nanocore

General

Target

f80bd53a58316d8fb43c24725c923ff2.exe
Size

4.1MB
Sample

231006-rrvqzseh73
MD5

f80bd53a58316d8fb43c24725c923ff2
SHA1

45c116a5e5e1680c47dd01605aa5d5033b436162
SHA256

e844192fb4c52758db729e18e8898fe0921bdbe1e2d3ac3da6a6b5d2cedecb71
SHA512

3a0f0dcba8a4cbe3a9185f8965a9201e0fdfd0179fb374fbb590bfb717d71ad6a102a890322ba69447bb7ba16f6dd583af9a92c673cb34a2ddef21876ecd3634
SSDEEP

98304:FzEls77BGpj21HbwiWDO7PLgJSZdhmrJcgltWjW6ftjkn/0L4yGZ//2LXWAgUq:F17tGKHbIDO7DMorOqglAj3Sq4P2LmxU

Score

10^/10

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

fgudhiiugiufgifufgihdhuidfxgd.duckdns.org:54984

nojewsjwooujweq.duckdns.org:54984

Mutex

1da888af-eaab-4d01-bce7-7d314165f9b1

Attributes

activate_away_mode
true
backup_connection_host
nojewsjwooujweq.duckdns.org
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2023-07-18T15:13:25.638938236Z
bypass_user_account_control
true
bypass_user_account_control_data
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
54984
default_group
Default
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
1da888af-eaab-4d01-bce7-7d314165f9b1
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
fgudhiiugiufgifufgihdhuidfxgd.duckdns.org
primary_dns_server
8.8.8.8
request_elevation
false
restart_delay
5000
run_delay
0
run_on_startup
false
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Extracted

Family

warzonerat

C2

fgudhiiugiufgifufgihdhuidfxgd.duckdns.org:5200

Extracted

Family

quasar

Version

1.4.1

Botnet

Slave

C2

fgudhiiugiufgifufgihdhuidfxgd.duckdns.org:4782

Mutex

c01ef685-50b2-41b1-af94-aee5bc04e6fd

Attributes

encryption_key
6550C5FD133683B3330870C778B7DB73E923F472
install_name
svchost.exe
log_directory
Logs
reconnect_delay
3000
startup_key
svchost
subdirectory
SubDir

Targets

- Target
  
  f80bd53a58316d8fb43c24725c923ff2.exe
- Size
  
  4.1MB
- MD5
  
  f80bd53a58316d8fb43c24725c923ff2
- SHA1
  
  45c116a5e5e1680c47dd01605aa5d5033b436162
- SHA256
  
  e844192fb4c52758db729e18e8898fe0921bdbe1e2d3ac3da6a6b5d2cedecb71
- SHA512
  
  3a0f0dcba8a4cbe3a9185f8965a9201e0fdfd0179fb374fbb590bfb717d71ad6a102a890322ba69447bb7ba16f6dd583af9a92c673cb34a2ddef21876ecd3634
- SSDEEP
  
  98304:FzEls77BGpj21HbwiWDO7PLgJSZdhmrJcgltWjW6ftjkn/0L4yGZ//2LXWAgUq:F17tGKHbIDO7DMorOqglAj3Sq4P2LmxU
Score

10^/10

nanocore quasar warzonerat slave evasion infostealer keylogger persistence rat spyware stealer trojan
- NanoCore
  NanoCore is a remote access tool (RAT) with a variety of capabilities.
  keylogger trojan stealer spyware nanocore
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Quasar payload
- WarzoneRat, AveMaria
  WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
  rat infostealer warzonerat
- Warzone RAT payload
  rat
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Checks whether UAC is enabled
  evasion trojan
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2