General

  • Target

    Payment Invoice.exe

  • Size

    875KB

  • Sample

    220919-tdcpcsffc7

  • MD5

    2a7f904046d84e1e7357e1e2a25c4d6a

  • SHA1

    21295c64773194b68011c56239d2f2eaff1bad84

  • SHA256

    5dd503490af8829d84dcf61f1b829b3a26eb0f9fdf807b49d9b606cd6e2ff974

  • SHA512

    5c9e981427fc57aa40a6742fe21bf79b7f84ffaf032a9905d32c960b24566a64ad32753c2688e04221bbe4f4d7016df03e5c25340a3245cea1cb1d3b4d29ff81

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

story.servepics.com:22

85.31.46.207:22

Attributes
activate_away_mode
true
backup_connection_host
85.31.46.207
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2022-07-01T16:11:50.181051836Z
bypass_user_account_control
true
bypass_user_account_control_data
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
22
default_group
Blessed
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
cd820fe9-0080-4a6b-9ac2-42543933ee09
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
story.servepics.com
primary_dns_server
8.8.8.8
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
true
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Targets

    • Target

      Payment Invoice.exe

    • Size

      875KB

    • MD5

      2a7f904046d84e1e7357e1e2a25c4d6a

    • SHA1

      21295c64773194b68011c56239d2f2eaff1bad84

    • SHA256

      5dd503490af8829d84dcf61f1b829b3a26eb0f9fdf807b49d9b606cd6e2ff974

    • SHA512

      5c9e981427fc57aa40a6742fe21bf79b7f84ffaf032a9905d32c960b24566a64ad32753c2688e04221bbe4f4d7016df03e5c25340a3245cea1cb1d3b4d29ff81

    • NanoCore

      NanoCore is a remote access tool (RAT) with a variety of capabilities.

    • NirSoft MailPassView

      Password recovery tool for various email clients

    • Nirsoft

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Uses the VBS compiler for execution

    • Accesses Microsoft Outlook accounts

    • Checks whether UAC is enabled

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix

Collection

Command and Control

    Credential Access

      Defense Evasion

      Execution

        Exfiltration

          Impact

            Initial Access

              Lateral Movement

                Persistence

                Privilege Escalation