nanocore

General

Target

c7e73c4c0aa5c1ec7f90db1c6be8c1dfb33205583e04f5b963fcc5f3ff921e6e
Size

510KB
Sample

240417-r95nxaee4t
MD5

c90e0dcce96738c3fd9454ec75130318
SHA1

d17a2e71d0ad5760cac1dfd305dbfba6754cac7a
SHA256

c7e73c4c0aa5c1ec7f90db1c6be8c1dfb33205583e04f5b963fcc5f3ff921e6e
SHA512

f937e6c482ba55ea8a41eee53acf343a9f6ef062ad8511c87497b2125ad901d96aa6b5a64c3c9ad67917ab9baec66fafd76ad97618625d313c2b92c8fe94e359
SSDEEP

12288:mVOxAEdcSBiGeMnYX9l4CVtLD+pFrNfMay9r5BZN:mUiEdcoHWX9l4CVtP+Drm15N

Score

10^/10

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

kennynanobelintourismedleonline.dumb1.com:7072

Mutex

6b1312cb-72d0-4da8-8182-e917f5887e6c

Attributes

activate_away_mode
true
backup_connection_host
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2023-09-30T11:54:33.233317936Z
bypass_user_account_control
true
bypass_user_account_control_data
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
7072
default_group
Mr Smart
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
6b1312cb-72d0-4da8-8182-e917f5887e6c
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
kennynanobelintourismedleonline.dumb1.com
primary_dns_server
8.8.8.8
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
true
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Targets

- Target
  
  5aad4e2ad582c6fe27f4f7d2a9c526115cf40f9227385cb9e2c5d160c85bf11b.exe
- Size
  
  584KB
- MD5
  
  051ce434ea8ea139cb3fc0cd61b21a99
- SHA1
  
  0ebb963dc8226ff95f26b90ae148fd02154ef39b
- SHA256
  
  5aad4e2ad582c6fe27f4f7d2a9c526115cf40f9227385cb9e2c5d160c85bf11b
- SHA512
  
  5566eab44fd5d2dac278d06015503c709e8f5154fe0b7a9d60ec47d75061ebfdd388005d771bf33a8bcf67f5d014076887832fd081045815118bf952e9b95ac0
- SSDEEP
  
  12288:ij34VVCbFKQNt4qQwhZ43CA2TxixwYl06HHbWJQSE88pvtmcSfWl:i8HW/eCrTAwYl06H7l391B
Score

10^/10

nanocore evasion keylogger persistence spyware stealer trojan
- NanoCore
  NanoCore is a remote access tool (RAT) with a variety of capabilities.
  keylogger trojan stealer spyware nanocore
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Checks whether UAC is enabled
  evasion trojan
- Suspicious use of SetThreadContext
behavioral1 behavioral2
- Target
  
  ufyabb.exe
- Size
  
  526KB
- MD5
  
  101a2de82607b0f99ef5d4a810896c9b
- SHA1
  
  34c52d9c349da842c27e76afb716227857a57cdb
- SHA256
  
  d3aa0b25ae8642adba83223811333cada5ffeaad584b7391b03e0f7fb28d864f
- SHA512
  
  2a62c1c7a319437f94f5f913f27a55a1274284eccdec5effa4689f9630ab64359c751375c8bac3d1af952bf2232a7230fa7044c6d1d588cc4f37c474117ee278
- SSDEEP
  
  12288:6u6VOlbAbXXlMAXyD54HOU36Xkno+A48vEgnVw7xMuJYjZXU7CSU:6u6VOlbAbXXlMGqkE+8vEwg6Zr
Score

10^/10

nanocore evasion keylogger persistence spyware stealer trojan
- NanoCore
  NanoCore is a remote access tool (RAT) with a variety of capabilities.
  keylogger trojan stealer spyware nanocore
- Adds Run key to start application
  persistence
- Checks whether UAC is enabled
  evasion trojan
- Suspicious use of SetThreadContext
behavioral3 behavioral4