nanocore | 39f4239391959ef5526d88982850bfd96cff70800fdab102aa1472c0b279f0af

General

Target

39f4239391959ef5526d88982850bfd96cff70800fdab102aa1472c0b279f0af.exe
Size

1.9MB
MD5

b2edfeaa3ac26d6025aac0b92788ed11
SHA1

4d6a5d91254ef3de3da4db6a399beb1fc2ede177
SHA256

39f4239391959ef5526d88982850bfd96cff70800fdab102aa1472c0b279f0af
SHA512

3528aebd1354a02fdd915be0e4d4b5c146114bc90763744ff8bf090ead15d5bb0a5c7bd94ff4c18b5acb669ee7ffbef3888e596c0e677ab8baf549af0c718234
SSDEEP

12288:X0LQ8daG/UYCCsUF4oYckcQRQo1wwVigOK8USPmnZ385EuL/C6shsyE6kGMgPYzz:XIKuL/CYzOmcJs28PpnuIIdw

Score

10^/10

nanocore netwire botnet keylogger persistence rat spyware stealer trojan

Malware Config

Extracted

Family

netwire

C2

alex419.duckdns.org:60622

178.239.21.185:60622

Attributes

activex_autorun
false
copy_executable
true
delete_original
false
host_id
GRACE101
install_path
%AppData%\Install\file.exe
keylogger_dir
%AppData%\Logs\
lock_executable
false
mutex
NwgwuGDR
offline_keylogger
true
password
Password
registry_autorun
true
startup_name
Abobex
use_mutex
true

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore

NetWire RAT payload 4 IoCs

rat

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Host.exe	netwire
C:\Users\Admin\AppData\Local\Temp\Host.exe	netwire
C:\Users\Admin\AppData\Roaming\Install\file.exe	netwire
C:\Users\Admin\AppData\Roaming\Install\file.exe	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Executes dropped EXE 4 IoCs

Processes:

Host.exefileremitz.exefile.exefileremitz.exe

pid process

3216 Host.exe
2284 fileremitz.exe
3972 file.exe
5012 fileremitz.exe

pid	process
3216	Host.exe
2284	fileremitz.exe
3972	file.exe
5012	fileremitz.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Host.exe39f4239391959ef5526d88982850bfd96cff70800fdab102aa1472c0b279f0af.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	Host.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	39f4239391959ef5526d88982850bfd96cff70800fdab102aa1472c0b279f0af.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

file.exeWScript.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\	file.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Abobex = "C:\\Users\\Admin\\AppData\\Roaming\\Install\\file.exe"	file.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Windows\CurrentVersion\Run	WScript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fileremitz = "C:\\Users\\Admin\\subfolder\\fileremitz.vbs -VC"	WScript.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

fileremitz.exe

description pid process target process

PID 2284 set thread context of 5012 2284 fileremitz.exe fileremitz.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	pid	process	target process
PID 2284 set thread context of 5012	2284	fileremitz.exe	fileremitz.exe

Modifies registry class 1 IoCs

Processes:

39f4239391959ef5526d88982850bfd96cff70800fdab102aa1472c0b279f0af.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings	39f4239391959ef5526d88982850bfd96cff70800fdab102aa1472c0b279f0af.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

39f4239391959ef5526d88982850bfd96cff70800fdab102aa1472c0b279f0af.exefileremitz.exe

pid process

4884 39f4239391959ef5526d88982850bfd96cff70800fdab102aa1472c0b279f0af.exe
2284 fileremitz.exe

pid	process
4884	39f4239391959ef5526d88982850bfd96cff70800fdab102aa1472c0b279f0af.exe
2284	fileremitz.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

39f4239391959ef5526d88982850bfd96cff70800fdab102aa1472c0b279f0af.exeHost.exefileremitz.exe

