General
Target: NanoCore 1.2.2.0.7z
Size: 162KB
Sample: 240531-ng33tsff6s
MD5: 63ba13bf2ddd20be9a1415b93339cc39
SHA1: ad759db50ef788cb6d8ff9fa7bae45908f7e70c8
SHA256: 59c74f45889b604c8e02c25a4823d8e314b1b4046e90059e86cf37066dd812cd
SHA512: 8352b10f54698d9eec1d8ec04265c709a83f94411fb8fb5a5e9510b84113bc846b0922a55dac972a95020357c4bdd0b26ecb462a4a6c182b14b2e1beec13e408
SSDEEP: 3072:e9LyHmlMyebiCHNg4l83alfPfkzw92NaxcB0R2+Zn3WTtY+zxjL9uC3qwZ0y92wH:Rjoq62n9ddKM2vkm0aWyRv3G9qvZJT3T
Static task: static1
Behavioral task: behavioral1
  Sample: NanoCore 1.2.2.0.7z
  Resource: win7-20240419-en
Behavioral task: behavioral2
  Sample: NanoCore 1.2.2.0.7z
  Resource: win10v2004-20240508-en
Malware Config

Targets
Target: NanoCore 1.2.2.0.7z
Signatures
- NirSoft MailPassView: Password recovery tool for various email clients
- Nirsoft
- Downloads MZ/PE file
- Executes dropped EXE
- Loads dropped DLL
- Modifies system executable filetype association
- Registers COM server for autorun
- Uses the VBS compiler for execution
- Accesses Microsoft Outlook accounts
- Adds Run key to start application
- Checks installed software on the system: Looks up Uninstall key entries in the registry to enumerate software on the system.
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service: Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
MITRE ATT&CK Matrix (ATT&CK v13)
Persistence:
- Event Triggered Execution (1)
  - Change Default File Association (1)
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (2)
- Scheduled Task/Job (1)