Overview

overview

10

Static

static

3

8685ccda6e...3N.exe

windows7-x64

10

8685ccda6e...3N.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    8685ccda6ee6e4efcb14a32552080b952d461f8a8baaae241ec994b44b837733N.exe

  • Size

    524KB

  • Sample

    250323-g7sapawl15

  • MD5

    c57570dcacafd7fefa561d7f5e9c6210

  • SHA1

    a2bd17084085a4b46c0cd2712960a3f82892db52

  • SHA256

    8685ccda6ee6e4efcb14a32552080b952d461f8a8baaae241ec994b44b837733

  • SHA512

    20e02a231249fca0a9ec5b0f9900c38b6586e8915645b29b2ac973b27606fc3a285521a2195d13e7ccd86d067aecd368b9ef13984aff204814094a62cdd0dc0a

  • SSDEEP

    12288:bhxp3lZnT9bDkCl3PX0jMCmvpKxZ86rDitP:bJlh9bDkClMjlmvpNgDiB

Score
10/10
nanocoredefense_evasiondiscoveryexecutionkeyloggerpersistencespywarestealertrojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

ichbin1337.ddns.net:9033

ichbincool.ddns.net:9033
Mutex

ffcb8fdb-4a29-46cd-a06a-580aecd4cd74

Attributes
  • activate_away_mode

    false

  • backup_connection_host

    ichbincool.ddns.net

  • backup_dns_server

  • buffer_size

    65535

  • build_time

    2016-07-15T19:36:40.912595336Z

  • bypass_user_account_control

    true

  • bypass_user_account_control_data

  • clear_access_control

    false

  • clear_zone_identifier

    false

  • connect_delay

    4000

  • connection_port

    9033

  • default_group

    Game Slaves

  • enable_debug_mode

    true

  • gc_threshold

    1.048576e+07

  • keep_alive_timeout

    30000

  • keyboard_logging

    false

  • lan_timeout

    2500

  • max_packet_size

    1.048576e+07

  • mutex

    ffcb8fdb-4a29-46cd-a06a-580aecd4cd74

  • mutex_timeout

    5000

  • prevent_system_sleep

    false

  • primary_connection_host

    ichbin1337.ddns.net

  • primary_dns_server

  • request_elevation

    true

  • restart_delay

    5000

  • run_delay

    0

  • run_on_startup

    false

  • set_critical_process

    false

  • timeout_interval

    5000

  • use_custom_dns_server

    false

  • version

    1.2.2.0

  • wan_timeout

    8000

Targets

    • Target

      8685ccda6ee6e4efcb14a32552080b952d461f8a8baaae241ec994b44b837733N.exe

    • Size

      524KB

    • MD5

      c57570dcacafd7fefa561d7f5e9c6210

    • SHA1

      a2bd17084085a4b46c0cd2712960a3f82892db52

    • SHA256

      8685ccda6ee6e4efcb14a32552080b952d461f8a8baaae241ec994b44b837733

    • SHA512

      20e02a231249fca0a9ec5b0f9900c38b6586e8915645b29b2ac973b27606fc3a285521a2195d13e7ccd86d067aecd368b9ef13984aff204814094a62cdd0dc0a

    • SSDEEP

      12288:bhxp3lZnT9bDkCl3PX0jMCmvpKxZ86rDitP:bJlh9bDkClMjlmvpNgDiB

    Score
    10/10
    nanocoredefense_evasiondiscoveryexecutionkeyloggerpersistencespywarestealertrojan

    • NanoCore

      NanoCore is a remote access tool (RAT) with a variety of capabilities.

      keyloggertrojanstealerspywarenanocore

    • Nanocore family

      nanocore

    • Command and Scripting Interpreter: PowerShell

      Run Powershell and hide display window.

      execution

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

      persistence

    • Checks whether UAC is enabled

      defense_evasiontrojan
    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks