nanocore | addf69e7675bb4111997e21630447883474f34e0faf50215b7ac45595a042300 | Triage

Sharing

General

Target

562fc3234e53c14974bd59e5008f264438e67849ddaf11f06c4687fdd2da5311.bin.sample.gz
Size

1.1MB
Sample

230516-pw833ahh21
MD5

4d256d8e0e817b68fb4795dd30b9297f
SHA1

fbb0784f30bc9f59a6ccd465c9d89c0f55059c5d
SHA256

addf69e7675bb4111997e21630447883474f34e0faf50215b7ac45595a042300
SHA512

227e3033631202d59c84496cd54a3f1c7fd06541c150a066622af8e834d3bf5148d443a6ec9059e599c40dcdefbfde6d3ed0a28db5bc9eb370d6504d2efa2520
SSDEEP

24576:MuLdsbeXlkwvHknDI7SERIsoHLrhI17Tpb1/e431vSkBil:PsUiwcns7Te3HLdI1Cqv7il

Score

10^/10

nanocore evasion keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

syoll.duckdns.org:1604

Mutex

91a498dd-ff55-4709-b992-a5ee7715c9a2

Attributes

activate_away_mode
false
backup_connection_host
syoll.duckdns.org
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2020-03-14T21:41:26.733185836Z
bypass_user_account_control
true
bypass_user_account_control_data
clear_access_control
false
clear_zone_identifier
false
connect_delay
4000
connection_port
1604
default_group
Default
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
91a498dd-ff55-4709-b992-a5ee7715c9a2
mutex_timeout
4985
prevent_system_sleep
false
primary_connection_host
syoll.duckdns.org
primary_dns_server
8.8.8.8
request_elevation
false
restart_delay
5000
run_delay
0
run_on_startup
false
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Targets

- Target
  
  sample
- Size
  
  2.1MB
- MD5
  
  ae177e42c4c6e273cb4219fff5e94981
- SHA1
  
  9b4c628e9aa7a81ada28dd4ba2490cef3a5ccede
- SHA256
  
  562fc3234e53c14974bd59e5008f264438e67849ddaf11f06c4687fdd2da5311
- SHA512
  
  b34261b51110f1b055fe6cd283d51620fc1c0d0cd25c87587cc434ea04074aa0ed1ad43f270383453b76b69db3cbf5708a21cf10948f874123d5fef09348ceba
- SSDEEP
  
  24576:LE1qXbolTK38T67YCE3DY1oNowiK33tQPtY6Zqx8dYkRQ53Ula4mJ8ZQI+QSD11a:LEMoVl3zWwx0qxnkRGcQI+1ZvWH
Score

10^/10

nanocore evasion keylogger persistence spyware stealer trojan
- NanoCore
  NanoCore is a remote access tool (RAT) with a variety of capabilities.
  keylogger trojan stealer spyware nanocore
- UAC bypass
  evasion trojan
- Disables RegEdit via registry modification
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Checks whether UAC is enabled
  evasion trojan
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Bypass User Account Control

Defense Evasion

Bypass User Account Control

Disabling Security Tools

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

nanocoreevasionkeyloggerpersistencespywarestealertrojan

behavioral2

nanocoreevasionkeyloggerpersistencespywarestealertrojan