nanocore | c8a29dfe9f1c9b1d9bd494211010c8ec333ac6d5cc6415c92be71032f824adf8 | Triage

Sharing

General

Target

c8a29dfe9f1c9b1d9bd494211010c8ec333ac6d5cc6415c92be71032f824adf8
Size

718KB
Sample

221128-gftpfaed4w
MD5

39b8dfc53e2109f8e5dc4e0c3d7b5843
SHA1

20977e59da603fbf9e8fab1a32ab6ab1453af621
SHA256

c8a29dfe9f1c9b1d9bd494211010c8ec333ac6d5cc6415c92be71032f824adf8
SHA512

6dcb87b5ace0f6b212ef166ba4bdcd028cfa9ca2229ce87f407a1be1efcadded5d9ca51f87670022e77c95f57a98877d929cd2740e8d552c7e13224c6c1c3d64
SSDEEP

12288:O8mxVfMRDYVeARz1/XUEMPEv2A8WHZGkb8DDW3fffVIcx7NKBIvwZL7oMdl:O8+fMRE3zZXoPQOW5GkgDDW3f6chloZT

Score

10^/10

nanocore evasion keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

nanocore

Version

1.2.1.1

C2

paulcoe.ignorelist.com:2000

Mutex

8a449960-464c-4824-aa6a-a322882ebd5a

Attributes

activate_away_mode
false
backup_connection_host
backup_dns_server
buffer_size
65535
build_time
2014-09-27T23:28:24.060949036Z
bypass_user_account_control
true
bypass_user_account_control_data
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
2000
default_group
BATCH B
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
8a449960-464c-4824-aa6a-a322882ebd5a
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
paulcoe.ignorelist.com
primary_dns_server
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
false
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.1.1
wan_timeout
8000

Targets

- Target
  
  c8a29dfe9f1c9b1d9bd494211010c8ec333ac6d5cc6415c92be71032f824adf8
- Size
  
  718KB
- MD5
  
  39b8dfc53e2109f8e5dc4e0c3d7b5843
- SHA1
  
  20977e59da603fbf9e8fab1a32ab6ab1453af621
- SHA256
  
  c8a29dfe9f1c9b1d9bd494211010c8ec333ac6d5cc6415c92be71032f824adf8
- SHA512
  
  6dcb87b5ace0f6b212ef166ba4bdcd028cfa9ca2229ce87f407a1be1efcadded5d9ca51f87670022e77c95f57a98877d929cd2740e8d552c7e13224c6c1c3d64
- SSDEEP
  
  12288:O8mxVfMRDYVeARz1/XUEMPEv2A8WHZGkb8DDW3fffVIcx7NKBIvwZL7oMdl:O8+fMRE3zZXoPQOW5GkgDDW3f6chloZT
Score

10^/10

nanocore evasion keylogger persistence spyware stealer trojan
- NanoCore
  NanoCore is a remote access tool (RAT) with a variety of capabilities.
  keylogger trojan stealer spyware nanocore
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Checks whether UAC is enabled
  evasion trojan
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

nanocoreevasionkeyloggerpersistencespywarestealertrojan

behavioral2

nanocoreevasionkeyloggerpersistencespywarestealertrojan