nanocore | 70a93613417666b6510d74c43274e63eaf29fa1e382abf8f21f4b011fbb07440 | Triage

Sharing

General

Target

4a1115d9a10e4c820fba3baa552e97bb50785a5f7d3fd1a0e72baa189855aa91.zip
Size

92KB
Sample

221010-tpbanscec4
MD5

af8b55fc3b2cdafaf121674c148388e2
SHA1

6b6da8ec50090b2e0ceb2f4a45cac078ca793c19
SHA256

70a93613417666b6510d74c43274e63eaf29fa1e382abf8f21f4b011fbb07440
SHA512

d261e3745e3aa742c234912d0cd6a49eeea01f6e02679d058f3b7fb695fddf35bb86a052d9e69da36bc8bf9ac4ded81e12646a1dfa3a61670b350237c7868a3a
SSDEEP

1536:+Af2BGqBYfm6QXQMyNkW5GTFItCrfSviPVIMSxRy5ReygF2nShgUAx+TubxPimbL:WtYfm6QXQMKk7TAAPVk2KonSaSTwxDL

Score

10^/10

nanocore evasion keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

ratagain.gleeze.com:5050

ratagainbk.gleeze.com:5050

Mutex

facea582-6bb8-4111-bf8c-c4bbbdd42ea8

Attributes

activate_away_mode
true
backup_connection_host
ratagainbk.gleeze.com
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2022-01-24T09:08:07.151828536Z
bypass_user_account_control
true
bypass_user_account_control_data
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
5050
default_group
April
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
facea582-6bb8-4111-bf8c-c4bbbdd42ea8
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
ratagain.gleeze.com
primary_dns_server
8.8.8.8
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
true
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Targets

- Target
  
  Shipment receipt.exe
- Size
  
  231KB
- MD5
  
  8af8789eac67de3b398fd91caad301c7
- SHA1
  
  46a834f5f2a07eefec376232b8785187c46bab5d
- SHA256
  
  0439c7d1f0b9dd75617a6cd78c086139feccd6a2eb91d43e3d09e6194f14bebd
- SHA512
  
  831f6d22a66a272cbe603d638a9e02685b587ce97ef7730f930c72a70f68a285afa005d090d950797bcb0c4fbb45d6a6f5401d29f7fd2037670086f656ffe7da
- SSDEEP
  
  3072:NW3q9x4CuQqhAp05FIGRnNadfS5AmqKnoeN:NmqvyhAp05FnNKmqKoe
Score

10^/10

nanocore evasion keylogger persistence spyware stealer trojan
- NanoCore
  NanoCore is a remote access tool (RAT) with a variety of capabilities.
  keylogger trojan stealer spyware nanocore
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Adds Run key to start application
  persistence
- Checks whether UAC is enabled
  evasion trojan
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Install Root Certificate

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

nanocoreevasionkeyloggerpersistencespywarestealertrojan

behavioral2

nanocoreevasionkeyloggerpersistencespywarestealertrojan