nanocore

Sharing

Copy URL

Twitter E-mail

General

Target

FOI.tar.gz
Size

974KB
Sample

220914-bn5h1shaa7
MD5

029a04db023634c4d11b154838f7e305
SHA1

3fa27e7df0b73d29b6a9a1bdb22b35f372ff2613
SHA256

ca346708475c9cb5a70d7f8e7dde8af2c55ddc174e345c059f2b04d160729f8f
SHA512

03a1694736b010830dec5e41fffe321b5166f7ccda9413b5f05bcca61b2a3dcc202a7c37ea42ae556894029d954dca53c921550c116c14042a718844bc9709af
SSDEEP

24576:yk6O581sXCzHKf+n7ZrDF2JSsFTBejiqrvA34Pnj:uOvXCzHKf+7FDF5sFhsvOcj

Score

10^/10

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

fji673mfa09zhvs.freemyip.com:3827

noan12.noanvaruncorekumar.cf:5525

varunbenchod221234.freemyip.com:7782

37.120.141.153:7782

waf901309oi.freemyip.com:4381

37.120.141.152:4381

nserv.anondns.net:54987

ouff.anondns.net:54987

nc.anondns.net:50951

asy.anondns.net:50951

Mutex

cf839a08-a0b5-4da0-a9fa-57a034794011

Attributes

activate_away_mode
false
backup_connection_host
fji673mfa09zhvs.freemyip.com
backup_dns_server
buffer_size
65535
build_time
2022-02-26T18:03:16.268154636Z
bypass_user_account_control
false
bypass_user_account_control_data
PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTE2Ij8+DQo8VGFzayB2ZXJzaW9uPSIxLjIiIHhtbG5zPSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dpbmRvd3MvMjAwNC8wMi9taXQvdGFzayI+DQogIDxSZWdpc3RyYXRpb25JbmZvIC8+DQogIDxUcmlnZ2VycyAvPg0KICA8UHJpbmNpcGFscz4NCiAgICA8UHJpbmNpcGFsIGlkPSJBdXRob3IiPg0KICAgICAgPExvZ29uVHlwZT5JbnRlcmFjdGl2ZVRva2VuPC9Mb2dvblR5cGU+DQogICAgICA8UnVuTGV2ZWw+SGlnaGVzdEF2YWlsYWJsZTwvUnVuTGV2ZWw+DQogICAgPC9QcmluY2lwYWw+DQogIDwvUHJpbmNpcGFscz4NCiAgPFNldHRpbmdzPg0KICAgIDxNdWx0aXBsZUluc3RhbmNlc1BvbGljeT5QYXJhbGxlbDwvTXVsdGlwbGVJbnN0YW5jZXNQb2xpY3k+DQogICAgPERpc2FsbG93U3RhcnRJZk9uQmF0dGVyaWVzPmZhbHNlPC9EaXNhbGxvd1N0YXJ0SWZPbkJhdHRlcmllcz4NCiAgICA8U3RvcElmR29pbmdPbkJhdHRlcmllcz5mYWxzZTwvU3RvcElmR29pbmdPbkJhdHRlcmllcz4NCiAgICA8QWxsb3dIYXJkVGVybWluYXRlPnRydWU8L0FsbG93SGFyZFRlcm1pbmF0ZT4NCiAgICA8U3RhcnRXaGVuQXZhaWxhYmxlPmZhbHNlPC9TdGFydFdoZW5BdmFpbGFibGU+DQogICAgPFJ1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+ZmFsc2U8L1J1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+DQogICAgPElkbGVTZXR0aW5ncz4NCiAgICAgIDxTdG9wT25JZGxlRW5kPmZhbHNlPC9TdG9wT25JZGxlRW5kPg0KICAgICAgPFJlc3RhcnRPbklkbGU+ZmFsc2U8L1Jlc3RhcnRPbklkbGU+DQogICAgPC9JZGxlU2V0dGluZ3M+DQogICAgPEFsbG93U3RhcnRPbkRlbWFuZD50cnVlPC9BbGxvd1N0YXJ0T25EZW1hbmQ+DQogICAgPEVuYWJsZWQ+dHJ1ZTwvRW5hYmxlZD4NCiAgICA8SGlkZGVuPmZhbHNlPC9IaWRkZW4+DQogICAgPFJ1bk9ubHlJZklkbGU+ZmFsc2U8L1J1bk9ubHlJZklkbGU+DQogICAgPFdha2VUb1J1bj5mYWxzZTwvV2FrZVRvUnVuPg0KICAgIDxFeGVjdXRpb25UaW1lTGltaXQ+UFQwUzwvRXhlY3V0aW9uVGltZUxpbWl0Pg0KICAgIDxQcmlvcml0eT40PC9Qcmlvcml0eT4NCiAgPC9TZXR0aW5ncz4NCiAgPEFjdGlvbnMgQ29udGV4dD0iQXV0aG9yIj4NCiAgICA8RXhlYz4NCiAgICAgIDxDb21tYW5kPiIjRVhFQ1VUQUJMRVBBVEgiPC9Db21tYW5kPg0KICAgICAgPEFyZ3VtZW50cz4kKEFyZzApPC9Bcmd1bWVudHM+DQogICAgPC9FeGVjPg0KICA8L0FjdGlvbnM+DQo8L1Rhc2s+
clear_access_control
false
clear_zone_identifier
false
connect_delay
4000
connection_port
3827
default_group
----------------------
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
cf839a08-a0b5-4da0-a9fa-57a034794011
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
fji673mfa09zhvs.freemyip.com
primary_dns_server
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
false
set_critical_process
false
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Targets

