Overview

overview

10

Static

static

58e3b0ca2b...dc.exe

windows7-x64

10

58e3b0ca2b...dc.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    58e3b0ca2bfb71c1aa79085f966ef0f7bd9723b34da4e4482d078122d0d570dc

  • Size

    1.1MB

  • Sample

    220724-gx7mmaabcq

  • MD5

    81d6e902713d19e6a020de496a32f8f9

  • SHA1

    9cbeaa4ee273efe6765b75e47ba1acc9595655f3

  • SHA256

    58e3b0ca2bfb71c1aa79085f966ef0f7bd9723b34da4e4482d078122d0d570dc

  • SHA512

    0323c91426ec73bd20691d39d3d057e2bc2296647c271e2ae93183e0e3077aa74ac02e880e9796af7eb6d9d1de3e11798b54167a8807bb44540df1ce88b59298

Score
10/10
nanocoreevasionkeyloggerspywarestealersuricatatrojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

201.174.233.241:53776

batterthings.duckdns.org:53776
Mutex

09446539-7c38-4c4e-99e5-33f780fd9143

Attributes
  • activate_away_mode

    true

  • backup_connection_host

    batterthings.duckdns.org

  • backup_dns_server

    8.8.4.4

  • buffer_size

    65535

  • build_time

    2017-08-14T09:58:41.077473736Z

  • bypass_user_account_control

    true

  • bypass_user_account_control_data

  • clear_access_control

    true

  • clear_zone_identifier

    false

  • connect_delay

    4000

  • connection_port

    53776

  • default_group

    DDF

  • enable_debug_mode

    true

  • gc_threshold

    1.048576e+07

  • keep_alive_timeout

    30000

  • keyboard_logging

    false

  • lan_timeout

    2500

  • max_packet_size

    1.048576e+07

  • mutex

    09446539-7c38-4c4e-99e5-33f780fd9143

  • mutex_timeout

    5000

  • prevent_system_sleep

    false

  • primary_connection_host

    201.174.233.241

  • primary_dns_server

    8.8.8.8

  • request_elevation

    true

  • restart_delay

    5000

  • run_delay

    0

  • run_on_startup

    true

  • set_critical_process

    true

  • timeout_interval

    5000

  • use_custom_dns_server

    false

  • version

    1.2.2.0

  • wan_timeout

    8000

Targets

    • Target

      58e3b0ca2bfb71c1aa79085f966ef0f7bd9723b34da4e4482d078122d0d570dc

    • Size

      1.1MB

    • MD5

      81d6e902713d19e6a020de496a32f8f9

    • SHA1

      9cbeaa4ee273efe6765b75e47ba1acc9595655f3

    • SHA256

      58e3b0ca2bfb71c1aa79085f966ef0f7bd9723b34da4e4482d078122d0d570dc

    • SHA512

      0323c91426ec73bd20691d39d3d057e2bc2296647c271e2ae93183e0e3077aa74ac02e880e9796af7eb6d9d1de3e11798b54167a8807bb44540df1ce88b59298

    Score
    10/10
    nanocoreevasionkeyloggerspywarestealersuricatatrojan

    • NanoCore

      NanoCore is a remote access tool (RAT) with a variety of capabilities.

      keyloggertrojanstealerspywarenanocore

    • suricata: ET MALWARE Possible NanoCore C2 60B

      suricata: ET MALWARE Possible NanoCore C2 60B

      suricata

    • Drops startup file

    • Checks whether UAC is enabled

      evasiontrojan

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks