nanocore

General

Target

advbattoexeconverter.exe
Size

804KB
Sample

240417-wj98xsaf8y
MD5

83bb1b476c7143552853a2cf983c1142
SHA1

8ff8ed5c533d70a7d933ec45264dd700145acd8c
SHA256

af09248cb756488850f9e6f9a7a00149005bf47a9b2087b792ff6bd937297ffb
SHA512

6916c6c5addf43f56b9de217e1b640ab6f4d7e5a73cd33a7189f66c9b7f0b954c5aa635f92fcef5692ca0ca0c8767e97a678e90d545079b5e6d421555f5b761a
SSDEEP

24576:0xFkFHdJ8aT/iziXH6FGnYhqQuimKC6Qpor:0IdJ1KiBYhsl+r

Score

10^/10

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

rdpdoc.ddns.net:4050

Mutex

71c6e4ed-2e4f-4d94-90e5-57b1a3a57fa1

Attributes

activate_away_mode
true
backup_connection_host
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2020-02-03T22:20:29.991117836Z
bypass_user_account_control
true
bypass_user_account_control_data
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
4050
default_group
china
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
71c6e4ed-2e4f-4d94-90e5-57b1a3a57fa1
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
rdpdoc.ddns.net
primary_dns_server
8.8.8.8
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
true
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Targets

- Target
  
  advbattoexeconverter.exe
- Size
  
  804KB
- MD5
  
  83bb1b476c7143552853a2cf983c1142
- SHA1
  
  8ff8ed5c533d70a7d933ec45264dd700145acd8c
- SHA256
  
  af09248cb756488850f9e6f9a7a00149005bf47a9b2087b792ff6bd937297ffb
- SHA512
  
  6916c6c5addf43f56b9de217e1b640ab6f4d7e5a73cd33a7189f66c9b7f0b954c5aa635f92fcef5692ca0ca0c8767e97a678e90d545079b5e6d421555f5b761a
- SSDEEP
  
  24576:0xFkFHdJ8aT/iziXH6FGnYhqQuimKC6Qpor:0IdJ1KiBYhsl+r
Score

10^/10

nanocore netwire warzonerat botnet cryptone evasion infostealer keylogger macro macro_on_action packer rat spyware stealer trojan upx xlm
- NanoCore
  NanoCore is a remote access tool (RAT) with a variety of capabilities.
  keylogger trojan stealer spyware nanocore
- NetWire RAT payload
  rat
- Netwire
  Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
  botnet stealer netwire
- WarzoneRat, AveMaria
  WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
  rat infostealer warzonerat
- CryptOne packer
  Detects CryptOne packer defined in NCC blogpost.
  cryptone packer
- Warzone RAT payload
  rat
- Office macro that triggers on suspicious action
  Office document macro which triggers in special circumstances - often malicious.
  macro macro_on_action
- Suspicious Office macro
  Office document equipped with 4.0 macros.
  macro xlm
- Executes dropped EXE
- Loads dropped DLL
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Checks whether UAC is enabled
  evasion trojan
- Legitimate hosting services abused for malware hosting/C2
- AutoIT Executable
  AutoIT scripts compiled to PE executables.
- Suspicious use of SetThreadContext
behavioral1