General

  • Target: 7423de8c040d89fa19338afccfe7baa6
  • Size: 2.1MB
  • Sample: 240125-jqttascagp
  • MD5: 7423de8c040d89fa19338afccfe7baa6
  • SHA1: 9abbee485cacd5d6c0115d8f5f06f4a01d9309c9
  • SHA256: 23620de64b663a58b2c29f39863e8b4052d7f819fd69685e56d26426927dcfa3
  • SHA512: cf28260b94cbcc91796623bcdb192eb1d02935b3891b8d011c0a4602dd748fba1b678d8de0567762c7a96a4a06d9bd5b1196eed248fd23afc67891077cc54817
  • SSDEEP: 49152:yav4KJbboJXTKy2GmKFYrb0INa4uf5JJhDziO5FASrRxBQt2/j8OkYdzFRZIJMdN:yuFVbWXWjBAY0wHLqa+zyyj885RZBN

Malware Config

Extracted

  • Family: nanocore
  • Version: 1.2.2.0
  • C2: 185.244.30.139:4050
  • Mutex: 52e05d5b-dcbb-4f70-86bd-eb80b3602ddc

Attributes

  • activate_away_mode: true
  • backup_connection_host
  • backup_dns_server: 8.8.4.4
  • buffer_size: 65535
  • build_time: 2020-02-09T23:01:15.091230736Z
  • bypass_user_account_control: true
  • bypass_user_account_control_data
  • clear_access_control: true
  • clear_zone_identifier: false
  • connect_delay: 4000
  • connection_port: 4050
  • default_group: money
  • enable_debug_mode: true
  • gc_threshold: 1.048576e+07
  • keep_alive_timeout: 30000
  • keyboard_logging: false
  • lan_timeout: 2500
  • max_packet_size: 1.048576e+07
  • mutex: 52e05d5b-dcbb-4f70-86bd-eb80b3602ddc
  • mutex_timeout: 5000
  • prevent_system_sleep: false
  • primary_connection_host: 185.244.30.139
  • primary_dns_server: 8.8.8.8
  • request_elevation: true
  • restart_delay: 5000
  • run_delay: 0
  • run_on_startup: true
  • set_critical_process: true
  • timeout_interval: 5000
  • use_custom_dns_server: false
  • version: 1.2.2.0
  • wan_timeout: 8000

Targets

    • Target: 7423de8c040d89fa19338afccfe7baa6
    • Size: 2.1MB
    • MD5: 7423de8c040d89fa19338afccfe7baa6
    • SHA1: 9abbee485cacd5d6c0115d8f5f06f4a01d9309c9
    • SHA256: 23620de64b663a58b2c29f39863e8b4052d7f819fd69685e56d26426927dcfa3
    • SHA512: cf28260b94cbcc91796623bcdb192eb1d02935b3891b8d011c0a4602dd748fba1b678d8de0567762c7a96a4a06d9bd5b1196eed248fd23afc67891077cc54817
    • SSDEEP: 49152:yav4KJbboJXTKy2GmKFYrb0INa4uf5JJhDziO5FASrRxBQt2/j8OkYdzFRZIJMdN:yuFVbWXWjBAY0wHLqa+zyyj885RZBN

    Signatures

    • NanoCore: NanoCore is a remote access tool (RAT) with a variety of capabilities.
    • Executes dropped EXE
    • Loads dropped DLL
    • UPX packed file: Detects executables packed with UPX/modified UPX open source packer.
    • Checks whether UAC is enabled
    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks