nanocore

Sharing

Copy URL

Twitter E-mail

General

Target

Imminent.Monitor.4.1RATCompleteSetup.rar
Size

11.7MB
Sample

241202-skdpkavlbk
MD5

82e330c2b3f20a2de6f2f4a2b64c29b7
SHA1

4653a261fdac0ef104b1a7d9dfb93e25e594159a
SHA256

83f236697e7b0dfcee1ce446703941574e7c292fea304afdb3613d7c5141f17d
SHA512

73372322364aee628fc4089950602a8b3ed5b749f7739df2727df8867a145fb75608b95f98e7a740111de5da37455bcf9f476b8f89a490a4750cf4a7d03167a5
SSDEEP

196608:JXkCEHUrw55FD7Rkadk0iZE4t8jP12sJhEmXHk3g27CwEVDg72jzA3VVkims:aCE2yP7RkadkO4t8TktHvCb7jzcVVkif

Score

10^/10

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

haxorbaba.duckdns.org:1604

Mutex

68d0d384-24c7-4c4a-b00a-25fe172797c1

Attributes

activate_away_mode
true
backup_connection_host
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2016-05-25T14:42:31.650976636Z
bypass_user_account_control
false
bypass_user_account_control_data
PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTE2Ij8+DQo8VGFzayB2ZXJzaW9uPSIxLjIiIHhtbG5zPSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dpbmRvd3MvMjAwNC8wMi9taXQvdGFzayI+DQogIDxSZWdpc3RyYXRpb25JbmZvIC8+DQogIDxUcmlnZ2VycyAvPg0KICA8UHJpbmNpcGFscz4NCiAgICA8UHJpbmNpcGFsIGlkPSJBdXRob3IiPg0KICAgICAgPExvZ29uVHlwZT5JbnRlcmFjdGl2ZVRva2VuPC9Mb2dvblR5cGU+DQogICAgICA8UnVuTGV2ZWw+SGlnaGVzdEF2YWlsYWJsZTwvUnVuTGV2ZWw+DQogICAgPC9QcmluY2lwYWw+DQogIDwvUHJpbmNpcGFscz4NCiAgPFNldHRpbmdzPg0KICAgIDxNdWx0aXBsZUluc3RhbmNlc1BvbGljeT5QYXJhbGxlbDwvTXVsdGlwbGVJbnN0YW5jZXNQb2xpY3k+DQogICAgPERpc2FsbG93U3RhcnRJZk9uQmF0dGVyaWVzPmZhbHNlPC9EaXNhbGxvd1N0YXJ0SWZPbkJhdHRlcmllcz4NCiAgICA8U3RvcElmR29pbmdPbkJhdHRlcmllcz5mYWxzZTwvU3RvcElmR29pbmdPbkJhdHRlcmllcz4NCiAgICA8QWxsb3dIYXJkVGVybWluYXRlPnRydWU8L0FsbG93SGFyZFRlcm1pbmF0ZT4NCiAgICA8U3RhcnRXaGVuQXZhaWxhYmxlPmZhbHNlPC9TdGFydFdoZW5BdmFpbGFibGU+DQogICAgPFJ1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+ZmFsc2U8L1J1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+DQogICAgPElkbGVTZXR0aW5ncz4NCiAgICAgIDxTdG9wT25JZGxlRW5kPmZhbHNlPC9TdG9wT25JZGxlRW5kPg0KICAgICAgPFJlc3RhcnRPbklkbGU+ZmFsc2U8L1Jlc3RhcnRPbklkbGU+DQogICAgPC9JZGxlU2V0dGluZ3M+DQogICAgPEFsbG93U3RhcnRPbkRlbWFuZD50cnVlPC9BbGxvd1N0YXJ0T25EZW1hbmQ+DQogICAgPEVuYWJsZWQ+dHJ1ZTwvRW5hYmxlZD4NCiAgICA8SGlkZGVuPmZhbHNlPC9IaWRkZW4+DQogICAgPFJ1bk9ubHlJZklkbGU+ZmFsc2U8L1J1bk9ubHlJZklkbGU+DQogICAgPFdha2VUb1J1bj5mYWxzZTwvV2FrZVRvUnVuPg0KICAgIDxFeGVjdXRpb25UaW1lTGltaXQ+UFQwUzwvRXhlY3V0aW9uVGltZUxpbWl0Pg0KICAgIDxQcmlvcml0eT40PC9Qcmlvcml0eT4NCiAgPC9TZXR0aW5ncz4NCiAgPEFjdGlvbnMgQ29udGV4dD0iQXV0aG9yIj4NCiAgICA8RXhlYz4NCiAgICAgIDxDb21tYW5kPiIjRVhFQ1VUQUJMRVBBVEgiPC9Db21tYW5kPg0KICAgICAgPEFyZ3VtZW50cz4kKEFyZzApPC9Bcmd1bWVudHM+DQogICAgPC9FeGVjPg0KICA8L0FjdGlvbnM+DQo8L1Rhc2s+
clear_access_control
true
clear_zone_identifier
false
connect_delay
3994
connection_port
1604
default_group
Default
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
68d0d384-24c7-4c4a-b00a-25fe172797c1
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
haxorbaba.duckdns.org
primary_dns_server
8.8.8.8
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
false
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Targets

