nanocore | 3788dc98b496b8eca5bec9fe73397cb6eb6bacadae5637c8e3d3009a98afe203 | Triage

Sharing

General

Target

52a309b059e9c2dccd75d272971e7ea0_NeikiAnalytics.exe
Size

688KB
Sample

240529-n7wfnsdf2v
MD5

52a309b059e9c2dccd75d272971e7ea0
SHA1

28bbd88c2bb4670ba0d90c274954c40018dcfc74
SHA256

3788dc98b496b8eca5bec9fe73397cb6eb6bacadae5637c8e3d3009a98afe203
SHA512

ccf237f37d0e54a4cb860a78910cf6f33cfe590a13e945b5c6c1ee91d25bfc023611f39c5ee1e9a7533dbadf717d4bc0990029b2671d12a82122e7ed3e7f28b4
SSDEEP

12288:910pei36RLzmmwtcb2GQ8E5qrln7RJiHw3lm+gKR+shQ2L8BiV6id:96pp36V6HorQ0lmHh9K4s62LyiV6id

Score

10^/10

nanocore evasion execution keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

staywicked99.ddns.net:63882

127.0.0.1:63882

Mutex

344b2f5a-4a49-455c-8a61-465a5df696b3

Attributes

activate_away_mode
true
backup_connection_host
127.0.0.1
backup_dns_server
37.235.1.177
buffer_size
65535
build_time
2024-02-23T18:24:33.192101836Z
bypass_user_account_control
true
bypass_user_account_control_data
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
63882
default_group
ash
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
344b2f5a-4a49-455c-8a61-465a5df696b3
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
staywicked99.ddns.net
primary_dns_server
37.235.1.174
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
false
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Targets

- Target
  
  52a309b059e9c2dccd75d272971e7ea0_NeikiAnalytics.exe
- Size
  
  688KB
- MD5
  
  52a309b059e9c2dccd75d272971e7ea0
- SHA1
  
  28bbd88c2bb4670ba0d90c274954c40018dcfc74
- SHA256
  
  3788dc98b496b8eca5bec9fe73397cb6eb6bacadae5637c8e3d3009a98afe203
- SHA512
  
  ccf237f37d0e54a4cb860a78910cf6f33cfe590a13e945b5c6c1ee91d25bfc023611f39c5ee1e9a7533dbadf717d4bc0990029b2671d12a82122e7ed3e7f28b4
- SSDEEP
  
  12288:910pei36RLzmmwtcb2GQ8E5qrln7RJiHw3lm+gKR+shQ2L8BiV6id:96pp36V6HorQ0lmHh9K4s62LyiV6id
Score

10^/10

nanocore evasion execution keylogger persistence spyware stealer trojan
- NanoCore
  NanoCore is a remote access tool (RAT) with a variety of capabilities.
  keylogger trojan stealer spyware nanocore
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Unexpected DNS network traffic destination
  Network traffic to other servers than the configured DNS servers was detected on the DNS port.
- Adds Run key to start application
  persistence
- Checks whether UAC is enabled
  evasion trojan
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

nanocoreevasionexecutionkeyloggerpersistencespywarestealertrojan

behavioral2

nanocoreevasionexecutionkeyloggerpersistencespywarestealertrojan