nanocore | 8a0b3ba6dec891704a1ed2e31cae766491fa7e1acb5007a7acfcad32f9834a96

Analysis

max time kernel
156s
max time network
165s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
08/01/2024, 14:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4bb71eeb1ef688efb7807a1c182691cb.exe
Size

863KB
MD5

4bb71eeb1ef688efb7807a1c182691cb
SHA1

34329d26f0c014ca876906e268975778664db10c
SHA256

8a0b3ba6dec891704a1ed2e31cae766491fa7e1acb5007a7acfcad32f9834a96
SHA512

beb9afece303805a852656aab89b5e054c9a2c3a2848c7662a57d37da3f4c6d6d44a8aea89a8f70abfe600abc441b8effb7e10321c6c37e4b46fa5095c8a26de
SSDEEP

24576:9omEXz/VmHV+Wha4xqbtbciqTyoHB17mo5oFCEkv:SmqU1doyqbtbUysHosv

Score

10^/10

nanocore keylogger spyware stealer trojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

185.244.30.238:1985

127.0.0.1:1985

Mutex

cd36de34-478d-427e-a222-53f75c55abae

Attributes

activate_away_mode
true
backup_connection_host
127.0.0.1
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2021-05-08T22:16:27.321077136Z
bypass_user_account_control
true
bypass_user_account_control_data
clear_access_control
false
clear_zone_identifier
false
connect_delay
4000
connection_port
1985
default_group
Kdott
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
cd36de34-478d-427e-a222-53f75c55abae
mutex_timeout
5000
prevent_system_sleep
true
primary_connection_host
185.244.30.238
primary_dns_server
8.8.8.8
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
false
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore

CustAttr .NET packer 1 IoCs

Detects CustAttr .NET packer in memory.

resource	yara_rule
behavioral2/memory/1776-10-0x0000000005090000-0x00000000050A2000-memory.dmp	CustAttr

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1776 set thread context of 4980	1776	4bb71eeb1ef688efb7807a1c182691cb.exe	106

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1776 wrote to memory of 4980	1776	4bb71eeb1ef688efb7807a1c182691cb.exe	106
PID 1776 wrote to memory of 4980	1776	4bb71eeb1ef688efb7807a1c182691cb.exe	106
PID 1776 wrote to memory of 4980	1776	4bb71eeb1ef688efb7807a1c182691cb.exe	106
PID 1776 wrote to memory of 4980	1776	4bb71eeb1ef688efb7807a1c182691cb.exe	106
PID 1776 wrote to memory of 4980	1776	4bb71eeb1ef688efb7807a1c182691cb.exe	106
PID 1776 wrote to memory of 4980	1776	4bb71eeb1ef688efb7807a1c182691cb.exe	106
PID 1776 wrote to memory of 4980	1776	4bb71eeb1ef688efb7807a1c182691cb.exe	106
PID 1776 wrote to memory of 4980	1776	4bb71eeb1ef688efb7807a1c182691cb.exe	106

C:\Users\Admin\AppData\Local\Temp\4bb71eeb1ef688efb7807a1c182691cb.exe
"C:\Users\Admin\AppData\Local\Temp\4bb71eeb1ef688efb7807a1c182691cb.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1776
- C:\Users\Admin\AppData\Local\Temp\4bb71eeb1ef688efb7807a1c182691cb.exe
  "C:\Users\Admin\AppData\Local\Temp\4bb71eeb1ef688efb7807a1c182691cb.exe"
  2⤵
  PID:4980

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1776-8-0x0000000005BA0000-0x0000000005BF6000-memory.dmp

Filesize
344KB

Download
memory/1776-9-0x00000000055C0000-0x00000000055D0000-memory.dmp

Filesize
64KB

Download
memory/1776-2-0x0000000005690000-0x000000000572C000-memory.dmp

Filesize
624KB

Download
memory/1776-3-0x0000000005CE0000-0x0000000006284000-memory.dmp

Filesize
5.6MB

Download
memory/1776-4-0x0000000005730000-0x00000000057C2000-memory.dmp

Filesize
584KB

Download
memory/1776-5-0x0000000075180000-0x0000000075930000-memory.dmp

Filesize
7.7MB

Download
memory/1776-6-0x00000000055C0000-0x00000000055D0000-memory.dmp

Filesize
64KB

Download
memory/1776-7-0x0000000005A20000-0x0000000005A2A000-memory.dmp

Filesize
40KB

Download
memory/1776-1-0x0000000000B80000-0x0000000000C5E000-memory.dmp

Filesize
888KB

Download
memory/1776-10-0x0000000005090000-0x00000000050A2000-memory.dmp

Filesize
72KB

Download
memory/1776-0-0x0000000075180000-0x0000000075930000-memory.dmp

Filesize
7.7MB

Download
memory/1776-11-0x0000000006C70000-0x0000000006CF6000-memory.dmp

Filesize
536KB

Download
memory/1776-12-0x0000000005C90000-0x0000000005CCE000-memory.dmp

Filesize
248KB

Download
memory/1776-17-0x0000000075180000-0x0000000075930000-memory.dmp

Filesize
7.7MB

Download
memory/4980-14-0x0000000075180000-0x0000000075930000-memory.dmp

Filesize
7.7MB

Download
memory/4980-15-0x0000000005250000-0x0000000005260000-memory.dmp

Filesize
64KB

Download
memory/4980-13-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download