nanocore

Sharing

Copy URL

Twitter E-mail

General

Target

176d4937c923da9c203272c8c63f31c4_JaffaCakes118
Size

1.1MB
Sample

240728-txj8jssdnk
MD5

176d4937c923da9c203272c8c63f31c4
SHA1

fd5b5daefb8aba44ef3e1e956648d6b8c169b95f
SHA256

da201ffc0d2161af67b002baae479ebd1611711dc776bb22cdf5d158492a725c
SHA512

c9dd92dfd727a51f4f702d33fb98e7c4b51d72d5601e3211d33b4c4aa712c7e3797c096b0d5b3a7ea88de58edbbd41caca1e2ee6028eea28f7bfe18579d1d650
SSDEEP

24576:5CcoJRcEGSFMZx+oZHjA5NzV7hoHTjI0lcB7LuCveAPRRMni9:5doJRclSFMLrHEzV7SzjeP3PzMnS

Score

10^/10

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

91.193.75.137:1985

127.0.0.1:1985

Mutex

19426eaa-6a92-4000-9b7d-c230931787b5

Attributes

activate_away_mode
true
backup_connection_host
127.0.0.1
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2019-12-17T16:31:46.099763536Z
bypass_user_account_control
false
bypass_user_account_control_data
PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTE2Ij8+DQo8VGFzayB2ZXJzaW9uPSIxLjIiIHhtbG5zPSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dpbmRvd3MvMjAwNC8wMi9taXQvdGFzayI+DQogIDxSZWdpc3RyYXRpb25JbmZvIC8+DQogIDxUcmlnZ2VycyAvPg0KICA8UHJpbmNpcGFscz4NCiAgICA8UHJpbmNpcGFsIGlkPSJBdXRob3IiPg0KICAgICAgPExvZ29uVHlwZT5JbnRlcmFjdGl2ZVRva2VuPC9Mb2dvblR5cGU+DQogICAgICA8UnVuTGV2ZWw+SGlnaGVzdEF2YWlsYWJsZTwvUnVuTGV2ZWw+DQogICAgPC9QcmluY2lwYWw+DQogIDwvUHJpbmNpcGFscz4NCiAgPFNldHRpbmdzPg0KICAgIDxNdWx0aXBsZUluc3RhbmNlc1BvbGljeT5QYXJhbGxlbDwvTXVsdGlwbGVJbnN0YW5jZXNQb2xpY3k+DQogICAgPERpc2FsbG93U3RhcnRJZk9uQmF0dGVyaWVzPmZhbHNlPC9EaXNhbGxvd1N0YXJ0SWZPbkJhdHRlcmllcz4NCiAgICA8U3RvcElmR29pbmdPbkJhdHRlcmllcz5mYWxzZTwvU3RvcElmR29pbmdPbkJhdHRlcmllcz4NCiAgICA8QWxsb3dIYXJkVGVybWluYXRlPnRydWU8L0FsbG93SGFyZFRlcm1pbmF0ZT4NCiAgICA8U3RhcnRXaGVuQXZhaWxhYmxlPmZhbHNlPC9TdGFydFdoZW5BdmFpbGFibGU+DQogICAgPFJ1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+ZmFsc2U8L1J1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+DQogICAgPElkbGVTZXR0aW5ncz4NCiAgICAgIDxTdG9wT25JZGxlRW5kPmZhbHNlPC9TdG9wT25JZGxlRW5kPg0KICAgICAgPFJlc3RhcnRPbklkbGU+ZmFsc2U8L1Jlc3RhcnRPbklkbGU+DQogICAgPC9JZGxlU2V0dGluZ3M+DQogICAgPEFsbG93U3RhcnRPbkRlbWFuZD50cnVlPC9BbGxvd1N0YXJ0T25EZW1hbmQ+DQogICAgPEVuYWJsZWQ+dHJ1ZTwvRW5hYmxlZD4NCiAgICA8SGlkZGVuPmZhbHNlPC9IaWRkZW4+DQogICAgPFJ1bk9ubHlJZklkbGU+ZmFsc2U8L1J1bk9ubHlJZklkbGU+DQogICAgPFdha2VUb1J1bj5mYWxzZTwvV2FrZVRvUnVuPg0KICAgIDxFeGVjdXRpb25UaW1lTGltaXQ+UFQwUzwvRXhlY3V0aW9uVGltZUxpbWl0Pg0KICAgIDxQcmlvcml0eT40PC9Qcmlvcml0eT4NCiAgPC9TZXR0aW5ncz4NCiAgPEFjdGlvbnMgQ29udGV4dD0iQXV0aG9yIj4NCiAgICA8RXhlYz4NCiAgICAgIDxDb21tYW5kPiIjRVhFQ1VUQUJMRVBBVEgiPC9Db21tYW5kPg0KICAgICAgPEFyZ3VtZW50cz4kKEFyZzApPC9Bcmd1bWVudHM+DQogICAgPC9FeGVjPg0KICA8L0FjdGlvbnM+DQo8L1Rhc2s+
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
1985
default_group
RABBIT
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
19426eaa-6a92-4000-9b7d-c230931787b5
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
91.193.75.137
primary_dns_server
8.8.8.8
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
false
set_critical_process
false
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Targets

- Target
  
  COVID-19 VACCINE.exe
- Size
  
  1.6MB
- MD5
  
  1dd2a20c6bf6ec3293a65c07c40877ec
- SHA1
  
  1ea52e76298dcda0d16edd6e4911e88f27fc6c9f
- SHA256
  
  64f61dd41ec3a411e647f6371b8500666db3c96cc57a8cb0c16d47cceaf12aa9
- SHA512
  
  bd6ae34222ca5d16afd3b3aa67073af5667fbe17794b724e2c3b61ff808e8c3a5fa78ca7147e717c0fa5f095c43ed4a1661ea17def9cd9d2e5473feb8590169d
- SSDEEP
  
  24576:mCdxte/80jYLT3U1jfsWavxc1ztEmbyL+Ai0fCyVexTjDsA5hcw/jMhpyWxh2tQ:Pw80cTsjkWavSVWPbi0tEAszj0pyIx
Score

10^/10

nanocore discovery keylogger persistence spyware stealer trojan
- NanoCore
  NanoCore is a remote access tool (RAT) with a variety of capabilities.
  keylogger trojan stealer spyware nanocore
- Drops startup file
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2