nanocore | 8abb16cc2bd1fd7d238c641d0a738a4c06443f1fc681220b82d5d0b3349d16fe | Triage

Sharing

General

Target

t2h4k6l2m8_PAYMENT.exe.7z
Size

397KB
Sample

220915-xt5xmahfal
MD5

635c81d69365466d0f4c4b0156d0dd7e
SHA1

eae86033e08d27e6255c856a4def7bb7397285c2
SHA256

8abb16cc2bd1fd7d238c641d0a738a4c06443f1fc681220b82d5d0b3349d16fe
SHA512

73e52ede2c09b047138f1383b4e42d3d53201a50432c493b8f772d1f0c971757d3a58f2664c8dada6e6be8f4d075bd78b05e484c66693cc6b890ea0bf328bfab
SSDEEP

12288:jmkZ18o8M5F2gK6s3Z5bsc/UA/uan2ukJHYTFp0q38:jmkZ1BD5ED71F/vuan2uyYTEa8

Score

10^/10

nanocore evasion keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

omaprilcode.duckdns.org:8090

Mutex

f8dffc54-5ec5-4013-9de8-d8d853682f44

Attributes

activate_away_mode
true
backup_connection_host
omaprilcode.duckdns.org
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2021-01-26T15:04:24.913843336Z
bypass_user_account_control
true
bypass_user_account_control_data
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
8090
default_group
CODEDBASE
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
f8dffc54-5ec5-4013-9de8-d8d853682f44
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
omaprilcode.duckdns.org
primary_dns_server
8.8.8.8
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
true
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Targets

- Target
  
  t2h4k6l2m8_PAYMENT.exe
- Size
  
  3.7MB
- MD5
  
  798bb67d84ef291e5462e63a3e7ac280
- SHA1
  
  21c217f0142b6b04ef954c910f1018a65b1f1f42
- SHA256
  
  476ec2e1e154427dd5c174d02d8d3303933a6387b4f7217641468ae057a06257
- SHA512
  
  ad1997eae69f4264e6be9072523d6aae488ec8b266d573646388eee32a4f55deffdee518afbcaa48e2443125cb34aac7d08b44d9190da07a841da1752dcf7e53
- SSDEEP
  
  6144:84JzIARifSD+KsmBX6lJxxfiWCF352uOGJcxEbT7Bkj/aUqQEtFIDa2dQpwD4clD:8r
Score

10^/10

evasion persistence trojan nanocore keylogger spyware stealer
- NanoCore
  NanoCore is a remote access tool (RAT) with a variety of capabilities.
  keylogger trojan stealer spyware nanocore
- Windows security bypass
  evasion trojan
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Windows security modification
  evasion trojan
- Adds Run key to start application
  persistence
- Checks whether UAC is enabled
  evasion trojan
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Disabling Security Tools

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

evasionpersistencetrojan

behavioral2

nanocoreevasionkeyloggerpersistencespywarestealertrojan