nanocore

Sharing

Copy URL

Twitter E-mail

General

Target

2D5B4052BA6E888D0A2E8B044BC04651.exe
Size

452KB
Sample

240731-t1cymsshmq
MD5

2d5b4052ba6e888d0a2e8b044bc04651
SHA1

7c23a7ea336ceb57d3c9d43b38b5d7e6b2265443
SHA256

c00ff750da6d963181a49a76e0ec0c39bd58fa6f8926227543c3d65246ac4a17
SHA512

2fa5f0a2dd0d0f13a258aa97a96195b4f63441a79a3d60edf96684ee3c09525e783ea4c28629982420121a6d23099099c76075559fb3d0a86f8e2aa8d91ab5ed
SSDEEP

12288:8LV6BtpmkAuJO+CCSswmAf9CoPhxLz5zACZZ0d:OApfA7+XVwDY0hxLz5sCn0d

Score

10^/10

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

6.tcp.eu.ngrok.io:13201

Mutex

3425541e-8f39-4854-8b6f-412dbeb4c734

Attributes

activate_away_mode
false
backup_connection_host
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2024-05-08T00:05:25.716690236Z
bypass_user_account_control
false
bypass_user_account_control_data
PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTE2Ij8+DQo8VGFzayB2ZXJzaW9uPSIxLjIiIHhtbG5zPSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dpbmRvd3MvMjAwNC8wMi9taXQvdGFzayI+DQogIDxSZWdpc3RyYXRpb25JbmZvIC8+DQogIDxUcmlnZ2VycyAvPg0KICA8UHJpbmNpcGFscz4NCiAgICA8UHJpbmNpcGFsIGlkPSJBdXRob3IiPg0KICAgICAgPExvZ29uVHlwZT5JbnRlcmFjdGl2ZVRva2VuPC9Mb2dvblR5cGU+DQogICAgICA8UnVuTGV2ZWw+SGlnaGVzdEF2YWlsYWJsZTwvUnVuTGV2ZWw+DQogICAgPC9QcmluY2lwYWw+DQogIDwvUHJpbmNpcGFscz4NCiAgPFNldHRpbmdzPg0KICAgIDxNdWx0aXBsZUluc3RhbmNlc1BvbGljeT5QYXJhbGxlbDwvTXVsdGlwbGVJbnN0YW5jZXNQb2xpY3k+DQogICAgPERpc2FsbG93U3RhcnRJZk9uQmF0dGVyaWVzPmZhbHNlPC9EaXNhbGxvd1N0YXJ0SWZPbkJhdHRlcmllcz4NCiAgICA8U3RvcElmR29pbmdPbkJhdHRlcmllcz5mYWxzZTwvU3RvcElmR29pbmdPbkJhdHRlcmllcz4NCiAgICA8QWxsb3dIYXJkVGVybWluYXRlPnRydWU8L0FsbG93SGFyZFRlcm1pbmF0ZT4NCiAgICA8U3RhcnRXaGVuQXZhaWxhYmxlPmZhbHNlPC9TdGFydFdoZW5BdmFpbGFibGU+DQogICAgPFJ1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+ZmFsc2U8L1J1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+DQogICAgPElkbGVTZXR0aW5ncz4NCiAgICAgIDxTdG9wT25JZGxlRW5kPmZhbHNlPC9TdG9wT25JZGxlRW5kPg0KICAgICAgPFJlc3RhcnRPbklkbGU+ZmFsc2U8L1Jlc3RhcnRPbklkbGU+DQogICAgPC9JZGxlU2V0dGluZ3M+DQogICAgPEFsbG93U3RhcnRPbkRlbWFuZD50cnVlPC9BbGxvd1N0YXJ0T25EZW1hbmQ+DQogICAgPEVuYWJsZWQ+dHJ1ZTwvRW5hYmxlZD4NCiAgICA8SGlkZGVuPmZhbHNlPC9IaWRkZW4+DQogICAgPFJ1bk9ubHlJZklkbGU+ZmFsc2U8L1J1bk9ubHlJZklkbGU+DQogICAgPFdha2VUb1J1bj5mYWxzZTwvV2FrZVRvUnVuPg0KICAgIDxFeGVjdXRpb25UaW1lTGltaXQ+UFQwUzwvRXhlY3V0aW9uVGltZUxpbWl0Pg0KICAgIDxQcmlvcml0eT40PC9Qcmlvcml0eT4NCiAgPC9TZXR0aW5ncz4NCiAgPEFjdGlvbnMgQ29udGV4dD0iQXV0aG9yIj4NCiAgICA8RXhlYz4NCiAgICAgIDxDb21tYW5kPiIjRVhFQ1VUQUJMRVBBVEgiPC9Db21tYW5kPg0KICAgICAgPEFyZ3VtZW50cz4kKEFyZzApPC9Bcmd1bWVudHM+DQogICAgPC9FeGVjPg0KICA8L0FjdGlvbnM+DQo8L1Rhc2s+
clear_access_control
false
clear_zone_identifier
false
connect_delay
4000
connection_port
13201
default_group
Default
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
3425541e-8f39-4854-8b6f-412dbeb4c734
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
6.tcp.eu.ngrok.io
primary_dns_server
8.8.8.8
request_elevation
false
restart_delay
5000
run_delay
0
run_on_startup
false
set_critical_process
false
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Targets

- Target
  
  2D5B4052BA6E888D0A2E8B044BC04651.exe
- Size
  
  452KB
- MD5
  
  2d5b4052ba6e888d0a2e8b044bc04651
- SHA1
  
  7c23a7ea336ceb57d3c9d43b38b5d7e6b2265443
- SHA256
  
  c00ff750da6d963181a49a76e0ec0c39bd58fa6f8926227543c3d65246ac4a17
- SHA512
  
  2fa5f0a2dd0d0f13a258aa97a96195b4f63441a79a3d60edf96684ee3c09525e783ea4c28629982420121a6d23099099c76075559fb3d0a86f8e2aa8d91ab5ed
- SSDEEP
  
  12288:8LV6BtpmkAuJO+CCSswmAf9CoPhxLz5zACZZ0d:OApfA7+XVwDY0hxLz5sCn0d
Score

10^/10

nanocore discovery evasion keylogger persistence spyware stealer trojan
- NanoCore
  NanoCore is a remote access tool (RAT) with a variety of capabilities.
  keylogger trojan stealer spyware nanocore
- Adds Run key to start application
  persistence
- Checks whether UAC is enabled
  evasion trojan
- Legitimate hosting services abused for malware hosting/C2
behavioral1 behavioral2