Overview

overview

10

Static

static

5

1ca85aac72...a5.exe

windows7-x64

10

1ca85aac72...a5.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    1ca85aac72a8f791f34e4c2f100ae6f41a067b8cb7b97d5a8f7f8090ceec53a5

  • Size

    1.0MB

  • Sample

    221011-sb5fxsbadq

  • MD5

    44e15865e8faf1d7cf63be6698efa0b0

  • SHA1

    221894e4d3c882b5d04df5b3fdb3efead3bf4925

  • SHA256

    1ca85aac72a8f791f34e4c2f100ae6f41a067b8cb7b97d5a8f7f8090ceec53a5

  • SHA512

    3beefa6fde825a57fabae832a41f55614254848a7d82e424fa42d683002c7a66feb488b2c8bf5d1803bef8a705bcaba18234a818b7e3e3e65dd4706bb74c0414

  • SSDEEP

    12288:Stb20Qc3lT7af41ePBRYuQLKpqeUhbTv5OFgNuPPpHSgaK6NSYFIDOB7lOSMO6A:Stb20pkaCqT5TBWgNQ7aKP+7lWO6A

Score
10/10
nanocorekeyloggerpersistencespywarestealertrojan

Malware Config

Extracted

Family

nanocore

Attributes
  • activate_away_mode

    false

  • backup_connection_host

  • backup_dns_server

  • buffer_size

    0

  • build_time

    0001-01-01T00:00:00Z

  • bypass_user_account_control

    false

  • bypass_user_account_control_data

  • clear_access_control

    false

  • clear_zone_identifier

    false

  • connect_delay

    0

  • connection_port

    0

  • default_group

  • enable_debug_mode

    false

  • gc_threshold

    0

  • keep_alive_timeout

    0

  • keyboard_logging

    false

  • lan_timeout

    0

  • max_packet_size

    0

  • mutex

  • mutex_timeout

    0

  • prevent_system_sleep

    false

  • primary_connection_host

  • primary_dns_server

  • request_elevation

    false

  • restart_delay

    0

  • run_delay

    0

  • run_on_startup

    false

  • set_critical_process

    false

  • timeout_interval

    0

  • use_custom_dns_server

    false

  • version

  • wan_timeout

    0

Targets

    • Target

      1ca85aac72a8f791f34e4c2f100ae6f41a067b8cb7b97d5a8f7f8090ceec53a5

    • Size

      1.0MB

    • MD5

      44e15865e8faf1d7cf63be6698efa0b0

    • SHA1

      221894e4d3c882b5d04df5b3fdb3efead3bf4925

    • SHA256

      1ca85aac72a8f791f34e4c2f100ae6f41a067b8cb7b97d5a8f7f8090ceec53a5

    • SHA512

      3beefa6fde825a57fabae832a41f55614254848a7d82e424fa42d683002c7a66feb488b2c8bf5d1803bef8a705bcaba18234a818b7e3e3e65dd4706bb74c0414

    • SSDEEP

      12288:Stb20Qc3lT7af41ePBRYuQLKpqeUhbTv5OFgNuPPpHSgaK6NSYFIDOB7lOSMO6A:Stb20pkaCqT5TBWgNQ7aKP+7lWO6A

    Score
    10/10
    nanocorekeyloggerpersistencespywarestealertrojan

    • NanoCore

      NanoCore is a remote access tool (RAT) with a variety of capabilities.

      keyloggertrojanstealerspywarenanocore

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Uses the VBS compiler for execution

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1
T1064

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Scripting

1
T1064

Modify Registry

1
T1112

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks