General

  • Target

    HSBC SWIFT 41248669000184OC694878.PDF.gz

  • Size

    565KB

  • Sample

    220927-f65zqadfhr

  • MD5

    ed52aadb93e7c26ddd7e462e9225aff4

  • SHA1

    4fe88600bcfad40bd3b8a565c91ddb16f04400a4

  • SHA256

    0a89ed3f835284abd7c63bafea149486c98a0f09f299cb1247d5a1e57919481f

  • SHA512

    550e49514c54da708b6594c04ee648cd02848df2174dab0c7e7623c08aa3ee408361c170f92b2a405c3c9eaa3d4bafa7cf5e2e5a327ad4c6dd5bd850fd066502

  • SSDEEP

    12288:qpjdmSnX6SwkD8+4WiQf15sBbLJrwtmhHNiLn5fvmVQ5:qnVnX/87Wiu15KNrw4BcLnZyQ5

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

tuk.linkpc.net:4726

Attributes
activate_away_mode
true
backup_connection_host
backup_dns_server
buffer_size
65535
build_time
2022-05-10T00:51:42.391456936Z
bypass_user_account_control
false
bypass_user_account_control_data
PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTE2Ij8+DQo8VGFzayB2ZXJzaW9uPSIxLjIiIHhtbG5zPSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dpbmRvd3MvMjAwNC8wMi9taXQvdGFzayI+DQogIDxSZWdpc3RyYXRpb25JbmZvIC8+DQogIDxUcmlnZ2VycyAvPg0KICA8UHJpbmNpcGFscz4NCiAgICA8UHJpbmNpcGFsIGlkPSJBdXRob3IiPg0KICAgICAgPExvZ29uVHlwZT5JbnRlcmFjdGl2ZVRva2VuPC9Mb2dvblR5cGU+DQogICAgICA8UnVuTGV2ZWw+SGlnaGVzdEF2YWlsYWJsZTwvUnVuTGV2ZWw+DQogICAgPC9QcmluY2lwYWw+DQogIDwvUHJpbmNpcGFscz4NCiAgPFNldHRpbmdzPg0KICAgIDxNdWx0aXBsZUluc3RhbmNlc1BvbGljeT5QYXJhbGxlbDwvTXVsdGlwbGVJbnN0YW5jZXNQb2xpY3k+DQogICAgPERpc2FsbG93U3RhcnRJZk9uQmF0dGVyaWVzPmZhbHNlPC9EaXNhbGxvd1N0YXJ0SWZPbkJhdHRlcmllcz4NCiAgICA8U3RvcElmR29pbmdPbkJhdHRlcmllcz5mYWxzZTwvU3RvcElmR29pbmdPbkJhdHRlcmllcz4NCiAgICA8QWxsb3dIYXJkVGVybWluYXRlPnRydWU8L0FsbG93SGFyZFRlcm1pbmF0ZT4NCiAgICA8U3RhcnRXaGVuQXZhaWxhYmxlPmZhbHNlPC9TdGFydFdoZW5BdmFpbGFibGU+DQogICAgPFJ1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+ZmFsc2U8L1J1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+DQogICAgPElkbGVTZXR0aW5ncz4NCiAgICAgIDxTdG9wT25JZGxlRW5kPmZhbHNlPC9TdG9wT25JZGxlRW5kPg0KICAgICAgPFJlc3RhcnRPbklkbGU+ZmFsc2U8L1Jlc3RhcnRPbklkbGU+DQogICAgPC9JZGxlU2V0dGluZ3M+DQogICAgPEFsbG93U3RhcnRPbkRlbWFuZD50cnVlPC9BbGxvd1N0YXJ0T25EZW1hbmQ+DQogICAgPEVuYWJsZWQ+dHJ1ZTwvRW5hYmxlZD4NCiAgICA8SGlkZGVuPmZhbHNlPC9IaWRkZW4+DQogICAgPFJ1bk9ubHlJZklkbGU+ZmFsc2U8L1J1bk9ubHlJZklkbGU+DQogICAgPFdha2VUb1J1bj5mYWxzZTwvV2FrZVRvUnVuPg0KICAgIDxFeGVjdXRpb25UaW1lTGltaXQ+UFQwUzwvRXhlY3V0aW9uVGltZUxpbWl0Pg0KICAgIDxQcmlvcml0eT40PC9Qcmlvcml0eT4NCiAgPC9TZXR0aW5ncz4NCiAgPEFjdGlvbnMgQ29udGV4dD0iQXV0aG9yIj4NCiAgICA8RXhlYz4NCiAgICAgIDxDb21tYW5kPiIjRVhFQ1VUQUJMRVBBVEgiPC9Db21tYW5kPg0KICAgICAgPEFyZ3VtZW50cz4kKEFyZzApPC9Bcmd1bWVudHM+DQogICAgPC9FeGVjPg0KICA8L0FjdGlvbnM+DQo8L1Rhc2s+
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
4726
default_group
Default
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
8a31290f-d587-43a1-8a5b-8b2e6c04b993
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
tuk.linkpc.net
primary_dns_server
tuk.linkpc.net
request_elevation
true
restart_delay
5000
run_delay
15
run_on_startup
true
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Targets

    • Target

      HSBC SWIFT 41248669000184OC694878.PDF.exe

    • Size

      634KB

    • MD5

      fa58dda61dfa6b714b6750a6a3bc7f0d

    • SHA1

      4e910890a32eeafb26c530eb7e6b9bf6f111b932

    • SHA256

      967789b06194bfbececcc59fb2c51a5eb6fad41992f49a18ef830fe2123c73c9

    • SHA512

      5470f049f3f41523fb9fc0271289e4a319b6157726bb51705a392ce5a8a712502705db8b67cf7741b1adb4ed64b56969635d2600d8542f0d0117f8b04f3b27bc

    • SSDEEP

      12288:X/aP7SnfIOYk94UaWSQNh5mPLv57CtgDHVgTZdfv8HmMM:X/aPunfJ4zWSih5kB7COLOTZdMmr

    • Guloader,Cloudeye

      A shellcode based downloader first seen in 2020.

    • NanoCore

      NanoCore is a remote access tool (RAT) with a variety of capabilities.

    • Checks QEMU agent file

      Checks presence of QEMU agent, possibly to detect virtualization.

    • Loads dropped DLL

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix

Collection

    Command and Control

      Credential Access

        Defense Evasion

        Execution

          Exfiltration

            Impact

              Initial Access

                Lateral Movement

                  Privilege Escalation

                    Tasks