Overview

overview

10

Static

static

0d03652829...11.exe

windows7-x64

10

0d03652829...11.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    0d03652829a701d6f10fef4bef7d79bd0ef836357124014ab11abc8b82280411

  • Size

    510KB

  • Sample

    221126-p5fg4sdh49

  • MD5

    10392419cb97431d693712910d2bba7f

  • SHA1

    d1dac868123aaaeaa34bb9da78c6b7baa92ebe0f

  • SHA256

    0d03652829a701d6f10fef4bef7d79bd0ef836357124014ab11abc8b82280411

  • SHA512

    ea6ee002dbfde13cfe81575650ce9fec23c70712a85efa7faf41beb47b59dbaac2bcb161cc867460b2af6706de0838d78a7d7239ade6048929748c7663ac0751

  • SSDEEP

    12288:hHydEDWst7ygQ7SNfdGQ/2kIgfcXOy7lrJ6wSB:hSdEDW2pTp/2zgUz7ld6wo

Score
10/10
nanocoremicrosoftkeyloggerpersistencephishingspywarestealertrojan

Malware Config

Extracted

Family

nanocore

Version

1.2.1.1

C2

testalerlynch.ddns.net:18302

Mutex

e51f8f31-3ce4-4f7e-93d5-a814d67af600

Attributes
  • activate_away_mode

    true

  • backup_connection_host

  • backup_dns_server

  • buffer_size

    65535

  • build_time

    2014-10-23T20:57:58.875240636Z

  • bypass_user_account_control

    true

  • bypass_user_account_control_data

  • clear_access_control

    true

  • clear_zone_identifier

    false

  • connect_delay

    4000

  • connection_port

    18302

  • default_group

    Default

  • enable_debug_mode

    true

  • gc_threshold

    1.048576e+07

  • keep_alive_timeout

    30000

  • keyboard_logging

    false

  • lan_timeout

    2500

  • max_packet_size

    1.048576e+07

  • mutex

    e51f8f31-3ce4-4f7e-93d5-a814d67af600

  • mutex_timeout

    5000

  • prevent_system_sleep

    true

  • primary_connection_host

    testalerlynch.ddns.net

  • primary_dns_server

  • request_elevation

    true

  • restart_delay

    5000

  • run_delay

    0

  • run_on_startup

    true

  • set_critical_process

    true

  • timeout_interval

    5000

  • use_custom_dns_server

    false

  • version

    1.2.1.1

  • wan_timeout

    8000

Targets

    • Target

      0d03652829a701d6f10fef4bef7d79bd0ef836357124014ab11abc8b82280411

    • Size

      510KB

    • MD5

      10392419cb97431d693712910d2bba7f

    • SHA1

      d1dac868123aaaeaa34bb9da78c6b7baa92ebe0f

    • SHA256

      0d03652829a701d6f10fef4bef7d79bd0ef836357124014ab11abc8b82280411

    • SHA512

      ea6ee002dbfde13cfe81575650ce9fec23c70712a85efa7faf41beb47b59dbaac2bcb161cc867460b2af6706de0838d78a7d7239ade6048929748c7663ac0751

    • SSDEEP

      12288:hHydEDWst7ygQ7SNfdGQ/2kIgfcXOy7lrJ6wSB:hSdEDW2pTp/2zgUz7ld6wo

    Score
    10/10
    nanocorekeyloggerpersistencespywarestealertrojanmicrosoftphishing

    • NanoCore

      NanoCore is a remote access tool (RAT) with a variety of capabilities.

      keyloggertrojanstealerspywarenanocore

    • Executes dropped EXE

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Adds Run key to start application

      persistence

    • Detected potential entity reuse from brand microsoft.

      phishingmicrosoft

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v6

Tasks