- Target
  
  Imminent.Monitor.4.1 RAT Complete Setup By Shozab Haxor/Imminent.Monitor.4.1/How To Open Port All Tutorial.url
- Size
  
  96B
- MD5
  
  e6e103fb45cbe55836826bc3410efcc0
- SHA1
  
  ff589e9f655d3368571562711b954f301615d457
- SHA256
  
  99e7a2772fa7b583be865188c49e15d8294569d820bb29be95cee538a6a5f494
- SHA512
  
  d41fa5eb682f9c2a1eddcac0a79cdda9f7228b9080c843ce5e7aa1ef027f8c773733faa471e44ca76a37e405d5488c29f34e1785f149115bd65f01fb3b52acb7
Score

1^/10
behavioral1 behavioral2
- Target
  
  Imminent.Monitor.4.1 RAT Complete Setup By Shozab Haxor/Imminent.Monitor.4.1/How To Setup a Rat.url
- Size
  
  96B
- MD5
  
  8d61646db59cc7460b40bc79001a40a1
- SHA1
  
  e43cdfb3d27a0cb4b4532053c27810abf06d415e
- SHA256
  
  c5d1bc7427609e082195ad8db57c9b35b274e3df63a92d78917334425730d1e7
- SHA512
  
  9eef7dcaa96a52d52caff6b9709f8377437ff201e976761eec8c35669f946ef111d7da9528c8f253f469969513e4ec5e6a5d0b861665254a6564f8c2d85d9f99
Score

1^/10
behavioral3 behavioral4
- Target
  
  Imminent.Monitor.4.1 RAT Complete Setup By Shozab Haxor/Imminent.Monitor.4.1/Setup.exe
- Size
  
  11.7MB
- MD5
  
  c13eaea9f5401998054cd90d3522732d
- SHA1
  
  5f227077d8b533892a7cba05ae6cbe112ce51d13
- SHA256
  
  0119abb16b47b36c9497b835ed305fa8344d2d7c8d663eb65ec522bfa2588ae9
- SHA512
  
  4c1d47ec5546879da086cc773d4338506da14392cb767f9c8a38968744016ed8bf4f5a81653c0ffc639690871fc44a446877d75bf85585266e864b1b93301ca3
- SSDEEP
  
  196608:UXkCEHUrw55FD7Rkadk0iZE4t8jP12sJhEmXHk3g27CwEVDg72jzA3VVkimp:nCE2yP7RkadkO4t8TktHvCb7jzcVVkiG
Score

10^/10

nanocore discovery evasion keylogger persistence spyware stealer trojan
- NanoCore
  NanoCore is a remote access tool (RAT) with a variety of capabilities.
  keylogger trojan stealer spyware nanocore
- Nanocore family
  nanocore
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Checks whether UAC is enabled
  evasion trojan
- Suspicious use of SetThreadContext
behavioral5 behavioral6
- Target
  
  Chrome.exe
- Size
  
  822KB
- MD5
  
  dfe9a9f1b8384990ac9b8f44c9305a9b
- SHA1
  
  2e1d01fe1920197aa484b98deba38d32c9cdcac0
- SHA256
  
  9bd6b2b7a07de015273594db5e1702fc25f7ef32c7e53db44845d0a6f3296ac5
- SHA512
  
  3d46375ae06808ba1ad3fd1c4796ca2da753f99fb02dca879b1c56c9e07cd950a684c6629551fa9d6cfbc86b619f6de2a4d97b5547397addf41f3ff8f7228e11
- SSDEEP
  
  12288:1X81XL3K8KysjJS+yeHMm9jA1Qcp8ujw6kVNZDXxVs4iP9ZoFD5Li46G:E+GesuiUNNkIFgpG
Score

10^/10

nanocore discovery evasion keylogger persistence spyware stealer trojan
- NanoCore
  NanoCore is a remote access tool (RAT) with a variety of capabilities.
  keylogger trojan stealer spyware nanocore
- Nanocore family
  nanocore
- Adds Run key to start application
  persistence
- Checks whether UAC is enabled
  evasion trojan
- Suspicious use of SetThreadContext
behavioral7 behavioral8
- Target
  
  Setup.exe
- Size
  
  11.5MB
- MD5
  
  6f529ca081fcbf4ee4b4631cc78be3d8
- SHA1
  
  de367aab8e3bebc6fdf7041657cf82ce7704d768
- SHA256
  
  124bd27a25853170760901c7269e3f0e4577f047810d28f4606fa75deee0f884
- SHA512
  
  1b011d422e222f4fc5ccec1c95a1633de1c23acde18fe0a701bf2df522cdd11323fe8d62eb97e914365f0ee6f2abb8960c78456d8533903a82085061340f8ba1
- SSDEEP
  
  196608:itAYiUfIyTlA59mtyy2FzvhSQcE+2R9571sGZB+NyKSb27WoGTD/ySpy2qTO6etR:xUf3iXm8y2Fzvhj+2R/5ZdGWRTDhqTxw
Score

6^/10

discovery
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
behavioral10 behavioral9