nanocore

Sharing

Copy URL

Twitter E-mail

General

Target

nanacore.zip
Size

6.2MB
Sample

230327-1yrgkshe2x
MD5

97cfe2bfb32bb1facf7d24b4a3a30dfd
SHA1

87e692a826a4673b7b769e2d00cb3459f906148e
SHA256

5809a1e4b5ac6b59aea48113f1f921e9bf81476a335f244442d5ea85632d3ff4
SHA512

16707d6c746558d8023ba22585a22ba09102fb3ef13a2a01d50c0fcf8c3fca31450db27798a03f6a99dc39105c593620a9fbab5cb3c523275b7a6e4ad2c5e6c7
SSDEEP

98304:AUzpr8SNLih/qDkBWcmgbknt1ARgvOWrVylqjvjdZr1UBCFC6/IxCFMBs3hWVgk8:A4Jm/IcBKAbWZy8dwB22kuBAhWVlVT4

Score

10^/10

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

127.0.0.1:54984

Mutex

f5968560-41da-44be-bf8f-6c3fa860d635

Attributes

activate_away_mode
true
backup_connection_host
127.0.0.1
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2019-01-27T19:59:02.057482736Z
bypass_user_account_control
true
bypass_user_account_control_data
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
54984
default_group
Default
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
f5968560-41da-44be-bf8f-6c3fa860d635
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
primary_dns_server
8.8.8.8
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
false
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Targets

- Target
  
  nanacore/1.exe
- Size
  
  202KB
- MD5
  
  7262cd751358cfecb8d31ff81575ac29
- SHA1
  
  fcab5f0e392ae5477635a7ced23bd1d377e69e16
- SHA256
  
  4667ca924aa5cbfd0a793da30825f5cb7ea98b2ddf83377c7b6ed91d73c3420c
- SHA512
  
  eaaead267bbcf1bda32d7f978493a02f6f87ae5c2af7d5d3ff67ee0d097d540e3ae3c222282b7c97edbbda9a31b608e69db2374aab2346b7f25108912173c7ef
- SSDEEP
  
  3072:wzEqV6B1jHa6dtJ10jgvzcgi+oG/j9iaMP2s/HItMzhzRWEV9UWlv38SAB:wLV6Bta6dtJmakIM5NFAyUWlv3PAB
Score

10^/10

nanocore evasion keylogger persistence spyware stealer trojan
- NanoCore
  NanoCore is a remote access tool (RAT) with a variety of capabilities.
  keylogger trojan stealer spyware nanocore
- Adds Run key to start application
  persistence
- Checks whether UAC is enabled
  evasion trojan
behavioral1
- Target
  
  nanacore/ClientPlugin.dll
- Size
  
  19KB
- MD5
  
  bdc8945f1d799c845408522e372d1dbd
- SHA1
  
  874b7c3c97cc5b13b9dd172fec5a54bc1f258005
- SHA256
  
  61e9d5c0727665e9ef3f328141397be47c65ed11ab621c644b5bbf1d67138403
- SHA512
  
  4fa0ed4ef66e4c442f5fc628e8bfc8a4f84cb213210643996d9387027edb619c054f6104ac889ae77cece09f0304f95d5f20e14d66847e2d382ef51eecec0962
- SSDEEP
  
  192:VYLQui6h6p5WW3tZVTnlYJL/eLYLTr2/C8:VYLQu/6/fKqLYLTR
Score

1^/10
behavioral2
- Target
  
  nanacore/NanoCore.exe
- Size
  
  1.4MB
- MD5
  
  1728acc244115cbafd3b810277d2e321
- SHA1
  
  be64732f46c8a26a5bbf9d7f69c7f031b2c5180b
- SHA256
  
  ec359f50ca15395f273899c0ff7c0cd87ab5c2e23fdcfc6c72fedc0097161d4b
- SHA512
  
  8c59fdd29181f28e5698de78adf63934632e644a87088400f1b7ab1653622e4bc3a4145094601211a2db4bcbd04ea5f1ac44129907fbb727fe24a1f3652c7034
- SSDEEP
  
  24576:d7dOT1b7eAJzjSTUd+21nm3kEvpqZ0vSxmfexX6shz07DTl/uz:d7dqVw2+2KkS4PmGX6og7
Score

1^/10
behavioral3
- Target
  
  nanacore/PluginCompiler.exe
- Size
  
  75KB
- MD5
  
  e2d1c5df11f9573f6c5d0a7ad1a79fbf
- SHA1
  
  b32bf571aca1b51af48f7f2f955aaf1bbdc5aa2f
- SHA256
  
  0b41b2fcd0f1a4e913d3efe293f713849d59efebb27bac060ab31bed51ac2f6b
- SHA512
  
  9c9ae7baa504dd34311f5730280f6a49e10eefdb145d2d29849e385a7da47c8f2c182cd6f39949f5904ef8462fc5c3dfaf1bc4cc8bff50c6750c9edc886192e0
- SSDEEP
  
