nanocore | 2378091915eb66b1129dd49b41bf71b66983136a629fe5d8f4602120041ecf10 | Triage

Sharing

General

Target

XtasyExecutor.exe
Size

203KB
Sample

241217-vklfhstrbj
MD5

ad66fa62ecf3176d68c0d2f5893418da
SHA1

944507be4ebf28f41d641626ac1497aadc3e0a2f
SHA256

2378091915eb66b1129dd49b41bf71b66983136a629fe5d8f4602120041ecf10
SHA512

d1905e0dc6421bcd81e05dcea9d7a0b6fb23fe457f11972667c8c2bd59d593302bcdc74bc09f49b60af512e5602b050dfe11cc98e18c20e27b4fdb3b170ec7de
SSDEEP

3072:gzEqV6B1jHa6dtJ10jgvzcgi+oG/j9iaMP2s/HIqcIx3O8QjioFn2EryTRJahUB8:gLV6Bta6dtJmakIM5ELiCcdByU0

Score

10^/10

nanocore discovery evasion keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

science-attract.gl.at.ply.gg:13548

127.0.0.1:13548

Mutex

4f599da9-6883-4b9c-a525-35ea19fc6900

Attributes

activate_away_mode
true
backup_connection_host
127.0.0.1
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2024-09-28T18:38:03.923767736Z
bypass_user_account_control
true
bypass_user_account_control_data
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
13548
default_group
Ranso
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
true
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
4f599da9-6883-4b9c-a525-35ea19fc6900
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
science-attract.gl.at.ply.gg
primary_dns_server
8.8.8.8
request_elevation
false
restart_delay
4976
run_delay
0
run_on_startup
false
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Targets

- Target
  
  XtasyExecutor.exe
- Size
  
  203KB
- MD5
  
  ad66fa62ecf3176d68c0d2f5893418da
- SHA1
  
  944507be4ebf28f41d641626ac1497aadc3e0a2f
- SHA256
  
  2378091915eb66b1129dd49b41bf71b66983136a629fe5d8f4602120041ecf10
- SHA512
  
  d1905e0dc6421bcd81e05dcea9d7a0b6fb23fe457f11972667c8c2bd59d593302bcdc74bc09f49b60af512e5602b050dfe11cc98e18c20e27b4fdb3b170ec7de
- SSDEEP
  
  3072:gzEqV6B1jHa6dtJ10jgvzcgi+oG/j9iaMP2s/HIqcIx3O8QjioFn2EryTRJahUB8:gLV6Bta6dtJmakIM5ELiCcdByU0
Score

10^/10

nanocore discovery evasion keylogger persistence spyware stealer trojan
- NanoCore
  NanoCore is a remote access tool (RAT) with a variety of capabilities.
  keylogger trojan stealer spyware nanocore
- Nanocore family
  nanocore
- Adds Run key to start application
  persistence
- Checks whether UAC is enabled
  evasion trojan
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

nanocorediscoveryevasionkeyloggerpersistencespywarestealertrojan

behavioral2

nanocorediscoveryevasionkeyloggerpersistencespywarestealertrojan