nanocore

General

Target

6dd21975f4cab86ed7af322c38e9825971e13cc0b826e278f56d2e411ad4f6f8.zip
Size

24.0MB
Sample

230727-aldrvagf22
MD5

fc5cb01d39cb38b9bf1da53d28945583
SHA1

79d92fc9623258f81abbbccced99aec2db7711ba
SHA256

8c53fc138ab93483314185026bec3ddc9e41aeb22ca1025a08f5b55238836f4c
SHA512

032885957b09eab184e4e13f6110027a9e3ca8f7a2db52c654ca55f8f6df040e7439a39c9bf1b3ed05d03d0088d38acc7ae2be36fdc5432ef5283e05643983a3
SSDEEP

393216:Wc6gH2raByaZYflVeqRmbnjty96mqhj14WOrc62t91DFG55bgTYmGTnnTnRhNLiO:Wc6gTDCf5RkK6LlG2pY55bgTzsnTnncO

Score

10^/10

Malware Config

Extracted

Family

umbral

C2

https://ptb.discord.com/api/webhooks/1103062061308711013/DXAN2znESQvEc6dLNnLsauh1TMcs5L72kY-0mrCYe41GPo6f1JIFjlGouqYLTWexBszo

Extracted

Family

nanocore

Version

1.2.2.0

C2

8.tcp.ngrok.io:18184

Mutex

b3c03861-ff64-46a0-bbf6-30bd7e451c17

Attributes

activate_away_mode
true
backup_connection_host
8.tcp.ngrok.io
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2023-02-14T21:06:46.097983836Z
bypass_user_account_control
true
bypass_user_account_control_data
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
18184
default_group
Default
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
b3c03861-ff64-46a0-bbf6-30bd7e451c17
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
8.tcp.ngrok.io
primary_dns_server
8.8.8.8
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
false
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Targets

- Target
  
  6dd21975f4cab86ed7af322c38e9825971e13cc0b826e278f56d2e411ad4f6f8.exe
- Size
  
  24.4MB
- MD5
  
  20d9ace6b4fff715f204ea2cf008e0ee
- SHA1
  
  988354b0667c23f749f9ade68b624d0525e95d10
- SHA256
  
  6dd21975f4cab86ed7af322c38e9825971e13cc0b826e278f56d2e411ad4f6f8
- SHA512
  
  b4930e4e9ddc0d5b163962c3fd70ff782f965154e3f16f275d1b261bf20ee864116c46c4de86df594ce602fc4b004464ab109389958cc646c3e7fc0533e7eb75
- SSDEEP
  
  393216:+7sxAlnJLFg3GT6+K7btWp3EqO97hu/m3pDnL8nbVB3Q7MP2sjwCfgM2p:+7xlVFFW+K7cG3GK03A7i2sjvgM2p
Score

10^/10

nanocore umbral evasion keylogger persistence pyinstaller spyware stealer trojan upx
- Detect Umbral payload
- NanoCore
  NanoCore is a remote access tool (RAT) with a variety of capabilities.
  keylogger trojan stealer spyware nanocore
- Umbral
  Umbral stealer is an opensource moduler stealer written in C#.
  stealer umbral
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Adds Run key to start application
  persistence
- Checks whether UAC is enabled
  evasion trojan
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1 behavioral2
- Target
  
  logz.pyc
- Size
  
  43KB
- MD5
  
  e8404b29b4fa30815c7588269eba266e
- SHA1
  
  38a2bcd9687e1d8585d1d80220f1dc02502131ce
- SHA256
  
  f82ca3bffe904933b523c3a2e42866e66847e1636a22ecc12de839a20dfa982a
- SHA512
  
  72456fe0714beaf61f8f2f42c0fe509cef16b03b4cb81719c30f7e766d5312510ca9594e2b3984642f64b62a5b24d59f593e0baec5cf79375ab6c942fdb155e6
- SSDEEP
  
  768:moP7h/z2Q4JESUP/8L541CnVWhc6ceJ+wu0wkWtiPucunDLkgMQFkgLdXNzINMU:ms7h/z2oF8VSCV0cL6Ru07WQfunnRug0
Score

3^/10
behavioral3 behavioral4