  1536:iyVzgm8NqToL6n975lw8FDx39EhPKu4iV1Y:iyVMLUTos5SAx3ChPKpiVe
Score

1^/10
behavioral4
- Target
  
  nanacore/ServerPlugin.dll
- Size
  
  28KB
- MD5
  
  952c62ec830c63380beb72ad923d35dc
- SHA1
  
  6700baa1fb1877129e79402dfe237f0b84221b69
- SHA256
  
  2e5fbfb7932b117a2f6093dc346cdee4a5702e39739d9c40d27bfd1580f6f0d7
- SHA512
  
  5dc19d7d6ab7670ded766f357e481328c8df4a96ac3c2a00194a5ccea8c34bca0e34cfea3d9d17934db384d302446be2fec9853438371561d70580665bffe121
- SSDEEP
  
  384:7LmAEURVWGSCyo6/NLoqwXEsZmLTdFuoKy:vm1izOlg0ZKy
Score

1^/10
behavioral5
- Target
  
  nanacore/System.Data.SQLite.dll
- Size
  
  256KB
- MD5
  
  dd3d6f00b1aba3f1d9338d9727ab5f17
- SHA1
  
  faf9364a7ab15f27c93a6e6f97fa025030c9dad7
- SHA256
  
  f0d4beab24e94e61f219df451d90dbba3d0f48539f9b6a448f91e0c94b4e80c4
- SHA512
  
  0794d850a133a98affe627e3023114b229b982e507d366895ece6a1ef99b42d708554c64b52f0f2ed63673e1c5aeea7e794085d45f0797159e21ba4efdf23cd7
- SSDEEP
  
  6144:icvnEsATddHqgM69uZ5iFNFGFOFwcGF6cmFWc0FWc8cIcKcUFJFpcNcHc7cbchF1:icvnEygM69uZ8FNFGFOFwcGF6cmFWc0z
Score

1^/10
behavioral6
- Target
  
  nanacore/client.bin
- Size
  
  130KB
- MD5
  
  906a949e34472f99ba683eff21907231
- SHA1
  
  7c5a57af209597fa6c6bce7d1a8016b936d3b0b6
- SHA256
  
  9d3ea5af7dc261bf93c76f55d702a315aa22fb241e4207dc86cd834c262245c8
- SHA512
  
  29fd20ae7f1b8bac831c0bb85da4325a62e10961989e14299f5f50776c8f7e669cc1527bf2c3868bd7230e73ac110ba8b1f0491ac0f2923d79d7a2871c7c961d
- SSDEEP
  
  3072:pzEqV6B1jHa6dtJ10jgvzcgi+oG/j9iaMP2s/HI0AkU:pLV6Bta6dtJmakIM5VU
Score

10^/10

nanocore evasion keylogger spyware stealer trojan
- NanoCore
  NanoCore is a remote access tool (RAT) with a variety of capabilities.
  keylogger trojan stealer spyware nanocore
- Checks whether UAC is enabled
  evasion trojan
behavioral7
- Target
  
  nanacore/x64/SQLite.Interop.dll
- Size
  
  1.3MB
- MD5
  
  382398711315e2fa8e93d305b4873908
- SHA1
  
  51482242e6d9170963aa27192c8279d20fce19ce
- SHA256
  
  270d61d183cff3dafad0db3dbe7942374552044baea1e28411c3a143cb620c02
- SHA512
  
  084217e67c125cb9952b91bc9783faf5c1e8fb01750cc1e6b4c3736c47b74dcf3207979c1c497e630e161aff529f71c403af6ca0232a7c3e9e587b58e4495589
- SSDEEP
  
  24576:fG4Gnwh2IK88uyMGI1YSbmdtDxnrW1oC0AZDvDetNQT7f+5eKMUxThC35:ewh2IKAYjtNme5eeG
Score

1^/10
behavioral8
- Target
  
  nanacore/x86/SQLite.Interop.dll
- Size
  
  792KB
- MD5
  
  9b19dcee960dc215e64b1d82348707a9
- SHA1
  
  9c1e0f76673eb385787120e17404df179316ca2b
- SHA256
  
  3515f704b0012c01fc8be5b717905c0587b29255fc9eb7ad3f2b66a130691d38
- SHA512
  
  cc1304ab171feb2ac6df941f4b35aab8ce7b503f96b5539b366b39268cce8b21ea2fdbce16eff809a9a121a60a65ebbd0f59f75360800f541b9e5f93e729a55d
- SSDEEP
  
  12288:iIF0SBEkDG7/jznRefvOIVcn4PW5d6PrVJNcdwLzs9w:iIYkDG7rznRenOIVc4PW76TbK
Score

1^/10
behavioral9

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Adds Run key to start application

Checks whether UAC is enabled

NanoCore

Checks whether UAC is enabled

MITRE ATT&CK Matrix ATT&CK v6

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9