General

  • Target: NanoCore-master.zip
  • Size: 3.0MB
  • Sample: 250206-jvlcqaylbw
  • MD5: 4f1255d0e897c466f337d9707a55c218
  • SHA1: 69bbae2a275f5cf245f7537d7d62e0f941428f13
  • SHA256: 110c0ac80f4d6a7e73183cf5a98f83440943afe69abca9a572ca4a4e54de7d13
  • SHA512: 0bd0f4d536d215e5d73a1791399e91a0bc18182488df3e87ff29b66b9d6232b06b766582cb5e66723d7ddcd7b2593fc25eaddfa0aadbdd02d2a23ec4c366729b
  • SSDEEP: 98304:L8h9rAkOnVMgqSoj6sgZWAXgwgJR3Gt8eG4HYiGwZ:L8heJuj6T87R3w8eG4owZ

Malware Config

Extracted

  • Family: darkcomet
  • Botnet: IDMAN
  • C2: arrivals.ddns.net:2323
  • Mutex: DC_MUTEX-391X2ZJ

Attributes
  • InstallPath: MSDCSC\IDMAN.exe
  • gencode: CUWbhGwmWBMb
  • install: true
  • offline_keylogger: true
  • persistence: true
  • reg_key: IDMAN

Targets

    • Target: NanoCore-master/sample/ClientPlugin.dll
    • Size: 21KB
    • MD5: 76e5644095c157a93891a664c33b085a
    • SHA1: 16a09ce01e7fcc166bb5789a43e2e4573c80ed90
    • SHA256: 28aa78d701b161735c1da30e79076dcebe22eb3ec71215b7ab829cd1e2e38adc
    • SHA512: f593ca82bb547f599c75b600bfa1c36702eb23bf2eaa3dfed6f13ec07d79c60852a550696b55fc68855821db6db9f8e273e8206b8020fb8f7ed83328e6716c39
    • SSDEEP: 192:GLCmfMVf2kwrPVBnlYJL/ejZuNIiLTg5KR82SOs:GL10fIjUqjZObLTtRF
    • Score: 1/10

    • Target: NanoCore-master/sample/Interop.NATUPNPLib.dll
    • Size: 7KB
    • MD5: e4f5acee4d8e4f3cd6df4841d376ade0
    • SHA1: 122490a1b2332d81e22de3527ab9d4a8ea5244a6
    • SHA256: 181f36b1e5493821508124a09d7fb75461ca51f46309ba7fbd13a1e09b361198
    • SHA512: ad08cc5ca4984439962be9d587308b3145fa9c0f83279989639cbd93403136d9fde8d49b94dd718a42a7ec3502fa163e8ba18c6217de5a8b062054bab49796df
    • SSDEEP: 96:RFinj09TiY5IxaUsyKY05YgZsXFhcQkE8g8nIxqG0tVClW:7GEJIrKrYgZsvwVIiX
    • Score: 1/10

    • Target: NanoCore-master/sample/NanoCore Plugin Compiler.exe
    • Size: 65KB
    • MD5: 40357824e010a9d60b303a6f853a3b77
    • SHA1: febfc0e76a3df85992314b28ea2850f1c4a0f5e9
    • SHA256: 2208fb5b786fa319f0df50915e3b4b4153df47217953cf4b506ff5bd97f51034
    • SHA512: 69778a6bf7159d7f318a6a972d4c9ece4d54329ce1ae371bcc7b4f1bc4b3e7b6b597431d50660aa189487237caf1faed8cfeecd323efe0bb31a25d6d3042f4e1
    • SSDEEP: 768:3k2gUVMhZwDdgYgj+0x8zl6slof+Mq69EwXArbcEzbCumafN9aVqtgdv1:3DuZygWL5l2+MRquArbXDXfN9aVqg1
    • Score: 1/10

    • Target: NanoCore-master/sample/NanoCore.exe
    • Size: 1.1MB
    • MD5: e4aeb7b31d677a5a9a58a4762fab1321
    • SHA1: a5e7279b6d59236296031ff87976e33fbd8cf34d
    • SHA256: 1111f013a010a57a6739a8d4d0891728547cbbf80e45e77369a05d3423a28915
    • SHA512: 964dda5030a54493aeebb8b478a76ccd98456184224332e66d5b693d311c83da11c360355c8d73e539ebc7b6ed0d0d2e78f65eef0f75d48c64a63cf10411e1fa
    • SSDEEP: 24576:sdZ1xuVVjfFoynPaVBUR8f+kN10EBIQXiClSI5tIkjh:snQDgok30Edb
    • Darkcomet: DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
    • Darkcomet family
    • Modifies WinLogon for persistence
    • Modifies firewall policy service
    • Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
    • Executes dropped EXE
    • Adds Run key to start application


