nanocore | 3dfa7f8e2a46e736943e051736f4afc891da5e2fd5cbdccdb0179bd615741573 | Triage

Sharing

General

Target

3dfa7f8e2a46e736943e051736f4afc891da5e2fd5cbdccdb0179bd615741573
Size

544KB
Sample

220701-q4t5jsgde8
MD5

10979112e34d90924ce49c49c8f86271
SHA1

7a9c2babcd5dfbd780db85f06fb513c5366cae9c
SHA256

3dfa7f8e2a46e736943e051736f4afc891da5e2fd5cbdccdb0179bd615741573
SHA512

c7ba4d296cb4bfa6d989c230b8a34b54f28430fb9a04536c4a9a0ead567a62a372c096a17aac75e66dcb4091d036fa7406a80cb64d5d0403fa287c10abbeaf60

Score

10^/10

nanocore evasion keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

181.214.55.24:1960

127.0.0.1:1960

Mutex

52e9831e-1a97-4d0d-b4bb-ffe21f0b33f1

Attributes

activate_away_mode
true
backup_connection_host
127.0.0.1
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2018-08-17T12:43:43.708095436Z
bypass_user_account_control
true
bypass_user_account_control_data
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
1960
default_group
NOVEMBER 5TH
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
52e9831e-1a97-4d0d-b4bb-ffe21f0b33f1
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
181.214.55.24
primary_dns_server
8.8.8.8
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
true
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Targets

- Target
  
  3dfa7f8e2a46e736943e051736f4afc891da5e2fd5cbdccdb0179bd615741573
- Size
  
  544KB
- MD5
  
  10979112e34d90924ce49c49c8f86271
- SHA1
  
  7a9c2babcd5dfbd780db85f06fb513c5366cae9c
- SHA256
  
  3dfa7f8e2a46e736943e051736f4afc891da5e2fd5cbdccdb0179bd615741573
- SHA512
  
  c7ba4d296cb4bfa6d989c230b8a34b54f28430fb9a04536c4a9a0ead567a62a372c096a17aac75e66dcb4091d036fa7406a80cb64d5d0403fa287c10abbeaf60
Score

10^/10

nanocore evasion keylogger persistence spyware stealer trojan
- NanoCore
  NanoCore is a remote access tool (RAT) with a variety of capabilities.
  keylogger trojan stealer spyware nanocore
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Checks whether UAC is enabled
  evasion trojan
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

nanocoreevasionkeyloggerpersistencespywarestealertrojan

behavioral2

nanocoreevasionkeyloggerpersistencespywarestealertrojan