nanocore | 0bbff62a45fc9776575ed143af2d7db332e2781d7e3de56eb3ff48c25d0c7b46 | Triage

Sharing

General

Target

Sigmanly_0bbff62a45fc9776575ed143af2d7db332e2781d7e3de56eb3ff48c25d0c7b46
Size

203KB
Sample

250204-k9g5aasla1
MD5

18b476d37244cb0b435d7b06912e9193
SHA1

9ccc7e5cc915e0ed3d1158328e56b50f4da694e2
SHA256

0bbff62a45fc9776575ed143af2d7db332e2781d7e3de56eb3ff48c25d0c7b46
SHA512

5011ffc0328a27befb4407a4634d87bc8459b7513eb8d42d267349f5c45dc35f53e8dad6bf53689531124d3d95cca5d646bfceb1693aafa3a766c3b3243c3eda
SSDEEP

6144:wLV6Bta6dtJmakIM5GHPDSL6YFj8qOCQE:wLV6BtpmklPbIj8qOC5

Score

10^/10

nanocore defense_evasion discovery keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

simpletest.ddns.net:9632

Mutex

cb982fc1-ab48-4ef3-9957-4df972fbdda2

Attributes

activate_away_mode
false
backup_connection_host
simpletest.ddns.net
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2020-01-22T18:38:59.323884736Z
bypass_user_account_control
true
bypass_user_account_control_data
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
9632
default_group
winscp
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
cb982fc1-ab48-4ef3-9957-4df972fbdda2
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
simpletest.ddns.net
primary_dns_server
8.8.8.8
request_elevation
false
restart_delay
5000
run_delay
0
run_on_startup
false
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Targets

- Target
  
  Sigmanly_0bbff62a45fc9776575ed143af2d7db332e2781d7e3de56eb3ff48c25d0c7b46
- Size
  
  203KB
- MD5
  
  18b476d37244cb0b435d7b06912e9193
- SHA1
  
  9ccc7e5cc915e0ed3d1158328e56b50f4da694e2
- SHA256
  
  0bbff62a45fc9776575ed143af2d7db332e2781d7e3de56eb3ff48c25d0c7b46
- SHA512
  
  5011ffc0328a27befb4407a4634d87bc8459b7513eb8d42d267349f5c45dc35f53e8dad6bf53689531124d3d95cca5d646bfceb1693aafa3a766c3b3243c3eda
- SSDEEP
  
  6144:wLV6Bta6dtJmakIM5GHPDSL6YFj8qOCQE:wLV6BtpmklPbIj8qOC5
Score

10^/10

nanocore defense_evasion discovery keylogger persistence spyware stealer trojan
- NanoCore
  NanoCore is a remote access tool (RAT) with a variety of capabilities.
  keylogger trojan stealer spyware nanocore
- Nanocore family
  nanocore
- Adds Run key to start application
  persistence
- Checks whether UAC is enabled
  defense_evasion trojan
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

nanocoredefense_evasiondiscoverykeyloggerpersistencespywarestealertrojan

behavioral2

nanocoredefense_evasiondiscoverykeyloggerpersistencespywarestealertrojan