Overview

overview

10

Static

static

2dbf68789f...15.exe

windows7-x64

10

2dbf68789f...15.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    2dbf68789ff9a2847fffb4afb9eec6e57b4271f266d70a547061a4cfa8044615

  • Size

    506KB

  • Sample

    221127-qmpthaah26

  • MD5

    2094bcda6fa0597fa1f165628400a469

  • SHA1

    da47bfd7f50e0b9e0727d09dcff4827f07e0d281

  • SHA256

    2dbf68789ff9a2847fffb4afb9eec6e57b4271f266d70a547061a4cfa8044615

  • SHA512

    7a7a2b9ba6947752aa85074a6eff44b3499409663b12c97ebbb24e36edd087165e6a0a2e63b83cc470a57c62940ba2887f4aee17c065c2e4fa00ab8066bd8164

  • SSDEEP

    6144:vPMNhL2mdS8b8lZvN8hLrt6qnNEWSWbKFqkaGuj6LV:vPKhKme2KQ/SWW0vGuj6LV

Score
10/10
nanocorekeyloggerpersistencespywarestealertrojan

Malware Config

Targets

    • Target

      2dbf68789ff9a2847fffb4afb9eec6e57b4271f266d70a547061a4cfa8044615

    • Size

      506KB

    • MD5

      2094bcda6fa0597fa1f165628400a469

    • SHA1

      da47bfd7f50e0b9e0727d09dcff4827f07e0d281

    • SHA256

      2dbf68789ff9a2847fffb4afb9eec6e57b4271f266d70a547061a4cfa8044615

    • SHA512

      7a7a2b9ba6947752aa85074a6eff44b3499409663b12c97ebbb24e36edd087165e6a0a2e63b83cc470a57c62940ba2887f4aee17c065c2e4fa00ab8066bd8164

    • SSDEEP

      6144:vPMNhL2mdS8b8lZvN8hLrt6qnNEWSWbKFqkaGuj6LV:vPKhKme2KQ/SWW0vGuj6LV

    Score
    10/10
    nanocorekeyloggerpersistencespywarestealertrojan

    • Modifies WinLogon for persistence

      persistence

    • NanoCore

      NanoCore is a remote access tool (RAT) with a variety of capabilities.

      keyloggertrojanstealerspywarenanocore

    • Executes dropped EXE

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

1
T1004

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks