nanocore | 21f3851df5c3487b850c88275818072eb000857423f72608b0708b53bb3bbf64 | Triage

Sharing

General

Target

A653D1951B3DE7E0EDE77758187763B0.exe
Size

3.0MB
Sample

250325-ec2vjaz1dt
MD5

a653d1951b3de7e0ede77758187763b0
SHA1

06df3427aa544488543152111f5c5cfc52d41463
SHA256

21f3851df5c3487b850c88275818072eb000857423f72608b0708b53bb3bbf64
SHA512

c8e5bc1284b3349cd81bb8edb85ebd5bb01fe08eb51aad53992a22a045ffae58ea4d7649f60559c9c5adaf71a7bcef4db3359bd54ae8157d9c0f0b9f2b0130ca
SSDEEP

49152:yKcYOh1T3CVOnr9zBVPgxyJbV4cPodKiUIQ+WSqwEQU:yxfrzCVOh9tQcPotU7

Score

10^/10

nanocore defense_evasion discovery keylogger spyware stealer trojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

ksmj.ddns.net:1337

Mutex

b73dccc0-ae28-411e-8f12-dcb30e5628a2

Attributes

activate_away_mode
true
backup_connection_host
ksmj.ddns.net
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2024-12-21T21:11:28.928783136Z
bypass_user_account_control
true
bypass_user_account_control_data
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
1337
default_group
Default
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
b73dccc0-ae28-411e-8f12-dcb30e5628a2
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
ksmj.ddns.net
primary_dns_server
8.8.8.8
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
true
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Targets

- Target
  
  A653D1951B3DE7E0EDE77758187763B0.exe
- Size
  
  3.0MB
- MD5
  
  a653d1951b3de7e0ede77758187763b0
- SHA1
  
  06df3427aa544488543152111f5c5cfc52d41463
- SHA256
  
  21f3851df5c3487b850c88275818072eb000857423f72608b0708b53bb3bbf64
- SHA512
  
  c8e5bc1284b3349cd81bb8edb85ebd5bb01fe08eb51aad53992a22a045ffae58ea4d7649f60559c9c5adaf71a7bcef4db3359bd54ae8157d9c0f0b9f2b0130ca
- SSDEEP
  
  49152:yKcYOh1T3CVOnr9zBVPgxyJbV4cPodKiUIQ+WSqwEQU:yxfrzCVOh9tQcPotU7
Score

10^/10

nanocore defense_evasion discovery keylogger spyware stealer trojan
- NanoCore
  NanoCore is a remote access tool (RAT) with a variety of capabilities.
  keylogger trojan stealer spyware nanocore
- Nanocore family
  nanocore
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
  defense_evasion trojan
- Legitimate hosting services abused for malware hosting/C2
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

nanocoredefense_evasiondiscoverykeyloggerspywarestealertrojan

behavioral2

nanocoredefense_evasiondiscoverykeyloggerspywarestealertrojan