nanocore

General

Target

JaffaCakes118_f70d508424598e71e6fe5eb5bb67b24b103b6367b3e55f550f53ea313f5bc30a
Size

1.8MB
Sample

241227-a9wybsxkel
MD5

4a54610f0b221bd4d6969171cfbe3b20
SHA1

d832b0e15a91a75fc32b8172e11bad2b8c0441fe
SHA256

f70d508424598e71e6fe5eb5bb67b24b103b6367b3e55f550f53ea313f5bc30a
SHA512

ed180a2abc5a85ccfcfa456d3e7037c67f3c675e4875f78b91261c618aaf365f0e70916185fecb15b9b8f650d80e2219095b6c1f9ddd11cb490cd798eeb3f60d
SSDEEP

49152:ExGLl0hl6u4uJUNDFuGM8SGp/LeTxenTuR7dkjMZ:up6ru4ZuD895etssfZ

Score

10^/10

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

rambolastblood.ddns.net:6327

Attributes

audio_folder
MicRecords
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
vlc.exe
copy_folder
vlc
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
true
install_path
%AppData%
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
keylog_path
%AppData%
mouse_option
false
mutex
vlc-63SQWS
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
vlc
take_screenshot_option
false
take_screenshot_time
5
take_screenshot_title
notepad;solitaire;

Extracted

Family

nanocore

Version

1.2.2.0

C2

nomansland.ddns.net:6122

Mutex

57ed101c-9ee2-41fa-87c0-8c37db84ae48

Attributes

activate_away_mode
true
backup_connection_host
nomansland.ddns.net
backup_dns_server
84.200.70.40
buffer_size
65535
build_time
2021-10-28T20:30:32.778373036Z
bypass_user_account_control
true
bypass_user_account_control_data
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
6122
default_group
Fula
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
57ed101c-9ee2-41fa-87c0-8c37db84ae48
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
primary_dns_server
84.200.69.80
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
false
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Targets

- Target
  
  CONTRACT PDF.exe
- Size
  
  1.3MB
- MD5
  
  aea6e429dd8151e74d29dfb36a13f55f
- SHA1
  
  01d7b201aa1e353696538b85b4a034dcf4b5ab7f
- SHA256
  
  17c9fb1651af031a1e7cba7f36b7de364695ee974cfaf784b3d63346b9dc34f4
- SHA512
  
  ee332daf7a6861b5d6edd29bd16f59c2b0337a8cc611892df2df025ac8120884d95d802c9eb0bf394f21944b2679e53d5b3edd17688badb56169e12ae1ff12f0
- SSDEEP
  
  24576:AH+rre+7KSXkLs5SbzuUDY/RvaIjiuTVKTCkszir:Z/h7K4SdzBDaJaIjiqQs
Score

10^/10

remcos remotehost discovery persistence rat
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Remcos family
  remcos
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2
- Target
  
  INVOICE 3 PDF.exe
- Size
  
  1.0MB
- MD5
  
  d87d7f6be88880706139d5e6f0c0f7f9
- SHA1
  
  87216afc35387e772ad0ae64345bbdefcac0a20d
- SHA256
  
  f5bcd2fd2900aa6fa196430500420438ebe1016aa58e5c8d4c68fdc1d37f48ad
- SHA512
  
  03e174545c164cba75309f92927fe01550f320baa34f841a816c2516baa107e1836e12877bd4cc953b81b46a355537ade0f5c0bf5cbb99ff392eafe852be70a1
- SSDEEP
  
  24576:pD4V6LzjOqCvxK6p7r+0ZgFcsc2vbMJ8w8H:p0VDnvxnp3+0Zg1Bwq
Score

10^/10

nanocore discovery keylogger persistence spyware stealer trojan
- NanoCore
  NanoCore is a remote access tool (RAT) with a variety of capabilities.
  keylogger trojan stealer spyware nanocore
- Nanocore family
  nanocore
- Unexpected DNS network traffic destination
  Network traffic to other servers than the configured DNS servers was detected on the DNS port.
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral3 behavioral4