan

10^/10

behavioral2

nanocore keylogger persistence spyware stealer trojan

10^/10

Extracted

Tags

Signatures

NanoCore

Description

Tags

Drops startup file

Adds Run key to start application

Tags

TTPs

Suspicious use of SetThreadContext

Related Tasks

static1

behavioral1

behavioral2