nanocore

Sharing

Copy URL

Twitter E-mail

General

Target

b95f5f68948d08e06292fbda648e99b3d7d237e19cb4da03fc729fddd681d195
Size

828KB
Sample

220829-s7z63sbecq
MD5

712bbcf2b430254fb91797a2e073ef65
SHA1

6c3cc432b8e0771bc7e2623db20da649851784f0
SHA256

27c7f7085f284f4b576805160368c5e21d540545c55ec122e08a84f88f102a61
SHA512

a3117f1a4d3a14a70dbe78537cfa6f1d989e3b983014a9050a924586c3f3c127edbcde8a0861f7e014400a8e661c4031d23a767a1e37b4b46005204b894ec9b6
SSDEEP

24576:jmV8tApzVXMlwN+Gzo5r3evnJ+/liSnG88ky36mh:jmit0x5oGzJvnaioG1kyKmh

Score

10^/10

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

kasawulli845.ddns.net:5211

127.0.0.1:5211

Mutex

d4cfd040-7e1e-457d-bd2d-3dc785b0760c

Attributes

activate_away_mode
true
backup_connection_host
127.0.0.1
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2022-05-29T06:31:10.522487936Z
bypass_user_account_control
false
bypass_user_account_control_data
PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTE2Ij8+DQo8VGFzayB2ZXJzaW9uPSIxLjIiIHhtbG5zPSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dpbmRvd3MvMjAwNC8wMi9taXQvdGFzayI+DQogIDxSZWdpc3RyYXRpb25JbmZvIC8+DQogIDxUcmlnZ2VycyAvPg0KICA8UHJpbmNpcGFscz4NCiAgICA8UHJpbmNpcGFsIGlkPSJBdXRob3IiPg0KICAgICAgPExvZ29uVHlwZT5JbnRlcmFjdGl2ZVRva2VuPC9Mb2dvblR5cGU+DQogICAgICA8UnVuTGV2ZWw+SGlnaGVzdEF2YWlsYWJsZTwvUnVuTGV2ZWw+DQogICAgPC9QcmluY2lwYWw+DQogIDwvUHJpbmNpcGFscz4NCiAgPFNldHRpbmdzPg0KICAgIDxNdWx0aXBsZUluc3RhbmNlc1BvbGljeT5QYXJhbGxlbDwvTXVsdGlwbGVJbnN0YW5jZXNQb2xpY3k+DQogICAgPERpc2FsbG93U3RhcnRJZk9uQmF0dGVyaWVzPmZhbHNlPC9EaXNhbGxvd1N0YXJ0SWZPbkJhdHRlcmllcz4NCiAgICA8U3RvcElmR29pbmdPbkJhdHRlcmllcz5mYWxzZTwvU3RvcElmR29pbmdPbkJhdHRlcmllcz4NCiAgICA8QWxsb3dIYXJkVGVybWluYXRlPnRydWU8L0FsbG93SGFyZFRlcm1pbmF0ZT4NCiAgICA8U3RhcnRXaGVuQXZhaWxhYmxlPmZhbHNlPC9TdGFydFdoZW5BdmFpbGFibGU+DQogICAgPFJ1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+ZmFsc2U8L1J1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+DQogICAgPElkbGVTZXR0aW5ncz4NCiAgICAgIDxTdG9wT25JZGxlRW5kPmZhbHNlPC9TdG9wT25JZGxlRW5kPg0KICAgICAgPFJlc3RhcnRPbklkbGU+ZmFsc2U8L1Jlc3RhcnRPbklkbGU+DQogICAgPC9JZGxlU2V0dGluZ3M+DQogICAgPEFsbG93U3RhcnRPbkRlbWFuZD50cnVlPC9BbGxvd1N0YXJ0T25EZW1hbmQ+DQogICAgPEVuYWJsZWQ+dHJ1ZTwvRW5hYmxlZD4NCiAgICA8SGlkZGVuPmZhbHNlPC9IaWRkZW4+DQogICAgPFJ1bk9ubHlJZklkbGU+ZmFsc2U8L1J1bk9ubHlJZklkbGU+DQogICAgPFdha2VUb1J1bj5mYWxzZTwvV2FrZVRvUnVuPg0KICAgIDxFeGVjdXRpb25UaW1lTGltaXQ+UFQwUzwvRXhlY3V0aW9uVGltZUxpbWl0Pg0KICAgIDxQcmlvcml0eT40PC9Qcmlvcml0eT4NCiAgPC9TZXR0aW5ncz4NCiAgPEFjdGlvbnMgQ29udGV4dD0iQXV0aG9yIj4NCiAgICA8RXhlYz4NCiAgICAgIDxDb21tYW5kPiIjRVhFQ1VUQUJMRVBBVEgiPC9Db21tYW5kPg0KICAgICAgPEFyZ3VtZW50cz4kKEFyZzApPC9Bcmd1bWVudHM+DQogICAgPC9FeGVjPg0KICA8L0FjdGlvbnM+DQo8L1Rhc2s+
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
5211
default_group
AUGFILE
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
d4cfd040-7e1e-457d-bd2d-3dc785b0760c
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
kasawulli845.ddns.net
primary_dns_server
8.8.8.8
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
false
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Targets

- Target
  
  b95f5f68948d08e06292fbda648e99b3d7d237e19cb4da03fc729fddd681d195
- Size
  
  1007KB
- MD5
  
  33033d3ad58d7ea7014df1ed01f3a87d
- SHA1
  
  b5d523117a452b857706ce9829aaddbb3b041863
- SHA256
  
  b95f5f68948d08e06292fbda648e99b3d7d237e19cb4da03fc729fddd681d195
- SHA512
  
  54ceda6e975ebddf704bc93600cb10e3f05358857908b8fa1eb742efddd2a206683782c87462c80f14210c0c4402de6321a117b2356bfdfd662f3aef1567e450
- SSDEEP
  
  24576:4sI90AUjkXY+mzo3FLevRJSHl+4NG8okyNR:xSlmzJvRs+qG3kyn
Score

10^/10

nanocore collection evasion keylogger persistence spyware stealer trojan
- NanoCore
  NanoCore is a remote access tool (RAT) with a variety of capabilities.
  keylogger trojan stealer spyware nanocore
- NirSoft MailPassView
  Password recovery tool for various email clients
- Nirsoft
- Uses the VBS compiler for execution
- Accesses Microsoft Outlook accounts
  collection
- Adds Run key to start application
  persistence
- Checks whether UAC is enabled
  evasion trojan
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Scripting

T1064

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Scripting

T1064

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Email Collection

T1114

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

NirSoft MailPassView

Nirsoft

Uses the VBS compiler for execution

Accesses Microsoft Outlook accounts

Adds Run key to start application

Checks whether UAC is enabled

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks

static1

behavioral1

behavioral2