    • Target: NanoCore-master/sample/ServerPlugin.dll
    • Size: 25KB
    • MD5: 2b6e16f331b1977fd226acca6bae4eb5
    • SHA1: adf75d559c396ab4afde9ca1b836f68f2a5aaa33
    • SHA256: 7df18983ea711f35ca14531418ce6af859fb709bcde864921d23663b1cac018b
    • SHA512: 794f45f0db391caa8d927ae01c75b07f59f16946d44cd70f26b60e0d5fc8b0d974a3e14a3b05d0c0f4e0c53125867d0efd72f1c95ec3f25b41fbda1826909122
    • SSDEEP: 192:7LDfpnT8Q0k04MgikqXV4nlYJL/erNIbj9uuNfaLTGL+1khVTXUI:7LDfpT8jbIAbqh2j9jFaLTXmvXU
    • Score: 1/10

    • Target: NanoCore-master/sample/System.Data.SQLite.dll
    • Size: 256KB
    • MD5: dd3d6f00b1aba3f1d9338d9727ab5f17
    • SHA1: faf9364a7ab15f27c93a6e6f97fa025030c9dad7
    • SHA256: f0d4beab24e94e61f219df451d90dbba3d0f48539f9b6a448f91e0c94b4e80c4
    • SHA512: 0794d850a133a98affe627e3023114b229b982e507d366895ece6a1ef99b42d708554c64b52f0f2ed63673e1c5aeea7e794085d45f0797159e21ba4efdf23cd7
    • SSDEEP: 6144:icvnEsATddHqgM69uZ5iFNFGFOFwcGF6cmFWc0FWc8cIcKcUFJFpcNcHc7cbchF1:icvnEygM69uZ8FNFGFOFwcGF6cmFWc0z
    • Score: 1/10

    • Target: NanoCore-master/sample/client.bin
    • Size: 87KB
    • MD5: e7dde6ff81df20066d7c57bb32d45193
    • SHA1: f4494f962a6241715f1d313fee37203b6607e42b
    • SHA256: f63d7fecabfd501643a12ff3988f2809a1573009a452510e286a91554d49599d
    • SHA512: da3ec487122b70a062dd7ffc792fc4d7cb223775a7e09ca9664bc259097d53ad93678cfeec32d554783f37f9d23a299a0e75ee7e9951abf9d4da8d55e58eb527
    • SSDEEP: 1536:EtPtlChZHNnK1MJTmvuzazpZl4hTPnmOIP+LNPSP2avOauA:Edtl8NnwMJTm/9kTPnmOg+LNQ2aJuA
    • Score: 7/10
    • Checks computer location settings: looks up the country code configured in the registry, likely a geofence.


    • Target: NanoCore-master/sample/x64/SQLite.Interop.dll
    • Size: 1.3MB
    • MD5: 382398711315e2fa8e93d305b4873908
    • SHA1: 51482242e6d9170963aa27192c8279d20fce19ce
    • SHA256: 270d61d183cff3dafad0db3dbe7942374552044baea1e28411c3a143cb620c02
    • SHA512: 084217e67c125cb9952b91bc9783faf5c1e8fb01750cc1e6b4c3736c47b74dcf3207979c1c497e630e161aff529f71c403af6ca0232a7c3e9e587b58e4495589
    • SSDEEP: 24576:fG4Gnwh2IK88uyMGI1YSbmdtDxnrW1oC0AZDvDetNQT7f+5eKMUxThC35:ewh2IKAYjtNme5eeG
    • Score: 1/10

    • Target: NanoCore-master/sample/x86/SQLite.Interop.dll
    • Size: 792KB
    • MD5: 9b19dcee960dc215e64b1d82348707a9
    • SHA1: 9c1e0f76673eb385787120e17404df179316ca2b
    • SHA256: 3515f704b0012c01fc8be5b717905c0587b29255fc9eb7ad3f2b66a130691d38
    • SHA512: cc1304ab171feb2ac6df941f4b35aab8ce7b503f96b5539b366b39268cce8b21ea2fdbce16eff809a9a121a60a65ebbd0f59f75360800f541b9e5f93e729a55d
    • SSDEEP: 12288:iIF0SBEkDG7/jznRefvOIVcn4PW5d6PrVJNcdwLzs9w:iIYkDG7rznRenOIVc4PW76TbK
    • Score: 3/10

MITRE ATT&CK Enterprise v15

Tasks