description	pid	process	target process
PID 4884 wrote to memory of 3216	4884	39f4239391959ef5526d88982850bfd96cff70800fdab102aa1472c0b279f0af.exe	Host.exe
PID 4884 wrote to memory of 3216	4884	39f4239391959ef5526d88982850bfd96cff70800fdab102aa1472c0b279f0af.exe	Host.exe
PID 4884 wrote to memory of 3216	4884	39f4239391959ef5526d88982850bfd96cff70800fdab102aa1472c0b279f0af.exe	Host.exe
PID 4884 wrote to memory of 4900	4884	39f4239391959ef5526d88982850bfd96cff70800fdab102aa1472c0b279f0af.exe	WScript.exe
PID 4884 wrote to memory of 4900	4884	39f4239391959ef5526d88982850bfd96cff70800fdab102aa1472c0b279f0af.exe	WScript.exe
PID 4884 wrote to memory of 4900	4884	39f4239391959ef5526d88982850bfd96cff70800fdab102aa1472c0b279f0af.exe	WScript.exe
PID 4884 wrote to memory of 2284	4884	39f4239391959ef5526d88982850bfd96cff70800fdab102aa1472c0b279f0af.exe	fileremitz.exe
PID 4884 wrote to memory of 2284	4884	39f4239391959ef5526d88982850bfd96cff70800fdab102aa1472c0b279f0af.exe	fileremitz.exe
PID 4884 wrote to memory of 2284	4884	39f4239391959ef5526d88982850bfd96cff70800fdab102aa1472c0b279f0af.exe	fileremitz.exe
PID 3216 wrote to memory of 3972	3216	Host.exe	file.exe
PID 3216 wrote to memory of 3972	3216	Host.exe	file.exe
PID 3216 wrote to memory of 3972	3216	Host.exe	file.exe
PID 2284 wrote to memory of 5012	2284	fileremitz.exe	fileremitz.exe
PID 2284 wrote to memory of 5012	2284	fileremitz.exe	fileremitz.exe
PID 2284 wrote to memory of 5012	2284	fileremitz.exe	fileremitz.exe

C:\Users\Admin\AppData\Local\Temp\39f4239391959ef5526d88982850bfd96cff70800fdab102aa1472c0b279f0af.exe
"C:\Users\Admin\AppData\Local\Temp\39f4239391959ef5526d88982850bfd96cff70800fdab102aa1472c0b279f0af.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4884

C:\Users\Admin\AppData\Local\Temp\Host.exe
"C:\Users\Admin\AppData\Local\Temp\Host.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3216

C:\Users\Admin\AppData\Roaming\Install\file.exe
"C:\Users\Admin\AppData\Roaming\Install\file.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
PID:3972

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\subfolder\fileremitz.vbs"
2⤵
- Adds Run key to start application
PID:4900

C:\Users\Admin\subfolder\fileremitz.exe
"C:\Users\Admin\subfolder\fileremitz.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2284

C:\Users\Admin\subfolder\fileremitz.exe
C:\Users\Admin\subfolder\fileremitz.exe"
3⤵
- Executes dropped EXE
PID:5012

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Host.exe
Filesize
148KB

MD5
b50aeef02f35381208f2bdc7536fecb6

SHA1
73197a36a09b21901da085e67c600b5e84606668

SHA256
8f168eecbe8608addbffe143cdcccc4be9ec45a5caf52fa00528a2b14ebe0a47

SHA512
275121d6114a8d22500ddd8ed722ea553084e4b289614484e932af076d52f375f3810191c937dd38f36889788bb07ac4fb4c7c140dd8adeb4cfdafc874c7bff9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Host.exe
Filesize
148KB

MD5
b50aeef02f35381208f2bdc7536fecb6

SHA1
73197a36a09b21901da085e67c600b5e84606668

SHA256
8f168eecbe8608addbffe143cdcccc4be9ec45a5caf52fa00528a2b14ebe0a47

SHA512
275121d6114a8d22500ddd8ed722ea553084e4b289614484e932af076d52f375f3810191c937dd38f36889788bb07ac4fb4c7c140dd8adeb4cfdafc874c7bff9

Download Submit
C:\Users\Admin\AppData\Roaming\Install\file.exe
Filesize
148KB

MD5
b50aeef02f35381208f2bdc7536fecb6

SHA1
73197a36a09b21901da085e67c600b5e84606668

SHA256
8f168eecbe8608addbffe143cdcccc4be9ec45a5caf52fa00528a2b14ebe0a47

SHA512
275121d6114a8d22500ddd8ed722ea553084e4b289614484e932af076d52f375f3810191c937dd38f36889788bb07ac4fb4c7c140dd8adeb4cfdafc874c7bff9

Download Submit
C:\Users\Admin\AppData\Roaming\Install\file.exe
Filesize
148KB

MD5
b50aeef02f35381208f2bdc7536fecb6

SHA1
73197a36a09b21901da085e67c600b5e84606668

SHA256
8f168eecbe8608addbffe143cdcccc4be9ec45a5caf52fa00528a2b14ebe0a47

SHA512
275121d6114a8d22500ddd8ed722ea553084e4b289614484e932af076d52f375f3810191c937dd38f36889788bb07ac4fb4c7c140dd8adeb4cfdafc874c7bff9

