nanocore | 625029d9538bf314855ef00bbca7d54a862a818785405df775f86a94e71328c7 | Triage

Sharing

General

Target

test.exe
Size

202KB
Sample

250206-khq8wazjfz
MD5

20b3e03d8cb9a863a0c4c149744ed52a
SHA1

5bd35c680f422f07d612e6c19a4ac6135afb970d
SHA256

625029d9538bf314855ef00bbca7d54a862a818785405df775f86a94e71328c7
SHA512

c32297f766c360790bb7347fa7e534c6d30473d37a7e4f1e1a67cc2a065c1b23385cd59ab7f921964e46a5bf54bf43138021f18132f234872a9adb3b22c01afd
SSDEEP

6144:gLV6Bta6dtJmakIM5w/FU9tAa5+EsWaEg46:gLV6BtpmkdU92icug46

Score

10^/10

nanocore defense_evasion discovery keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

108.231.94.28:10135

127.0.0.1:10135

Mutex

3bc38d82-5304-4d1c-b575-5caf80bc4386

Attributes

activate_away_mode
true
backup_connection_host
127.0.0.1
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2024-11-18T10:17:19.783251536Z
bypass_user_account_control
true
bypass_user_account_control_data
clear_access_control
true
clear_zone_identifier
false
connect_delay
3993
connection_port
10135
default_group
Testing
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
29991
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
3bc38d82-5304-4d1c-b575-5caf80bc4386
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
108.231.94.28
primary_dns_server
8.8.8.8
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
false
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Targets

- Target
  
  test.exe
- Size
  
  202KB
- MD5
  
  20b3e03d8cb9a863a0c4c149744ed52a
- SHA1
  
  5bd35c680f422f07d612e6c19a4ac6135afb970d
- SHA256
  
  625029d9538bf314855ef00bbca7d54a862a818785405df775f86a94e71328c7
- SHA512
  
  c32297f766c360790bb7347fa7e534c6d30473d37a7e4f1e1a67cc2a065c1b23385cd59ab7f921964e46a5bf54bf43138021f18132f234872a9adb3b22c01afd
- SSDEEP
  
  6144:gLV6Bta6dtJmakIM5w/FU9tAa5+EsWaEg46:gLV6BtpmkdU92icug46
Score

10^/10

nanocore defense_evasion discovery keylogger persistence spyware stealer trojan
- NanoCore
  NanoCore is a remote access tool (RAT) with a variety of capabilities.
  keylogger trojan stealer spyware nanocore
- Nanocore family
  nanocore
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Checks whether UAC is enabled
  defense_evasion trojan
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Credentials from Password Stores

Credentials from Web Browsers

Unsecured Credentials

Credentials In Files

Discovery

Browser Information Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

nanocoredefense_evasiondiscoverykeyloggerpersistencespywarestealertrojan