nanocore | 6ed1dec3ae5496b6235fec6b539841c487f07c30e8f43bf0b16e1b72d4881957 | Triage

Sharing

General

Target

8124306752.zip
Size

344KB
Sample

221012-s9qqesaahl
MD5

55209c6bcd78bddfb927c2cb5f26c0d7
SHA1

1d281081afd3e5c026790aabcaeee0b6be1090de
SHA256

6ed1dec3ae5496b6235fec6b539841c487f07c30e8f43bf0b16e1b72d4881957
SHA512

e6b5e63b6a957704bab9b20402385a0bbd80d6c6b02071b13741084cee727ff893b4900aaf344ec52acccddaa1e3527e4a1d775e65bb77a98a64a63f7a207112
SSDEEP

6144:rp8MVMvvlPRr9UiR0brZ4dbKEpUr3p0Rq8xQiOu435sznaDsIUFzfgC:FrVMvv7bybrZ4uEpWpIqBiOVAnelUFzP

Score

10^/10

nanocore evasion keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

194.5.98.148:5050

Mutex

dcf8e560-2496-44cb-9ddb-90ff3f0546bf

Attributes

activate_away_mode
true
backup_connection_host
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2022-07-23T00:32:21.206554236Z
bypass_user_account_control
true
bypass_user_account_control_data
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
5050
default_group
wedding
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
dcf8e560-2496-44cb-9ddb-90ff3f0546bf
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
194.5.98.148
primary_dns_server
8.8.8.8
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
true
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Targets

- Target
  
  26a26eb8f02e73198e75453ca06445d45da4a11914011d545c7da0964323043b
- Size
  
  357KB
- MD5
  
  84c86b461afe2a2a02392beee58313e1
- SHA1
  
  f362a9be8a825e0940c18fe9139c2517f6728575
- SHA256
  
  26a26eb8f02e73198e75453ca06445d45da4a11914011d545c7da0964323043b
- SHA512
  
  f0486af628753ca2a5fe8cad4f8139a11604361764db9840c9171b266d22aff0a942a9c92d0a252e5dc81c7e1388d0fa17e0212b9e29f4a82e893d4a6490de33
- SSDEEP
  
  6144:HNeZmC8pMv7OibcWkF+MeXbYpBpMqEVv138KeHMk7mP/9so2UL0dNCjJfGLR0:HNljJERMyEpNEVvcgwdNCjtGS
Score

10^/10

nanocore evasion keylogger persistence spyware stealer trojan
- NanoCore
  NanoCore is a remote access tool (RAT) with a variety of capabilities.
  keylogger trojan stealer spyware nanocore
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Checks whether UAC is enabled
  evasion trojan
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

nanocoreevasionkeyloggerpersistencespywarestealertrojan

behavioral2

nanocoreevasionkeyloggerpersistencespywarestealertrojan