nanocore

General

Target

e28f241aecdb850910f2e2dea30dcbc23d31578ea3b7a74c9fa30460669f7c83.exe
Size

601KB
Sample

240612-cw3j3ayfpg
MD5

a22d0177e9d6943719508b77ed4ac91f
SHA1

a9fac95535d4ef69a6f7b0550ed6bba65f96dbc3
SHA256

e28f241aecdb850910f2e2dea30dcbc23d31578ea3b7a74c9fa30460669f7c83
SHA512

ce7de781add996902983ca70edb86219a947347dc3990da542cbbdd33a869b92a1ec537974f154230df82ab64ef3474a8d20c9167c2434ca9b1013c4522fb949
SSDEEP

12288:H+jJ7GB/lLTXVzTpmGlWK74RTeQUj5VJ1MwzMRs5ax7W:H+dKB/lnVHMGMK74VfUjXTMEMRCa8

Score

10^/10

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

staywicked99.ddns.net:63882

127.0.0.1:63882

Mutex

6f75db72-72d4-402c-b879-6fc19c6f2e39

Attributes

activate_away_mode
true
backup_connection_host
127.0.0.1
backup_dns_server
37.235.1.177
buffer_size
65535
build_time
2024-03-05T14:12:07.229634536Z
bypass_user_account_control
true
bypass_user_account_control_data
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
63882
default_group
FINGERS
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
6f75db72-72d4-402c-b879-6fc19c6f2e39
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
staywicked99.ddns.net
primary_dns_server
37.235.1.174
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
false
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Targets

- Target
  
  e28f241aecdb850910f2e2dea30dcbc23d31578ea3b7a74c9fa30460669f7c83.exe
- Size
  
  601KB
- MD5
  
  a22d0177e9d6943719508b77ed4ac91f
- SHA1
  
  a9fac95535d4ef69a6f7b0550ed6bba65f96dbc3
- SHA256
  
  e28f241aecdb850910f2e2dea30dcbc23d31578ea3b7a74c9fa30460669f7c83
- SHA512
  
  ce7de781add996902983ca70edb86219a947347dc3990da542cbbdd33a869b92a1ec537974f154230df82ab64ef3474a8d20c9167c2434ca9b1013c4522fb949
- SSDEEP
  
  12288:H+jJ7GB/lLTXVzTpmGlWK74RTeQUj5VJ1MwzMRs5ax7W:H+dKB/lnVHMGMK74VfUjXTMEMRCa8
Score

10^/10

nanocore evasion execution keylogger persistence spyware stealer trojan
- NanoCore
  NanoCore is a remote access tool (RAT) with a variety of capabilities.
  keylogger trojan stealer spyware nanocore
- UAC bypass
  evasion trojan
- Windows security bypass
  evasion trojan
- Detects executables packed with or use KoiVM
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Unexpected DNS network traffic destination
  Network traffic to other servers than the configured DNS servers was detected on the DNS port.
- Windows security modification
  evasion trojan
- Adds Run key to start application
  persistence
- Checks whether UAC is enabled
  evasion trojan
- Suspicious use of SetThreadContext
behavioral1 behavioral2