nanocore | 60de37f8965472ff0581e060db7950e8d198495538822fa5866c0e7ab8f787e5 | Triage

Sharing

General

Target

Ödeme kopyası.exe
Size

1.1MB
Sample

250404-ktb84atvcx
MD5

18305658cb2edb8a1a43275ff9d90f6f
SHA1

a604dd1cf459e051be9225b5e6ea172a4fc49092
SHA256

60de37f8965472ff0581e060db7950e8d198495538822fa5866c0e7ab8f787e5
SHA512

427a838c9ccb21afdd63d8d62ee72becdbd7ce4e4198fb380d08a4eee902a63bd62d3654569c54630506b11aa6571c505ef446b1bf0ef09855fe4ab3f5d07e6c
SSDEEP

24576:Au6J33O0c+JY5UZ+XC0kGso6FaaX7BJv68wgVvWY:qu0c++OCvkGs9FaaXb+LY

Score

10^/10

nanocore discovery keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

82.115.223.158:28288

kiznet.ddns.net:28288

Mutex

1f2f55c9-0803-4663-b998-cc401ee7c28a

Attributes

activate_away_mode
true
backup_connection_host
kiznet.ddns.net
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2025-01-12T11:07:31.068513236Z
bypass_user_account_control
true
bypass_user_account_control_data
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
28288
default_group
Ogwugwu
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
1f2f55c9-0803-4663-b998-cc401ee7c28a
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
82.115.223.158
primary_dns_server
8.8.8.8
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
false
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Targets

- Target
  
  Ödeme kopyası.exe
- Size
  
  1.1MB
- MD5
  
  18305658cb2edb8a1a43275ff9d90f6f
- SHA1
  
  a604dd1cf459e051be9225b5e6ea172a4fc49092
- SHA256
  
  60de37f8965472ff0581e060db7950e8d198495538822fa5866c0e7ab8f787e5
- SHA512
  
  427a838c9ccb21afdd63d8d62ee72becdbd7ce4e4198fb380d08a4eee902a63bd62d3654569c54630506b11aa6571c505ef446b1bf0ef09855fe4ab3f5d07e6c
- SSDEEP
  
  24576:Au6J33O0c+JY5UZ+XC0kGso6FaaX7BJv68wgVvWY:qu0c++OCvkGs9FaaXb+LY
Score

10^/10

nanocore discovery keylogger persistence spyware stealer trojan
- NanoCore
  NanoCore is a remote access tool (RAT) with a variety of capabilities.
  keylogger trojan stealer spyware nanocore
- Nanocore family
  nanocore
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
  persistence
- AutoIT Executable
  AutoIT scripts compiled to PE executables.
- Suspicious use of SetThreadContext
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

nanocorediscoverykeyloggerpersistencespywarestealertrojan