Malware Analysis Report

2025-08-05 14:34

Sample ID: 221127-ajf47afa56
Target: 33cff81b60c20bfcee9dae89fc20d04357f483603438d192d2f39a93630caead
SHA256: 33cff81b60c20bfcee9dae89fc20d04357f483603438d192d2f39a93630caead
Tags: nanocore evasion keylogger spyware stealer trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V6
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10

SHA256: 33cff81b60c20bfcee9dae89fc20d04357f483603438d192d2f39a93630caead

Threat Level: Known bad

The file 33cff81b60c20bfcee9dae89fc20d04357f483603438d192d2f39a93630caead was found to be: Known bad.

Malicious Activity Summary

nanocore evasion keylogger spyware stealer trojan

Nanocore family

NanoCore

Checks whether UAC is enabled

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2022-11-27 00:14

Signatures

Nanocore family

nanocore

Analysis: behavioral1

Detonation Overview

Submitted: 2022-11-27 00:14
Reported: 2022-11-27 17:56
Platform: win7-20220812-en
Max time kernel: 148s
Max time network: 153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\33cff81b60c20bfcee9dae89fc20d04357f483603438d192d2f39a93630caead.exe"

Signatures

NanoCore

keylogger trojan stealer spyware nanocore

Checks whether UAC is enabled

evasion trojan
Description: Key value queried
Indicator:   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
Process:     C:\Users\Admin\AppData\Local\Temp\33cff81b60c20bfcee9dae89fc20d04357f483603438d192d2f39a93630caead.exe
Target:      N/A

Suspicious behavior: GetForegroundWindowSpam

Description: N/A
Indicator:   N/A
Process:     C:\Users\Admin\AppData\Local\Temp\33cff81b60c20bfcee9dae89fc20d04357f483603438d192d2f39a93630caead.exe
Target:      N/A

Suspicious use of AdjustPrivilegeToken

Description: Token: SeDebugPrivilege
Indicator:   N/A
Process:     C:\Users\Admin\AppData\Local\Temp\33cff81b60c20bfcee9dae89fc20d04357f483603438d192d2f39a93630caead.exe
Target:      N/A

Processes

C:\Users\Admin\AppData\Local\Temp\33cff81b60c20bfcee9dae89fc20d04357f483603438d192d2f39a93630caead.exe

"C:\Users\Admin\AppData\Local\Temp\33cff81b60c20bfcee9dae89fc20d04357f483603438d192d2f39a93630caead.exe"

Network

Country  Destination      Domain                     Proto
N/A      8.8.8.8:53       470347.ignorelist.com      udp
N/A      127.0.0.2:63781  -                          tcp
N/A      8.8.8.8:53       470347.ignorelist.com      udp
N/A      127.0.0.2:63781  -                          tcp
N/A      8.8.8.8:53       470347.ignorelist.com      udp
N/A      127.0.0.2:63781  -                          tcp
N/A      8.8.8.8:53       facebook32.ignorelist.com  udp
N/A      127.0.0.2:63781  -                          tcp
N/A      8.8.8.8:53       facebook32.ignorelist.com  udp
N/A      127.0.0.2:63781  -                          tcp
N/A      8.8.8.8:53       facebook32.ignorelist.com  udp
N/A      127.0.0.2:63781  -                          tcp
N/A      8.8.8.8:53       470347.ignorelist.com      udp
N/A      127.0.0.2:63781  -                          tcp
N/A      8.8.8.8:53       470347.ignorelist.com      udp
N/A      127.0.0.2:63781  -                          tcp
N/A      8.8.8.8:53       470347.ignorelist.com      udp
N/A      127.0.0.2:63781  -                          tcp
N/A      8.8.8.8:53       facebook32.ignorelist.com  udp
N/A      127.0.0.2:63781  -                          tcp
N/A      8.8.8.8:53       facebook32.ignorelist.com  udp
N/A      127.0.0.2:63781  -                          tcp
N/A      8.8.8.8:53       facebook32.ignorelist.com  udp
N/A      127.0.0.2:63781  -                          tcp
N/A      8.8.8.8:53       470347.ignorelist.com      udp
N/A      127.0.0.2:63781  -                          tcp
N/A      8.8.8.8:53       470347.ignorelist.com      udp
N/A      127.0.0.2:63781  -                          tcp
N/A      8.8.8.8:53       470347.ignorelist.com      udp
N/A      127.0.0.2:63781  -                          tcp
N/A      8.8.8.8:53       facebook32.ignorelist.com  udp
N/A      127.0.0.2:63781  -                          tcp
N/A      8.8.8.8:53       facebook32.ignorelist.com  udp
N/A      127.0.0.2:63781  -                          tcp
N/A      8.8.8.8:53       facebook32.ignorelist.com  udp
N/A      127.0.0.2:63781  -                          tcp
N/A      8.8.8.8:53       470347.ignorelist.com      udp
N/A      127.0.0.2:63781  -                          tcp

Files

memory/1672-54-0x0000000075BD1000-0x0000000075BD3000-memory.dmp

memory/1672-55-0x00000000744F0000-0x0000000074A9B000-memory.dmp

memory/1672-56-0x00000000744F0000-0x0000000074A9B000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2022-11-27 00:14
Reported: 2022-11-27 17:56
Platform: win10v2004-20220812-en
Max time kernel: 151s
Max time network: 158s

Command Line

"C:\Users\Admin\AppData\Local\Temp\33cff81b60c20bfcee9dae89fc20d04357f483603438d192d2f39a93630caead.exe"

Signatures

NanoCore

keylogger trojan stealer spyware nanocore

Checks whether UAC is enabled

evasion trojan
Description: Key value queried
Indicator:   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
Process:     C:\Users\Admin\AppData\Local\Temp\33cff81b60c20bfcee9dae89fc20d04357f483603438d192d2f39a93630caead.exe
Target:      N/A

Suspicious behavior: GetForegroundWindowSpam

Description: N/A
Indicator:   N/A
Process:     C:\Users\Admin\AppData\Local\Temp\33cff81b60c20bfcee9dae89fc20d04357f483603438d192d2f39a93630caead.exe
Target:      N/A

Suspicious use of AdjustPrivilegeToken

Description: Token: SeDebugPrivilege
Indicator:   N/A
Process:     C:\Users\Admin\AppData\Local\Temp\33cff81b60c20bfcee9dae89fc20d04357f483603438d192d2f39a93630caead.exe
Target:      N/A
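The three generic signatures that fire in both runs (the EnableLUA read, SeDebugPrivilege being enabled through AdjustTokenPrivileges, and the GetForegroundWindow polling) are each a simple rule over a process's API trace. The following is an added example, not code from the report or from the sandbox's own rule set: it re-derives those three rules over a constructed trace. The trace format (pid, API name, argument dict), the pids, and the GetForegroundWindow threshold are assumptions made for this example.

```python
"""Re-derive the report's three generic behaviour signatures from an API trace.

Added example, not part of the sandbox report or the sandbox's own rule set.
The trace format (pid, api, args) and the GetForegroundWindow threshold are
assumptions made for this example.
"""
from typing import Dict, List, Tuple

Call = Tuple[int, str, dict]

UAC_POLICY_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
# A UI-polling keylogger calls GetForegroundWindow continuously; a benign
# process calls it a handful of times. The cut-off is an assumption.
FOREGROUND_SPAM_THRESHOLD = 100

# Constructed trace in the spirit of a sandbox API log (not taken from the
# report): pid 1672 mimics the sample's behaviour, pid 4040 is a benign
# process that only checks whether UAC is on, as an installer would.
TRACE: List[Call] = (
    [
        (1672, "OpenProcessToken", {"desired_access": "TOKEN_ADJUST_PRIVILEGES"}),
        (1672, "LookupPrivilegeValueW", {"name": "SeDebugPrivilege"}),
        (1672, "AdjustTokenPrivileges",
         {"privileges": ["SeDebugPrivilege"], "disable_all": False}),
        (1672, "RegOpenKeyExW", {"key": UAC_POLICY_KEY}),
        (1672, "RegQueryValueExW", {"key": UAC_POLICY_KEY, "value": "EnableLUA"}),
    ]
    + [(1672, "GetForegroundWindow", {})] * 250
    + [(4040, "RegQueryValueExW", {"key": UAC_POLICY_KEY, "value": "EnableLUA"})]
    + [(4040, "GetForegroundWindow", {})] * 5
)


def checks_uac(trace: List[Call], pid: int) -> bool:
    """'Checks whether UAC is enabled': a read of ...\\Policies\\System\\EnableLUA."""
    return any(
        p == pid
        and api == "RegQueryValueExW"
        and args.get("key", "").lower() == UAC_POLICY_KEY.lower()
        and args.get("value", "").lower() == "enablelua"
        for p, api, args in trace
    )


def adjusts_debug_privilege(trace: List[Call], pid: int) -> bool:
    """'Suspicious use of AdjustPrivilegeToken': SeDebugPrivilege being enabled."""
    return any(
        p == pid
        and api == "AdjustTokenPrivileges"
        and not args.get("disable_all", False)
        and "SeDebugPrivilege" in args.get("privileges", [])
        for p, api, args in trace
    )


def foreground_window_spam(trace: List[Call], pid: int,
                           threshold: int = FOREGROUND_SPAM_THRESHOLD) -> bool:
    """'Suspicious behavior: GetForegroundWindowSpam': call count over threshold."""
    calls = sum(1 for p, api, _ in trace if p == pid and api == "GetForegroundWindow")
    return calls >= threshold


SIGNATURES = [
    ("Checks whether UAC is enabled", checks_uac),
    ("Suspicious use of AdjustPrivilegeToken", adjusts_debug_privilege),
    ("Suspicious behavior: GetForegroundWindowSpam", foreground_window_spam),
]


def evaluate(trace: List[Call]) -> Dict[int, List[str]]:
    """Map every pid in the trace to the signature names that fire for it."""
    return {
        pid: [name for name, rule in SIGNATURES if rule(trace, pid)]
        for pid in sorted({p for p, _, _ in trace})
    }


if __name__ == "__main__":
    for pid, fired in evaluate(TRACE).items():
        print(pid, fired or ["<no generic signature>"])
```

Running it shows the point a triage analyst should keep in mind when reading this report: pid 1672 fires all three rules, but the benign pid 4040 still fires "Checks whether UAC is enabled", because reading EnableLUA is exactly what an installer does before deciding whether to prompt for elevation. The generic signatures are corroboration; the 10/10 score rests on the NanoCore family match together with the combination of behaviours, not on any one of them.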

Processes

C:\Users\Admin\AppData\Local\Temp\33cff81b60c20bfcee9dae89fc20d04357f483603438d192d2f39a93630caead.exe

"C:\Users\Admin\AppData\Local\Temp\33cff81b60c20bfcee9dae89fc20d04357f483603438d192d2f39a93630caead.exe"

Network

Country  Destination         Domain                     Proto
N/A      72.21.91.29:80      -                          tcp
N/A      67.26.105.254:80    -                          tcp
N/A      20.54.89.106:443    -                          tcp
N/A      209.197.3.8:80      -                          tcp
N/A      8.8.8.8:53          470347.ignorelist.com      udp
N/A      127.0.0.2:63781     -                          tcp
N/A      8.8.8.8:53          176.122.125.40.in-addr.arpa  udp
N/A      8.8.8.8:53          470347.ignorelist.com      udp
N/A      127.0.0.2:63781     -                          tcp
N/A      104.46.162.224:443  -                          tcp
N/A      93.184.220.29:80    -                          tcp
N/A      209.197.3.8:80      -                          tcp
N/A      209.197.3.8:80      -                          tcp
N/A      209.197.3.8:80      -                          tcp
N/A      104.80.225.205:443  -                          tcp
N/A      8.8.8.8:53          470347.ignorelist.com      udp
N/A      127.0.0.2:63781     -                          tcp
N/A      209.197.3.8:80      -                          tcp
N/A      8.238.20.126:80     -                          tcp
N/A      8.8.8.8:53          facebook32.ignorelist.com  udp
N/A      127.0.0.2:63781     -                          tcp
N/A      8.8.8.8:53          a.2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.0.0.0.5.0.8.0.0.3.0.1.3.0.6.2.ip6.arpa  udp
N/A      8.8.8.8:53          facebook32.ignorelist.com  udp
N/A      127.0.0.2:63781     -                          tcp
N/A      8.8.8.8:53          facebook32.ignorelist.com  udp
N/A      127.0.0.2:63781     -                          tcp
N/A      8.8.8.8:53          176.122.125.40.in-addr.arpa  udp
N/A      93.184.220.29:80    -                          tcp
N/A      8.8.8.8:53          470347.ignorelist.com      udp
N/A      127.0.0.2:63781     -                          tcp
N/A      8.8.8.8:53          470347.ignorelist.com      udp
N/A      127.0.0.2:63781     -                          tcp
N/A      8.8.8.8:53          470347.ignorelist.com      udp
N/A      127.0.0.2:63781     -                          tcp
N/A      8.8.8.8:53          facebook32.ignorelist.com  udp
N/A      127.0.0.2:63781     -                          tcp
N/A      8.8.8.8:53          facebook32.ignorelist.com  udp
N/A      127.0.0.2:63781     -                          tcp
N/A      8.8.8.8:53          facebook32.ignorelist.com  udp
N/A      127.0.0.2:63781     -                          tcp
N/A      8.8.8.8:53          470347.ignorelist.com      udp
N/A      127.0.0.2:63781     -                          tcp
N/A      8.8.8.8:53          470347.ignorelist.com      udp
N/A      127.0.0.2:63781     -                          tcp
N/A      8.8.8.8:53          470347.ignorelist.com      udp
N/A      127.0.0.2:63781     -                          tcp
N/A      8.8.8.8:53          facebook32.ignorelist.com  udp
N/A      127.0.0.2:63781     -                          tcp
N/A      8.8.8.8:53          facebook32.ignorelist.com  udp
N/A      127.0.0.2:63781     -                          tcp
N/A      8.8.8.8:53          facebook32.ignorelist.com  udp
N/A      127.0.0.2:63781     -                          tcp
N/A      8.8.8.8:53          470347.ignorelist.com      udp
N/A      127.0.0.2:63781     -                          tcp
N/A      8.8.8.8:53          470347.ignorelist.com      udp
N/A      127.0.0.2:63781     -                          tcp
N/A      8.8.8.8:53          470347.ignorelist.com      udp
N/A      127.0.0.2:63781     -                          tcp
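In both runs every lookup of 470347.ignorelist.com or facebook32.ignorelist.com is immediately followed by a TCP connection to 127.0.0.2:63781, and the win7 run contains nothing else; the extra port 80/443 destinations and the in-addr.arpa / ip6.arpa lookups appear only in the win10v2004 run. The following is an added example, not code from the report: it parses an excerpt of the behavioral2 Network table above into a reviewed indicator list, separating the implant's dynamic-DNS names and the port it connects to from reverse lookups and from direct connections that follow no lookup. That 127.0.0.2 is the sandbox's answer to the C2 lookups, so that 63781 is the port configured in the implant, is an inference drawn from the row order, not a statement the report makes.

```python
"""Reduce a sandbox Network table to reviewable indicators.

Added example, not part of the sandbox report. The input is an excerpt of the
behavioral2 Network table; reading 127.0.0.2 as the sandbox's answer to the
C2 lookups is an inference from the row order, not a claim the report makes.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Excerpt copied from the report's behavioral2 Network table. Rows have three
# fields (Country Destination Proto) for direct connections and four
# (Country Destination Domain Proto) for DNS queries.
NETWORK_TABLE = """\
Country Destination Domain Proto
N/A 72.21.91.29:80 tcp
N/A 20.54.89.106:443 tcp
N/A 8.8.8.8:53 470347.ignorelist.com udp
N/A 127.0.0.2:63781 tcp
N/A 8.8.8.8:53 176.122.125.40.in-addr.arpa udp
N/A 8.8.8.8:53 470347.ignorelist.com udp
N/A 127.0.0.2:63781 tcp
N/A 93.184.220.29:80 tcp
N/A 8.8.8.8:53 facebook32.ignorelist.com udp
N/A 127.0.0.2:63781 tcp
N/A 8.8.8.8:53 a.2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.0.0.0.5.0.8.0.0.3.0.1.3.0.6.2.ip6.arpa udp
N/A 8.8.8.8:53 facebook32.ignorelist.com udp
N/A 127.0.0.2:63781 tcp
"""


@dataclass(frozen=True)
class Flow:
    dst_ip: str
    dst_port: int
    proto: str
    domain: Optional[str]  # set only on DNS query rows


def parse_network_table(text: str) -> List[Flow]:
    """Parse the flattened 'Country Destination [Domain] Proto' rows."""
    flows: List[Flow] = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[0] != "Country":
            _country, dest, domain, proto = parts
        elif len(parts) == 3:
            _country, dest, proto = parts
            domain = None
        else:
            continue  # header or blank line
        ip, port = dest.rsplit(":", 1)
        flows.append(Flow(ip, int(port), proto, domain))
    return flows


def is_reverse_lookup(name: str) -> bool:
    return name.endswith(".in-addr.arpa") or name.endswith(".ip6.arpa")


def extract_iocs(flows: List[Flow]) -> Dict[str, object]:
    """Pair each forward lookup with the connection that follows it; the rest
    is either reverse DNS or a direct connection that no lookup explains."""
    lookups: Counter = Counter()
    resolved_to: Dict[str, Set[str]] = {}
    paired: Set[int] = set()
    reverse_lookups = 0
    for i, flow in enumerate(flows):
        if flow.domain is None:
            continue
        if is_reverse_lookup(flow.domain):
            reverse_lookups += 1
            continue
        lookups[flow.domain] += 1
        # The row right after a forward lookup is the connection made with
        # its answer; in this report that is always 127.0.0.2:63781.
        nxt = flows[i + 1] if i + 1 < len(flows) else None
        if nxt is not None and nxt.proto == "tcp" and nxt.domain is None:
            resolved_to.setdefault(flow.domain, set()).add(f"{nxt.dst_ip}:{nxt.dst_port}")
            paired.add(i + 1)
    direct_tcp = {
        f"{f.dst_ip}:{f.dst_port}"
        for i, f in enumerate(flows)
        if f.proto == "tcp" and f.domain is None and i not in paired
    }
    c2_ports = {int(ep.rsplit(":", 1)[1]) for eps in resolved_to.values() for ep in eps}
    return {
        "dns_lookups": dict(lookups),
        "resolved_to": resolved_to,
        "c2_ports": c2_ports,
        "reverse_lookups": reverse_lookups,
        "direct_tcp": direct_tcp,
    }


if __name__ == "__main__":
    for key, value in extract_iocs(parse_network_table(NETWORK_TABLE)).items():
        print(f"{key}: {value}")
```

The durable indicators are the two ignorelist.com names and the port: a dynamic-DNS name keeps working for the operator after the IP behind it changes, which is why it should go on the blocklist rather than whatever address it resolved to on the day. The direct_tcp set is what a practitioner should verify before acting on it; these destinations are absent from the win7 run of the same sample, which is consistent with OS background traffic rather than malware behaviour, but the report itself does not attribute them either way.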

Files

memory/2816-132-0x0000000074CA0000-0x0000000075251000-memory.dmp

memory/2816-133-0x0000000074CA0000-0x0000000075251000-memory.dmp