nanocore | d494ddeb530deffdbe0622d70320a3f14b2d9a504235ed4c67c1fc2290dfdca8 | Triage

Sharing

General

Target

d494ddeb530deffdbe0622d70320a3f14b2d9a504235ed4c67c1fc2290dfdca8
Size

875KB
Sample

221128-xxy89aea9w
MD5

c32f92436f285f0ab5a144d1b2343f97
SHA1

fdc1fc724f93f5fedc5e70cde9931b0b30b1de3d
SHA256

d494ddeb530deffdbe0622d70320a3f14b2d9a504235ed4c67c1fc2290dfdca8
SHA512

724d3b2e733ef02619f8f0ff7d4d5991beb05f532d3f81ebcddbe166e4f599f129e5a73aff700a29bc2d19614f9e4cd0eab31837d10474735ab3b003c90ddb3d
SSDEEP

12288:vIcawjSgdz7k6FPL1Jd7hR4U4Z5k25Z4O6cDJEAEzeh71svn3FzmP7I4:QcNn1v7hyHzPc8JtEzeN1W3E3

Score

10^/10

nanocore evasion keylogger spyware stealer trojan

Malware Config

Extracted

Family

nanocore

Version

1.2.1.1

C2

jesusfountain.redirectme.net:54557

Mutex

93e4b02c-abdc-4e66-ae1c-828d68851ee9

Attributes

activate_away_mode
true
backup_connection_host
backup_dns_server
buffer_size
65535
build_time
2014-10-21T10:21:59.185241736Z
bypass_user_account_control
true
bypass_user_account_control_data
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
54557
default_group
Project School
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
93e4b02c-abdc-4e66-ae1c-828d68851ee9
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
jesusfountain.redirectme.net
primary_dns_server
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
true
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.1.1
wan_timeout
8000

Targets

- Target
  
  d494ddeb530deffdbe0622d70320a3f14b2d9a504235ed4c67c1fc2290dfdca8
- Size
  
  875KB
- MD5
  
  c32f92436f285f0ab5a144d1b2343f97
- SHA1
  
  fdc1fc724f93f5fedc5e70cde9931b0b30b1de3d
- SHA256
  
  d494ddeb530deffdbe0622d70320a3f14b2d9a504235ed4c67c1fc2290dfdca8
- SHA512
  
  724d3b2e733ef02619f8f0ff7d4d5991beb05f532d3f81ebcddbe166e4f599f129e5a73aff700a29bc2d19614f9e4cd0eab31837d10474735ab3b003c90ddb3d
- SSDEEP
  
  12288:vIcawjSgdz7k6FPL1Jd7hR4U4Z5k25Z4O6cDJEAEzeh71svn3FzmP7I4:QcNn1v7hyHzPc8JtEzeN1W3E3
Score

10^/10

nanocore evasion keylogger spyware stealer trojan
- NanoCore
  NanoCore is a remote access tool (RAT) with a variety of capabilities.
  keylogger trojan stealer spyware nanocore
- Checks whether UAC is enabled
  evasion trojan
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

Modify Registry

Credential Access

Discovery

System Information Discovery

Query Registry

Peripheral Device Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

nanocoreevasionkeyloggerspywarestealertrojan

behavioral2

nanocoreevasionkeyloggerspywarestealertrojan