- Target
  
  FOI/Win10Update.exe
- Size
  
  203KB
- MD5
  
  2c0e6eec7a917aa21127d4ae6564e7f4
- SHA1
  
  fd8dddce32bd1ed6ae9f7273e40660eee3d8f7b3
- SHA256
  
  1daacc43fda4e27bde15a2316edaf6073c7cdbd0d0c23e2ad315345329d062d0
- SHA512
  
  de87a4d1fdb3697805545569cfde58a4188dd6cb2fbef67633bb59a6e001df136ba9f2e675eb6e5fc7651d2bdd1aa6a2f5bfad2a39ae89225768043c352bc41e
- SSDEEP
  
  3072:OzEqV6B1jHa6dtJ10jgvzcgi+oG/j9iaMP2s/HIoR6l9e5YBFUS68fnSpbcsN3KW:OLV6Bta6dtJmakIM5Gi2H5fni/MuQfq
Score

10^/10

nanocore evasion keylogger persistence spyware stealer trojan
- NanoCore
  NanoCore is a remote access tool (RAT) with a variety of capabilities.
  keylogger trojan stealer spyware nanocore
- Adds Run key to start application
  persistence
- Checks whether UAC is enabled
  evasion trojan
behavioral1 behavioral2
- Target
  
  FOI/WindowsDefender.exe
- Size
  
  202KB
- MD5
  
  23529193e7df08237d9918ef7ffa06ce
- SHA1
  
  8d674367585bc549d87bad1842d13e806ace5c46
- SHA256
  
  d3206e019dbd990c4debeee6e791ef240c3988910b9b628050dfd773ce8f0739
- SHA512
  
  75b36d8f798211b4bef5d5fcd98a799921049e9bbe2f1dfa6be5c30608f71ec93be2de1c66b37e627bff6f22fe8187ae6a20a486daf13b2231117b160043685c
- SSDEEP
  
  3072:wzEqV6B1jHa6dtJ10jgvzcgi+oG/j9iaMP2s/HIa0N2B5VEF7D0tyI+AQ10bJG0:wLV6Bta6dtJmakIM5I0BMB6V+AQ1+JX
Score

10^/10

nanocore evasion keylogger persistence spyware stealer trojan
- NanoCore
  NanoCore is a remote access tool (RAT) with a variety of capabilities.
  keylogger trojan stealer spyware nanocore
- Adds Run key to start application
  persistence
- Checks whether UAC is enabled
  evasion trojan
behavioral3 behavioral4
- Target
  
  FOI/diagsvc.exe
- Size
  
  203KB
- MD5
  
  db33a945f9bf4d3b2956daf62408ce8d
- SHA1
  
  bedf9e62f76578a7f51afcaf0ce9d822f62d6735
- SHA256
  
  9dece137d410f58d20c11d720c6a761020ee57016a5e4cb9dfae106f22d51c85
- SHA512
  
  88ff29c3de597c272549d827eb94d0c06b8f5ce87408cc4a10bdda7e76b2492b0fbb623d4f3dd5834f20694343d01e8857c496cdb7e894cae8b166693c3e015d
- SSDEEP
  
  3072:MzEqV6B1jHa6dtJ10jgvzcgi+oG/j9iaMP2s/HIrJdWu5Z6ZhkSyZL1wja73As3K:MLV6Bta6dtJmakIM5a5eGvwjDs/fCsU5
Score

10^/10

nanocore evasion keylogger persistence spyware stealer trojan
- NanoCore
  NanoCore is a remote access tool (RAT) with a variety of capabilities.
  keylogger trojan stealer spyware nanocore
- Adds Run key to start application
  persistence
- Checks whether UAC is enabled
  evasion trojan
behavioral5 behavioral6
- Target
  
