General

  • Target: Stubs.zip
  • Size: 239KB
  • Sample: 220824-k3zezsccf8
  • MD5: 0fd61bf6d3acd274369943a43fb6f2ab
  • SHA1: 8076939385a425fdbcafd4aaf97410617ac3f96c
  • SHA256: 76f8fec1a95db07a76d543fbdb4c9a0094b3e60a47f285372830c8924bc103d7
  • SHA512: 0d899045b2df7cd2915a0fb28a0792bb2ce97565496a0b1492c7f2d0bc2f251ad7c136145a3d30fa5e316cba04053ab49f83b34a2d2131406dfdf947bb3da5fc
  • SSDEEP: 6144:Ab3L5MsSI/44sPiL7yFH1dNRnmEzrzHvMsfugMz9V9NM8g:iN//AnP4yHHnmEXrMmLMz9V9NM8g

Malware Config

Extracted

Family: nanocore
Version: 1.2.2.0
C2: connect1212.ddns.net:54984
Mutex: 88cb7334-a7ec-4d51-a0d9-0f7f768ea541

Attributes
  • activate_away_mode: false
  • backup_connection_host:
  • backup_dns_server: 8.8.4.4
  • buffer_size: 65535
  • build_time: 2022-04-22T14:20:28.391884536Z
  • bypass_user_account_control: true
  • bypass_user_account_control_data:
  • clear_access_control: false
  • clear_zone_identifier: false
  • connect_delay: 4000
  • connection_port: 54984
  • default_group: Default
  • enable_debug_mode: true
  • gc_threshold: 1.048576e+07
  • keep_alive_timeout: 30000
  • keyboard_logging: false
  • lan_timeout: 2500
  • max_packet_size: 1.048576e+07
  • mutex: 88cb7334-a7ec-4d51-a0d9-0f7f768ea541
  • mutex_timeout: 5000
  • prevent_system_sleep: false
  • primary_connection_host: connect1212.ddns.net
  • primary_dns_server: 8.8.8.8
  • request_elevation: true
  • restart_delay: 5000
  • run_delay: 0
  • run_on_startup: false
  • set_critical_process: true
  • timeout_interval: 5000
  • use_custom_dns_server: false
  • version: 1.2.2.0
  • wan_timeout: 8000

Extracted

Family: njrat
Version: im523
Botnet: HacKed
C2: connect1212.ddns.net:5552
Mutex: 32dc075b47a82be9c432045c10a29dec

Attributes
  • reg_key: 32dc075b47a82be9c432045c10a29dec
  • splitter: |'|'|

Targets

  Target: TUView.exe
    • Size: 150KB
    • MD5: 2c5aef89291a616850b5d6a9d532b8c0
    • SHA1: 48fc949f0e6070407d422107f93af93aa632b356
    • SHA256: 4d3ddbbc0ae3395c1d5d4b30cc511129ac4944b0338b077176d9d11dd5485063
    • SHA512: 0653bb4af05678957afc298057888a5c48641e9bff6bd3ed356abefe6b2db3ed280deb2704c3d6cb49a9c56e20b79ddfedf682bc32083ba9580a8dfbbe887db2
    • SSDEEP: 3072:KV5vmK0PS3TFgUM/ZT0MWcYvWrPVY5c2Ij2LNdakqHH3zq0+Pi585L+0uB+m7P:+GHHi650+5

    Score: 8/10
    • Executes dropped EXE
    • Checks computer location settings
      Looks up country code configured in the registry, likely geofence.
    • Drops startup file
    • Adds Run key to start application

  Target: TView.exe
    • Size: 209KB
    • MD5: c9f31f31e2db35acd96a1ba8383b127a
    • SHA1: 80d1545549cea3af6e968eae26c6de9d73c8b57d
    • SHA256: ab640b81983002bf968ca227b0267a88b89e627ccb3127d46036b25907bd2edb
    • SHA512: e32da900fc124cb9ccbdf0ec1df6cbcdd5f9c27c743056754ebfe54d4f3c408114b84d54aa9cf6383bffd88de9f1331f985fb20cb7a723cb003c30a05ff561e2
    • SSDEEP: 3072:kzEqV6B1jHa6dtJ10jgvzcgi+oG/j9iaMP2s/HIzcFIzby5IzrLjrFV6so5KegrH:kLV6Bta6dtJmakIM5gzbzHv6s5egfgNa

  Target: Windows.exe
    • Size: 37KB
    • MD5: e32b6317db18f908fed313c010ea9b76
    • SHA1: 1b1ea1780aa6618c52f19ae3bc805078bd0accda
    • SHA256: 2834cad6fb2e22f7f73cbd74efe6cb35760eaf119caa4feab9b5a8c40fdccf0b
    • SHA512: 6798cd445c4578657f120bbdc7df44d26708b4c989cb0649b57632b71b8d5ae7dfbf3eca41c7ea78dd92ce33a7c34de5456084bd3249f15afd6e93caa204f40e
    • SSDEEP: 384:x4lZkitgZf5W9cTYXyc/SKlMA+zfz1nssIBNrAF+rMRTyN/0L+EcoinblneHQM3b:alyjjTYic/SKqZssIHrM+rMRa8NuOXt

    Score: 8/10
    • Modifies Windows Firewall
    • Drops startup file
    • Adds Run key to start application
    • Drops autorun.inf file
      Malware can abuse Windows Autorun to spread further via attached volumes.

MITRE ATT&CK Matrix (ATT&CK v6)

Initial Access
  • Replication Through Removable Media (T1091): 1

Persistence
  • Registry Run Keys / Startup Folder (T1060): 3
  • Modify Existing Service (T1031): 1

Defense Evasion
  • Modify Registry (T1112): 3

Discovery
  • Query Registry (T1012): 2
  • System Information Discovery (T1082): 4

Lateral Movement
  • Replication Through Removable Media (T1091): 1
