General

  • Target

    59B3453FDAAE52815822C89DF9595A8E54CBD22BCEFB7.exe

  • Size

    557KB

  • Sample

    221023-yx89wscdcm

  • MD5

    263a986b3341f186b7edde253915c8c8

  • SHA1

    8711abc4850708f609b47519489e9ec670bc53cf

  • SHA256

    59b3453fdaae52815822c89df9595a8e54cbd22bcefb75be3aae1b5c4d88df26

  • SHA512

    9990051333eaecb7564242266e8e43d92c53da239a0140ad865691a34bcb077fe7ee74e5ff45d207b7bb6f654d1dec7caef384e5958f6512e63710381f22b37a

  • SSDEEP

    12288:FrnpkjfuS8KEqUzx5ZxeSu7hvj4HkFTSm5LglIBF3X3um:JpkTuSCqUbA71jUkFDL5BF3X3V

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

microsoft1337.ddns.net:1447

41.216.183.49:1447

Mutex

937bb3d2-5fda-473f-a587-a19ec5938661

Attributes
  • activate_away_mode

    true

  • backup_connection_host

    41.216.183.49

  • backup_dns_server

    8.8.4.4

  • buffer_size

    65535

  • build_time

    2022-07-30T21:53:43.883522036Z

  • bypass_user_account_control

    true

  • bypass_user_account_control_data

  • clear_access_control

    true

  • clear_zone_identifier

    false

  • connect_delay

    4000

  • connection_port

    1447

  • default_group

    Default

  • enable_debug_mode

    true

  • gc_threshold

    1.048576e+07

  • keep_alive_timeout

    30000

  • keyboard_logging

    false

  • lan_timeout

    2500

  • max_packet_size

    1.048576e+07

  • mutex

    937bb3d2-5fda-473f-a587-a19ec5938661

  • mutex_timeout

    5000

  • prevent_system_sleep

    false

  • primary_connection_host

    microsoft1337.ddns.net

  • primary_dns_server

    8.8.8.8

  • request_elevation

    true

  • restart_delay

    5000

  • run_delay

    0

  • run_on_startup

    false

  • set_critical_process

    true

  • timeout_interval

    5000

  • use_custom_dns_server

    false

  • version

    1.2.2.0

  • wan_timeout

    8000

Targets

    • Target

      59B3453FDAAE52815822C89DF9595A8E54CBD22BCEFB7.exe

    • Size

      557KB

    • MD5

      263a986b3341f186b7edde253915c8c8

    • SHA1

      8711abc4850708f609b47519489e9ec670bc53cf

    • SHA256

      59b3453fdaae52815822c89df9595a8e54cbd22bcefb75be3aae1b5c4d88df26

    • SHA512

      9990051333eaecb7564242266e8e43d92c53da239a0140ad865691a34bcb077fe7ee74e5ff45d207b7bb6f654d1dec7caef384e5958f6512e63710381f22b37a

    • SSDEEP

      12288:FrnpkjfuS8KEqUzx5ZxeSu7hvj4HkFTSm5LglIBF3X3um:JpkTuSCqUbA71jUkFDL5BF3X3V

    • NanoCore

      NanoCore is a remote access tool (RAT) with a variety of capabilities.

    • Executes dropped EXE

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v6

Tasks