General
-
Target
packs.zip
-
Size
85.9MB
-
Sample
230609-s2ctlace43
-
MD5
be4bb766344987170ebd89c1beb5ad21
-
SHA1
f8c58ed0d9278d96647ff0e265958d8223f784a2
-
SHA256
80266abf7c6d6541542ea6893bd0b9769ef4cb8a883f33171ba808efe9a5099e
-
SHA512
6b272e569ee02f440b8c4d8dbf309ef444877b483f434c82c771a78787131b221f2af91a9ed237ed27d43c017a8fbd32a0eded9f324d7b44842cc72014cba9f1
-
SSDEEP
786432:nvCudIpEhlYXhlJlx2vJgahQmFKTmhlVmhl6hl+P1XEhkehZtN3+cJDhlQZohl7u:nv2/T8KP1XEF+cJcZAK9
Malware Config
Extracted
nanocore
1.2.2.0
Oranjun-60963.portmap.io:60963
127.0.0.1:60963
6bda8f93-44d6-4376-9ae5-7bed6258711c
-
activate_away_mode
true
-
backup_connection_host
127.0.0.1
-
backup_dns_server
8.8.4.4
-
buffer_size
65535
-
build_time
2019-03-13T20:16:30.682088336Z
-
bypass_user_account_control
true
- bypass_user_account_control_data
-
clear_access_control
true
-
clear_zone_identifier
false
-
connect_delay
4000
-
connection_port
60963
-
default_group
Client
-
enable_debug_mode
true
-
gc_threshold
1.048576e+07
-
keep_alive_timeout
30000
-
keyboard_logging
false
-
lan_timeout
2500
-
max_packet_size
1.048576e+07
-
mutex
6bda8f93-44d6-4376-9ae5-7bed6258711c
-
mutex_timeout
5000
-
prevent_system_sleep
false
-
primary_connection_host
Oranjun-60963.portmap.io
-
primary_dns_server
8.8.8.8
-
request_elevation
true
-
restart_delay
5000
-
run_delay
0
-
run_on_startup
false
-
set_critical_process
true
-
timeout_interval
5000
-
use_custom_dns_server
false
-
version
1.2.2.0
-
wan_timeout
8000
Targets
-
-
Target
packs.zip
-
Size
85.9MB
-
MD5
be4bb766344987170ebd89c1beb5ad21
-
SHA1
f8c58ed0d9278d96647ff0e265958d8223f784a2
-
SHA256
80266abf7c6d6541542ea6893bd0b9769ef4cb8a883f33171ba808efe9a5099e
-
SHA512
6b272e569ee02f440b8c4d8dbf309ef444877b483f434c82c771a78787131b221f2af91a9ed237ed27d43c017a8fbd32a0eded9f324d7b44842cc72014cba9f1
-
SSDEEP
786432:nvCudIpEhlYXhlJlx2vJgahQmFKTmhlVmhl6hl+P1XEhkehZtN3+cJDhlQZohl7u:nv2/T8KP1XEF+cJcZAK9
Score10/10-
NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Executes dropped EXE
-
Loads dropped DLL
-
Modifies system executable filetype association
-
Obfuscated with Agile.Net obfuscator
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
-
Registers COM server for autorun
-
Themida packer
Detects Themida, an advanced Windows software protection system.
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled
-
Legitimate hosting services abused for malware hosting/C2
-
Checks system information in the registry
System information is often read in order to detect sandboxing environments.
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
MITRE ATT&CK Matrix ATT&CK v6
Persistence
Change Default File Association
1Registry Run Keys / Startup Folder
2Hidden Files and Directories
1Defense Evasion
Virtualization/Sandbox Evasion
1Modify Registry
3Hidden Files and Directories
1