nanocore | 785a0ef948a03ad85db1d57fb20d2f45de28327fb3495dd123daeac057b51982 | Triage

Sharing

General

Target

xcy.exe
Size

325KB
Sample

240805-wdw44sxbrh
MD5

dca7acf1bb4a1a0d836d749921b7b265
SHA1

fc6f60fc98377d8901fa9a35d4457c8f4dfb152a
SHA256

785a0ef948a03ad85db1d57fb20d2f45de28327fb3495dd123daeac057b51982
SHA512

945ff619d69e3a508e9ba7a4d77ecbbed34e906c9222852e2afd479234b3150c81f084a7cd42b081c52edf6e09e7871f9dc52face1bfad32317bbd3442d8efa6
SSDEEP

6144:WLV6Bta6dtJmakIM5DXINTT8LgAFAl7R9urSxxV2Pvj3Y+w5A6:WLV6BtpmkbT2GRn2PvTk

Score

10^/10

nanocore discovery evasion keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

axodnsfasters.duckdns.org:54984

axolotelgamar30.duckdns.org:54984

Mutex

1cea877e-8cb0-4bc6-a0c0-6d6bb43791cf

Attributes

activate_away_mode
true
backup_connection_host
axolotelgamar30.duckdns.org
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2024-05-04T13:58:09.640880336Z
bypass_user_account_control
true
bypass_user_account_control_data
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
54984
default_group
Default
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
1cea877e-8cb0-4bc6-a0c0-6d6bb43791cf
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
axodnsfasters.duckdns.org
primary_dns_server
8.8.8.8
request_elevation
false
restart_delay
5000
run_delay
0
run_on_startup
false
set_critical_process
false
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Targets

- Target
  
  xcy.exe
- Size
  
  325KB
- MD5
  
  dca7acf1bb4a1a0d836d749921b7b265
- SHA1
  
  fc6f60fc98377d8901fa9a35d4457c8f4dfb152a
- SHA256
  
  785a0ef948a03ad85db1d57fb20d2f45de28327fb3495dd123daeac057b51982
- SHA512
  
  945ff619d69e3a508e9ba7a4d77ecbbed34e906c9222852e2afd479234b3150c81f084a7cd42b081c52edf6e09e7871f9dc52face1bfad32317bbd3442d8efa6
- SSDEEP
  
  6144:WLV6Bta6dtJmakIM5DXINTT8LgAFAl7R9urSxxV2Pvj3Y+w5A6:WLV6BtpmkbT2GRn2PvTk
Score

10^/10

nanocore discovery evasion keylogger persistence spyware stealer trojan
- NanoCore
  NanoCore is a remote access tool (RAT) with a variety of capabilities.
  keylogger trojan stealer spyware nanocore
- Adds Run key to start application
  persistence
- Checks whether UAC is enabled
  evasion trojan
behavioral1

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

nanocorediscoveryevasionkeyloggerpersistencespywarestealertrojan