nanocore | 56333ebe0e71a128151a373386f152598dfac647a0f9c7c6cf6d48c8e2d6081f | Triage

Sharing

General

Target

56333ebe0e71a128151a373386f152598dfac647a0f9c7c6cf6d48c8e2d6081f
Size

4.3MB
Sample

220725-fn5w1afhbq
MD5

5b2f4e07e883c0b165daaba2127a589f
SHA1

c9edf782418140d7720f58d996dbcaeec965ee50
SHA256

56333ebe0e71a128151a373386f152598dfac647a0f9c7c6cf6d48c8e2d6081f
SHA512

80be5d187ad54b8396fab7045bc7f15f1eb1434bfa2e30707b4f4b5e59548039f2ee2cc8f6b4f7edde01bfd680306fcd875bf653be8b88c6d67bd6fb26e84010

Score

10^/10

nanocore quasar public evasion keylogger persistence spyware stealer suricata trojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

109.230.215.181:1604

127.0.0.1:1604

Mutex

7fa6e9c8-20ea-4047-9f02-2251015e4ea4

Attributes

activate_away_mode
false
backup_connection_host
127.0.0.1
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2018-03-10T10:37:21.189476636Z
bypass_user_account_control
true
bypass_user_account_control_data
clear_access_control
false
clear_zone_identifier
false
connect_delay
4000
connection_port
1604
default_group
crypt authorized
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
7fa6e9c8-20ea-4047-9f02-2251015e4ea4
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
109.230.215.181
primary_dns_server
8.8.8.8
request_elevation
false
restart_delay
5000
run_delay
0
run_on_startup
false
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Extracted

Family

quasar

Version

1.4.0.0

Botnet

public

C2

109.230.215.181:4782

Mutex

wrZ9bZkif6pZsmpibj

Attributes

encryption_key
OAlqwcOC5GAUaDQi56x4
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
RDPBlox Agent
subdirectory
SubDir

Targets

- Target
  
  56333ebe0e71a128151a373386f152598dfac647a0f9c7c6cf6d48c8e2d6081f
- Size
  
  4.3MB
- MD5
  
  5b2f4e07e883c0b165daaba2127a589f
- SHA1
  
  c9edf782418140d7720f58d996dbcaeec965ee50
- SHA256
  
  56333ebe0e71a128151a373386f152598dfac647a0f9c7c6cf6d48c8e2d6081f
- SHA512
  
  80be5d187ad54b8396fab7045bc7f15f1eb1434bfa2e30707b4f4b5e59548039f2ee2cc8f6b4f7edde01bfd680306fcd875bf653be8b88c6d67bd6fb26e84010
Score

10^/10

nanocore quasar public evasion keylogger persistence spyware stealer suricata trojan
- Modifies visiblity of hidden/system files in Explorer
  evasion
- NanoCore
  NanoCore is a remote access tool (RAT) with a variety of capabilities.
  keylogger trojan stealer spyware nanocore
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Quasar payload
- suricata: ET MALWARE Common RAT Connectivity Check Observed
  suricata: ET MALWARE Common RAT Connectivity Check Observed
  suricata
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Checks whether UAC is enabled
  evasion trojan
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

Persistence

Hidden Files and Directories

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

nanocorequasarpublicevasionkeyloggerpersistencespywarestealersuricatatrojan

behavioral2

nanocoreevasionkeyloggerpersistencespywarestealersuricatatrojan