nanocore

General

Target

Ark Survival Evolved Kaas v1.03.rar
Size

4.2MB
Sample

240414-xgql6sea2y
MD5

819069afe4a6b35f32bf54de45bbc2ed
SHA1

3af19f7c7487c9a28d34ce9a7ce7f63d74a10e37
SHA256

8e1b12ac91081bb113f9b5fc11ccc60c83500cc21381e0508e0d98e7a78fcc0a
SHA512

0ff739aac6aaf7062da073ab8f06ecd8614fd2510a10ed2dd9b6e01abad263ed19e852a4094020952a3025fe02e921cc2191ed6a89a4e6e2f97954d3d12a6042
SSDEEP

98304:zS65TGVSdVyr06vI8jkflLuhoyLd4ImtVQv8:zS61py06vIbtSdd4A8

Score

10^/10

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

openporting.ddns.net:13043

127.0.0.1:13043

Mutex

ffd4cc95-d79c-48c6-8d1b-e8c63c5cc74f

Attributes

activate_away_mode
true
backup_connection_host
127.0.0.1
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2017-11-22T17:55:28.345024636Z
bypass_user_account_control
true
bypass_user_account_control_data
clear_access_control
true
clear_zone_identifier
true
connect_delay
4000
connection_port
13043
default_group
Default
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
ffd4cc95-d79c-48c6-8d1b-e8c63c5cc74f
mutex_timeout
5000
prevent_system_sleep
true
primary_connection_host
openporting.ddns.net
primary_dns_server
8.8.8.8
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
true
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Targets

- Target
  
  Ark Survival Evolved Kaas v1.03/Extreme Injector v3.exe
- Size
  
  6.8MB
- MD5
  
  762792c828a199a4b2612d7bb5b45172
- SHA1
  
  00f51995bbcda1d1b79ea75e1e35881486f2711f
- SHA256
  
  ae44cab415cf1f312ff3c44f3ea7854b77e0af6708c2c63ac30e3de536dfdfe7
- SHA512
  
  d92f0a4625985c9c4dc7a6f2ec2bc62adb89828d521025474f12a035d8ffec024957516907ab6360a782c9c3a0c8c1278075eaefc1f45338770f79a042222df8
- SSDEEP
  
  49152:LKhg7C6i6vIFDExoXj2kCBEFKwbd0G9h5UN3bg3fElDy56RM0QCHga85y2qjwQyo:H
Score

10^/10

persistence nanocore evasion keylogger spyware stealer trojan
- NanoCore
  NanoCore is a remote access tool (RAT) with a variety of capabilities.
  keylogger trojan stealer spyware nanocore
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Checks whether UAC is enabled
  evasion trojan
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of SetThreadContext
behavioral1 behavioral2
- Target
  
  Ark Survival Evolved Kaas v1.03/pastedmeme.dll
- Size
  
  312KB
- MD5
  
  ceeb14625db5b5a6ea5bbbefdec8798d
- SHA1
  
  72fffb1b5c51b3e01d54f05a31351a325739702e
- SHA256
  
  5031494852158b93c9ceba4cc6b97dbeaf7080f54947aa02df3ca7b7c26d98e3
- SHA512
  
  901bf891db17058efe0c240afcab91b75cddff34c79eb73d45c91003c14bd968c104c2f8e019ae9091980a72bef3d43ede5da59ffc3139c8f3d7a2b7d9f795ff
- SSDEEP
  
  3072:MjmcpGdGLLvjqExlsY84RxGHNFBsUs4wjGPDkPiG6dk43tbW6cc23Rq9rIFtH7Ct:uPPxmJWM3Rs4wjGPDCixdKc8qd+tb+O
Score

3^/10
behavioral3 behavioral4