General

  • Target

    AE432A5628BF4BFBB1AB7318541754CE516BD4E556A47.exe

  • Size

    574KB

  • Sample

    220919-k5la5shha7

  • MD5

    a5ed1a48da6d59988f13e7060a676b3f

  • SHA1

    a179448c0ee72865dc3bdf4e8b5e7a426c8e30b6

  • SHA256

    ae432a5628bf4bfbb1ab7318541754ce516bd4e556a479af75775ac981b5a392

  • SHA512

    2cfb183758eb5d07e7c8132b08ce1cce1fb7b05c70ac0c60c6d8385fffa10a3e5c8c92f70ae075747f89ef995e8b7030d0a2818ee1d1382f13c0e518283c8745

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

dbest2021.ddns.net:2021

Attributes
activate_away_mode
true
backup_connection_host
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2022-03-04T10:49:09.510976936Z
bypass_user_account_control
true
bypass_user_account_control_data
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
2021
default_group
Default
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
98469f35-3240-487d-84db-333cbc41b140
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
dbest2021.ddns.net
primary_dns_server
8.8.8.8
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
false
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Targets

    • Target

      AE432A5628BF4BFBB1AB7318541754CE516BD4E556A47.exe

    • Size

      574KB

    • MD5

      a5ed1a48da6d59988f13e7060a676b3f

    • SHA1

      a179448c0ee72865dc3bdf4e8b5e7a426c8e30b6

    • SHA256

      ae432a5628bf4bfbb1ab7318541754ce516bd4e556a479af75775ac981b5a392

    • SHA512

      2cfb183758eb5d07e7c8132b08ce1cce1fb7b05c70ac0c60c6d8385fffa10a3e5c8c92f70ae075747f89ef995e8b7030d0a2818ee1d1382f13c0e518283c8745

    • NanoCore

      NanoCore is a remote access tool (RAT) with a variety of capabilities.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix

Collection

    Command and Control

      Credential Access

        Defense Evasion

        Execution

          Exfiltration

            Impact

              Initial Access

                Lateral Movement

                  Privilege Escalation