Download Submit
C:\Users\Admin\subfolder\fileremitz.exe
Filesize
1.9MB

MD5
b2edfeaa3ac26d6025aac0b92788ed11

SHA1
4d6a5d91254ef3de3da4db6a399beb1fc2ede177

SHA256
39f4239391959ef5526d88982850bfd96cff70800fdab102aa1472c0b279f0af

SHA512
3528aebd1354a02fdd915be0e4d4b5c146114bc90763744ff8bf090ead15d5bb0a5c7bd94ff4c18b5acb669ee7ffbef3888e596c0e677ab8baf549af0c718234

Download Submit
C:\Users\Admin\subfolder\fileremitz.exe
Filesize
1.9MB

MD5
b2edfeaa3ac26d6025aac0b92788ed11

SHA1
4d6a5d91254ef3de3da4db6a399beb1fc2ede177

SHA256
39f4239391959ef5526d88982850bfd96cff70800fdab102aa1472c0b279f0af

SHA512
3528aebd1354a02fdd915be0e4d4b5c146114bc90763744ff8bf090ead15d5bb0a5c7bd94ff4c18b5acb669ee7ffbef3888e596c0e677ab8baf549af0c718234

Download Submit
C:\Users\Admin\subfolder\fileremitz.exe
Filesize
1.9MB

MD5
b2edfeaa3ac26d6025aac0b92788ed11

SHA1
4d6a5d91254ef3de3da4db6a399beb1fc2ede177

SHA256
39f4239391959ef5526d88982850bfd96cff70800fdab102aa1472c0b279f0af

SHA512
3528aebd1354a02fdd915be0e4d4b5c146114bc90763744ff8bf090ead15d5bb0a5c7bd94ff4c18b5acb669ee7ffbef3888e596c0e677ab8baf549af0c718234

Download Submit
C:\Users\Admin\subfolder\fileremitz.vbs
Filesize
1024B

MD5
84ac02433ae365d34512ee0013da1f93

SHA1
5bbe796a76a1063e8b857457ebfda5ea41222c29

SHA256
a8c6a45b6dc4a8cdd5ae5ed775335c1c7a50cf2fe2f312c1f2d19e9d5c5107c7

SHA512
028c15b847bd30239fb84714c165c430b51a94107ec73951eeac53df8bfef8590f51d62093ecafac47047dd078a18eb98a95ee8ea205a5d9e8625fde26c70ccd

Download Submit
memory/2284-158-0x0000000076E70000-0x0000000077013000-memory.dmp

Filesize
1.6MB

Download
memory/2284-154-0x0000000076E70000-0x0000000077013000-memory.dmp

Filesize
1.6MB

Download
memory/2284-153-0x00007FF8294B0000-0x00007FF8296A5000-memory.dmp

Filesize
2.0MB

Download
memory/2284-141-0x0000000000000000-mapping.dmp

Download
memory/2284-155-0x0000000002160000-0x0000000002167000-memory.dmp

Filesize
28KB

Download
memory/3216-137-0x0000000000000000-mapping.dmp

Download
memory/3972-150-0x0000000000000000-mapping.dmp

Download
memory/4884-134-0x0000000002490000-0x0000000002497000-memory.dmp

Filesize
28KB

Download
memory/4884-135-0x00007FF8294B0000-0x00007FF8296A5000-memory.dmp

Filesize
2.0MB

Download
memory/4884-136-0x0000000076E70000-0x0000000077013000-memory.dmp

Filesize
1.6MB

Download
memory/4884-148-0x0000000076E70000-0x0000000077013000-memory.dmp

Filesize
1.6MB

Download
memory/4884-146-0x00007FF8294B0000-0x00007FF8296A5000-memory.dmp

Filesize
2.0MB

Download
memory/4884-143-0x0000000002490000-0x0000000002497000-memory.dmp

Filesize
28KB

Download
memory/4900-140-0x0000000000000000-mapping.dmp

Download
memory/5012-163-0x0000000000400000-0x00000000005DD000-memory.dmp

Filesize
1.9MB

Download
memory/5012-161-0x0000000000940000-0x0000000000947000-memory.dmp

Filesize
28KB

Download
memory/5012-156-0x0000000000000000-mapping.dmp

Download
memory/5012-159-0x00007FF8294B0000-0x00007FF8296A5000-memory.dmp

Filesize
2.0MB

Download
memory/5012-160-0x0000000076E70000-0x0000000077013000-memory.dmp

Filesize
1.6MB

Download
memory/5012-162-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads