nanocore

General

Target

bbe4ba566d229a405da3af72193d297f.exe
Size

1.3MB
Sample

230205-z1kw5sah45
MD5

bbe4ba566d229a405da3af72193d297f
SHA1

ffb73821d698bc2e32f1a32c7adf95e66520c7a8
SHA256

aeb8e080b996a75f85bb82e2e7a42d0302735713f34fb95fff1bfb97a030e107
SHA512

a3ba9225b2719f482f807fe91217cdccbb9c415d54a8cd4531960bf20456868ba7fb1be2e473c26f306c33b74615a6f5192f0c852dca25c66e6d63a4cbb25529
SSDEEP

24576:8ixNAopnJcU4TgHosbIY95AcS1h9VOzYJ0Natxb:8iFpnx4TUosbIYEcSGQ06

Score

10^/10

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

rcontrol4sec.ddnsgeek.com:5080

127.0.0.1:5080

Mutex

19b525d2-02f6-47c5-b606-1d038212d191

Attributes

activate_away_mode
true
backup_connection_host
127.0.0.1
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2022-11-12T11:11:53.819338936Z
bypass_user_account_control
true
bypass_user_account_control_data
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
5080
default_group
Set
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
19b525d2-02f6-47c5-b606-1d038212d191
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
rcontrol4sec.ddnsgeek.com
primary_dns_server
8.8.8.8
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
true
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Targets

- Target
  
  bbe4ba566d229a405da3af72193d297f.exe
- Size
  
  1.3MB
- MD5
  
  bbe4ba566d229a405da3af72193d297f
- SHA1
  
  ffb73821d698bc2e32f1a32c7adf95e66520c7a8
- SHA256
  
  aeb8e080b996a75f85bb82e2e7a42d0302735713f34fb95fff1bfb97a030e107
- SHA512
  
  a3ba9225b2719f482f807fe91217cdccbb9c415d54a8cd4531960bf20456868ba7fb1be2e473c26f306c33b74615a6f5192f0c852dca25c66e6d63a4cbb25529
- SSDEEP
  
  24576:8ixNAopnJcU4TgHosbIY95AcS1h9VOzYJ0Natxb:8iFpnx4TUosbIYEcSGQ06
Score

10^/10

nanocore purecrypter downloader evasion keylogger loader persistence spyware stealer trojan
- Detect PureCrypter injector
  loader
- Modifies WinLogon for persistence
  persistence
- NanoCore
  NanoCore is a remote access tool (RAT) with a variety of capabilities.
  keylogger trojan stealer spyware nanocore
- PureCrypter
  PureCrypter is a .NET malware loader first seen in early 2021.
  loader downloader purecrypter
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Checks whether UAC is enabled
  evasion trojan
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

1

T1004

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Detect PureCrypter injector

Modifies WinLogon for persistence

PureCrypter

Checks computer location settings

Checks whether UAC is enabled

Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Tasks

static1

behavioral1

behavioral2