40b95258cd14597c0850f6e1c78a3af4812bd89fa9b3706561b43e20457ac792

General

Target: 40b95258cd14597c0850f6e1c78a3af4812bd89fa9b3706561b43e20457ac792
Size: 871KB
Sample: 220521-xcjm3abdf9
Score: 10/10
MD5: 5bbaebfc9e1f12fb2b1c173681436e43
SHA1: 36f2830e64e19d726f8ff7f92c2710efc7bd4e3b
SHA256: 40b95258cd14597c0850f6e1c78a3af4812bd89fa9b3706561b43e20457ac792
SHA512: 4e29213a950a61e1fd5ca9cab1f7a8b7905010a2eb57a130b4aeda2a9d0ecc9904fe3da3215728a776b83013df92bd8ca78d40afbbd1ba1aa412863736ca7a49

Malware Config

Extracted

Family: nanocore
Version: 1.2.2.0
C2:
  • 185.140.53.12:1985
  • 127.0.0.1:1985

Attributes

activate_away_mode: true
backup_connection_host: 127.0.0.1
backup_dns_server: 8.8.4.4
buffer_size: 65535
build_time: 2020-01-17T10:03:49.054089636Z
bypass_user_account_control: true
bypass_user_account_control_data:
clear_access_control: false
clear_zone_identifier: false
connect_delay: 4000
connection_port: 1985
default_group: kdott
enable_debug_mode: true
gc_threshold: 1.048576e+07
keep_alive_timeout: 30000
keyboard_logging: false
lan_timeout: 2500
max_packet_size: 1.048576e+07
mutex: 1b68869e-dd8c-4eea-829f-d7272a505d3a
mutex_timeout: 5000
prevent_system_sleep: true
primary_connection_host: 185.140.53.12
primary_dns_server: 8.8.8.8
request_elevation: true
restart_delay: 5000
run_delay: 0
run_on_startup: false
set_critical_process: true
timeout_interval: 5000
use_custom_dns_server: false
version: 1.2.2.0
wan_timeout: 8000
Targets

Target: 00008442786.exe
MD5: b979af7040bd69e7f91b3b4de4e4c3ff
Filesize: 1MB
Score: 10/10
SHA1: eeb5e20cf6258c68c9be89dc81683f5bf57a3380
SHA256: 5e09510e834b75413af64e013eda43df867fab6080facf4227a08ca64861a244
SHA512: fdb5a12cbb102f355619761942a28e7b31e9a26ded8fc1cacdd3437d6ccc182e11eb795bdfd472746a968a1ee9be824c5cc44541eb2f51ba1fa68a6ee745e31b

Signatures

  • NanoCore

    Description

    NanoCore is a remote access tool (RAT) with a variety of capabilities.

  • Drops startup file

  • Adds Run key to start application

    TTPs

    Registry Run Keys / Startup Folder
    Modify Registry

  • Suspicious use of SetThreadContext