  FOI/duggan123.exe
- Size
  
  203KB
- MD5
  
  ab7edb633a1922984791a268984beb97
- SHA1
  
  add0328e7f0db7158b5050f4c38724e699f5f638
- SHA256
  
  eb1ce1b8311231a2e92d9f1caee3cc9672ce8f434a8c004e43548ecbd8825bc5
- SHA512
  
  4839a5cb53481b9b589e543584919858cd1aca3a339f35fbdba479c26e525d180e4b62fe5c7248b8f90eb1cc5deb66be84e0890191eefe8138ac0eb21872011e
- SSDEEP
  
  3072:uzEqV6B1jHa6dtJ10jgvzcgi+oG/j9iaMP2s/HIyTUHnWi8DnkE/pnQD/2uDEm+0:uLV6Bta6dtJmakIM5boSDnkEuCuI1Xu
Score

10^/10

nanocore evasion keylogger persistence spyware stealer trojan
- NanoCore
  NanoCore is a remote access tool (RAT) with a variety of capabilities.
  keylogger trojan stealer spyware nanocore
- Adds Run key to start application
  persistence
- Checks whether UAC is enabled
  evasion trojan
behavioral7 behavioral8
- Target
  
  FOI/imapsv.exe
- Size
  
  203KB
- MD5
  
  5d55fcab603a4d98fe8b0bdff27fc7e4
- SHA1
  
  6ccf3458ae414dd136ccc22e8cfd9497b73e624c
- SHA256
  
  80cbb1f3837b4736acdb6df2aebc415d847f649937613802511a8307556d0f58
- SHA512
  
  30e11dc93cc7167158592e1af09811ba6d8c72beadcd3252d2f2b748f51bcfd653b67e5444d12deb3f811f4c404fe6ed95e39122a079444766782b70daa10e3e
- SSDEEP
  
  6144:SLV6Bta6dtJmakIM5+SxxV2Pvj3Y+w5A:SLV6Btpmkg2PvT
Score

10^/10

nanocore evasion keylogger persistence spyware stealer trojan
- NanoCore
  NanoCore is a remote access tool (RAT) with a variety of capabilities.
  keylogger trojan stealer spyware nanocore
- Adds Run key to start application
  persistence
- Checks whether UAC is enabled
  evasion trojan
behavioral9 behavioral10
- Target
  
  FOI/sdiagnhost.exe
- Size
  
  210KB
- MD5
  
  9f9f4aac7e44028bace0030dafc0f847
- SHA1
  
  894fc0c296d277020050ca31e6e928410d18337a
- SHA256
  
  7de2be3dd820e996acb9dc3a2cb71b149a385efa74602f82c0f0d64c89de550c
- SHA512
  
  4ca5ee9939eb005145022d680d0a7948a4d9246393ff9ddd906db9c79d36e51df76b22a6eeb91df121ccb012ec864a26d8f3e3b287e0985421e4b42ef8b20729
- SSDEEP
  
  6144:MLV6Bta6dtJmakIM5QBGVW+qZgB6TX7PihC2h:MLV6Btpmkfkf+z74Lh
Score

10^/10

nanocore evasion keylogger persistence spyware stealer trojan
- NanoCore
  NanoCore is a remote access tool (RAT) with a variety of capabilities.
  keylogger trojan stealer spyware nanocore
- Adds Run key to start application
  persistence
- Checks whether UAC is enabled
  evasion trojan
behavioral11 behavioral12
- Target
  
  FOI/stordiag.exe
- Size
  
  32KB
- MD5
  
  d3815ad86347cbb32de4416acb943eff
- SHA1
  
  4018a5deb3d61c8c4827b76425db5cffad2c9e80
- SHA256
  
  e7326f64bdf74f18d75644f325b3d076db50eafdbfdb74c0fe97e7341ee23287
- SHA512
  
  fe055198123b1fd86218cd5887290410962a92845060d85394ebdb84fb181f8e90ac17629ad39b14bd83ad5bb30cbe59d1066c6c8de9eb9d07d0d2ef5cdbf7ce
- SSDEEP
  
  768:vf7w9Dhxw9dParwnBwatRkw3ccrfLvWr:sCjysiajkw3cafDWr
Score

8^/10

evasion persistence
- Executes dropped EXE
- Modifies Windows Firewall
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
  persistence
behavioral13 behavioral14

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Modify Existing Service

T1031

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Adds Run key to start application

Checks whether UAC is enabled

NanoCore

Adds Run key to start application

Checks whether UAC is enabled

NanoCore

Adds Run key to start application

Checks whether UAC is enabled

NanoCore

Adds Run key to start application

Checks whether UAC is enabled

NanoCore

Adds Run key to start application

Checks whether UAC is enabled

NanoCore

Adds Run key to start application

Checks whether UAC is enabled

Executes dropped EXE

Modifies Windows Firewall

Checks computer location settings

Drops startup file

Loads dropped DLL

Adds Run key to start application

MITRE ATT&CK Matrix ATT&CK v6

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10

behavioral11

behavioral12

behavioral13

behavioral14