nanocore

Sharing

Copy URL

Twitter E-mail

General

Target

3b4ee472d9c872ba1d96b7a676e809ba.bin
Size

507KB
Sample

241027-bgvp8ssemr
MD5

afa42895dae20d3ac09f8feff0b8bf92
SHA1

d7958a4642459abf78f5231a9a32660add5bf60a
SHA256

dd6f996045b081a9ef5e93ed779ca05b2e84e7a96e4c93859e1d79c878713689
SHA512

818813cebd45485da13118a368340359a14a52d0f9b59ae08e0d87fc8eb56916667442efe29193aac9b472c1297de94e3ebaf16d8274a9e1ea28822aedc31ea5
SSDEEP

12288:qVV+czkRJ2RHa99rJKv3nOd61QMoaytvC+nmZnwCHkF/mfOvpF3aJpZpkYm:qVVrIRwRHa38/BQMVytvN/CHv4ptGfm

Score

10^/10

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

josh289232.duckdns.org:1608

Mutex

eb61e2ce-2d81-45ac-8d80-3083f0def8b6

Attributes

activate_away_mode
false
backup_connection_host
backup_dns_server
1.0.0.1
buffer_size
65538
build_time
2024-08-01T21:58:30.513071036Z
bypass_user_account_control
true
bypass_user_account_control_data
PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTE2Ij8+DQo8VGFzayB2ZXJzaW9uPSIxLjIiIHhtbG5zPSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dpbmRvd3MvMjAwNC8wMi9taXQvdGFzayI+DQogIDxSZWdpc3RyYXRpb25JbmZvIC8+DQogIDxUcmlnZ2VycyAvPg0KICA8UHJpbmNpcGFscz4NCiAgICA8UHJpbmNpcGFsIGlkPSJBdXRob3IiPg0KICAgICAgPExvZ29uVHlwZT5JbnRlcmFjdGl2ZVRva2VuPC9Mb2dvblR5cGU+DQogICAgICA8UnVuTGV2ZWw+SGlnaGVzdEF2YWlsYWJsZTwvUnVuTGV2ZWw+DQogICAgPC9QcmluY2lwYWw+DQogIDwvUHJpbmNpcGFscz4NCiAgPFNldHRpbmdzPg0KICAgIDxNdWx0aXBsZUluc3RhbmNlc1BvbGljeT5QYXJhbGxlbDwvTXVsdGlwbGVJbnN0YW5jZXNQb2xpY3k+DQogICAgPERpc2FsbG93U3RhcnRJZk9uQmF0dGVyaWVzPmZhbHNlPC9EaXNhbGxvd1N0YXJ0SWZPbkJhdHRlcmllcz4NCiAgICA8U3RvcElmR29pbmdPbkJhdHRlcmllcz5mYWxzZTwvU3RvcElmR29pbmdPbkJhdHRlcmllcz4NCiAgICA8QWxsb3dIYXJkVGVybWluYXRlPnRydWU8L0FsbG93SGFyZFRlcm1pbmF0ZT4NCiAgICA8U3RhcnRXaGVuQXZhaWxhYmxlPmZhbHNlPC9TdGFydFdoZW5BdmFpbGFibGU+DQogICAgPFJ1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+ZmFsc2U8L1J1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+DQogICAgPElkbGVTZXR0aW5ncz4NCiAgICAgIDxTdG9wT25JZGxlRW5kPmZhbHNlPC9TdG9wT25JZGxlRW5kPg0KICAgICAgPFJlc3RhcnRPbklkbGU+ZmFsc2U8L1Jlc3RhcnRPbklkbGU+DQogICAgPC9JZGxlU2V0dGluZ3M+DQogICAgPEFsbG93U3RhcnRPbkRlbWFuZD50cnVlPC9BbGxvd1N0YXJ0T25EZW1hbmQ+DQogICAgPEVuYWJsZWQ+dHJ1ZTwvRW5hYmxlZD4NCiAgICA8SGlkZGVuPmZhbHNlPC9IaWRkZW4+DQogICAgPFJ1bk9ubHlJZklkbGU+ZmFsc2U8L1J1bk9ubHlJZklkbGU+DQogICAgPFdha2VUb1J1bj5mYWxzZTwvV2FrZVRvUnVuPg0KICAgIDxFeGVjdXRpb25UaW1lTGltaXQ+UFQwUzwvRXhlY3V0aW9uVGltZUxpbWl0Pg0KICAgIDxQcmlvcml0eT40PC9Qcmlvcml0eT4NCiAgPC9TZXR0aW5ncz4NCiAgPEFjdGlvbnMgQ29udGV4dD0iQXV0aG9yIj4NCiAgICA8RXhlYz4NCiAgICAgIDxDb21tYW5kPiIjRVhFQ1VUQUJMRVBBVEgiPC9Db21tYW5kPg0KICAgICAgPEFyZ3VtZW50cz4kKEFyZzApPC9Bcmd1bWVudHM+DQogICAgPC9FeGVjPg0KICA8L0FjdGlvbnM+DQo8L1Rhc2s+
clear_access_control
false
clear_zone_identifier
false
connect_delay
4000
connection_port
1608
default_group
Default
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
29985
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
eb61e2ce-2d81-45ac-8d80-3083f0def8b6
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
josh289232.duckdns.org
primary_dns_server
1.1.1.1
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
false
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8006

Targets

- Target
  
  a317bcadef76feec57223d92244a322eb4409990808a7bab96cc929fbc4a7164.exe
- Size
  
  553KB
- MD5
  
  3b4ee472d9c872ba1d96b7a676e809ba
- SHA1
  
  33186a216fe8a37a993f42477b8f813a56ba5f09
- SHA256
  
  a317bcadef76feec57223d92244a322eb4409990808a7bab96cc929fbc4a7164
- SHA512
  
  22d93c0656d9ebb8f0e33497e2d02ecf8a9f160fff07620f0dfbd022b8449b99ae3d5dccb3d2f65f555d99415489bfcc4856eba3d87c2158c68c3922216e4985
- SSDEEP
  
  12288:iLV6BtpmkjDwb1bL/mZyysVSX/GFFcEvz20Q3CE+A2whXXAo2RB:AApfy16yDSOzFvz20A7lXqB
Score

10^/10

nanocore discovery evasion keylogger persistence spyware stealer trojan
- NanoCore
  NanoCore is a remote access tool (RAT) with a variety of capabilities.
  keylogger trojan stealer spyware nanocore
- Nanocore family
  nanocore
- Unexpected DNS network traffic destination
  Network traffic to other servers than the configured DNS servers was detected on the DNS port.
- Adds Run key to start application
  persistence
- Checks whether UAC is enabled
  evasion trojan
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Nanocore family

Unexpected DNS network traffic destination

Adds Run key to start application

Checks whether UAC is enabled

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2