nanocore | 2f244fdc56d40e039b94ddb5b4f14ae389b9c057af2991c6037220f488462555 | Triage

Submit
Reports

Overview

overview

Static

static

2f244fdc56...55.exe

windows7-x64

2f244fdc56...55.exe

windows10-2004-x64

Sharing

General

Target

2f244fdc56d40e039b94ddb5b4f14ae389b9c057af2991c6037220f488462555
Size

1.7MB
Sample

230129-r7251abe83
MD5

572deaae035dc45bfde695cf2c4eca9c
SHA1

23ac65e7d81d1937f3637e249d8daf03ee820bb4
SHA256

2f244fdc56d40e039b94ddb5b4f14ae389b9c057af2991c6037220f488462555
SHA512

0c8a7a75893af6413da2034de0b901476c9db94ca50f2ea757f77787b7816a9f53c71b5af6c527670ad85c46b892e244c623dc57096b3ebc76ccd497a8ef1d4d
SSDEEP

12288:ln4oojsadZIcSZzd9xU9DHhilbu300g6LUmhhVHq5snzVXvePiupREJXmBe8kkkS:eoOdScazTxRCEyLUm7HXvczZDwTs1

Score

10^/10

nanocore netwire botnet evasion keylogger persistence rat spyware stealer trojan

Static task

static1

Behavioral task

behavioral1

Sample

2f244fdc56d40e039b94ddb5b4f14ae389b9c057af2991c6037220f488462555.exe

Resource

win7-20221111-en

nanocore netwire botnet evasion keylogger persistence rat spyware stealer trojan

windows7-x64

18 signatures

150 seconds

Behavioral task

behavioral2

Sample

2f244fdc56d40e039b94ddb5b4f14ae389b9c057af2991c6037220f488462555.exe

Resource

win10v2004-20221111-en

nanocore netwire botnet evasion keylogger persistence rat spyware stealer trojan

windows10-2004-x64

17 signatures

150 seconds

Malware Config

Extracted

Family

netwire

C2

divinevilla.hopto.org:3680

divinevilla9.duckdns.org:3680

Attributes

activex_autorun
true
activex_key
{4U0P1HV1-08W6-Q5LN-WDDU-VOF57B3X5Q6B}
copy_executable
true
delete_original
false
host_id
2019BLESSINGS
install_path
%AppData%\Install\xpsz.exe
keylogger_dir
%AppData%\Logs\
lock_executable
true
mutex
MkPFjgDl
offline_keylogger
true
password
teamoluwa1
registry_autorun
true
startup_name
vixx
use_mutex
true

Targets

- Target
  
  2f244fdc56d40e039b94ddb5b4f14ae389b9c057af2991c6037220f488462555
- Size
  
  1.7MB
- MD5
  
  572deaae035dc45bfde695cf2c4eca9c
- SHA1
  
  23ac65e7d81d1937f3637e249d8daf03ee820bb4
- SHA256
  
  2f244fdc56d40e039b94ddb5b4f14ae389b9c057af2991c6037220f488462555
- SHA512
  
  0c8a7a75893af6413da2034de0b901476c9db94ca50f2ea757f77787b7816a9f53c71b5af6c527670ad85c46b892e244c623dc57096b3ebc76ccd497a8ef1d4d
- SSDEEP
  
  12288:ln4oojsadZIcSZzd9xU9DHhilbu300g6LUmhhVHq5snzVXvePiupREJXmBe8kkkS:eoOdScazTxRCEyLUm7HXvczZDwTs1
Score

10^/10

nanocore netwire botnet evasion keylogger persistence rat spyware stealer trojan
- NanoCore
  NanoCore is a remote access tool (RAT) with a variety of capabilities.
  keylogger trojan stealer spyware nanocore
- NetWire RAT payload
  rat
- Netwire
  Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
  botnet stealer netwire
- Executes dropped EXE
- Modifies Installed Components in the registry
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Checks whether UAC is enabled
  evasion trojan
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

Persistence

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

nanocorenetwirebotnetevasionkeyloggerpersistenceratspywarestealertrojan

behavioral2

nanocorenetwirebotnetevasionkeyloggerpersistenceratspywarestealertrojan

© 2018-2024

Terms | Privacy