nanocore | 26f45dc6e383ee31df6aabe8a5b4ecc625b76631f2a377803622a2990f3a8408 | Triage

Sharing

General

Target

DHL SHIPMENT DETAILS.exe
Size

329KB
Sample

200630-4hhkp8lvxs
MD5

aea6a74f303ac1db67b93b18dc7427b0
SHA1

4fe9e34f85efefee8ba56a73ddb450bec6cd088d
SHA256

26f45dc6e383ee31df6aabe8a5b4ecc625b76631f2a377803622a2990f3a8408
SHA512

d9dd598cc3f60be1c0a51cadc9c4f027841f87087ed724ae7c2c6d84c30e851ef0f817f7720717f286ded47a9f980e937cf9c81e098a76f5d27932089de82884

Score

10^/10

nanocore evasion keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

ashebi.ddns.net:5050

185.140.53.10:5050

Mutex

b62e8cc6-adaa-4794-b4c7-4d04ef6cbd3b

Attributes

activate_away_mode
true
backup_connection_host
185.140.53.10
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2020-03-30T07:20:12.975094236Z
bypass_user_account_control
true
bypass_user_account_control_data
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
5050
default_group
DON
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
b62e8cc6-adaa-4794-b4c7-4d04ef6cbd3b
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
ashebi.ddns.net
primary_dns_server
8.8.8.8
request_elevation
true
restart_delay
5012
run_delay
0
run_on_startup
false
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Targets

- Target
  
  DHL SHIPMENT DETAILS.exe
- Size
  
  329KB
- MD5
  
  aea6a74f303ac1db67b93b18dc7427b0
- SHA1
  
  4fe9e34f85efefee8ba56a73ddb450bec6cd088d
- SHA256
  
  26f45dc6e383ee31df6aabe8a5b4ecc625b76631f2a377803622a2990f3a8408
- SHA512
  
  d9dd598cc3f60be1c0a51cadc9c4f027841f87087ed724ae7c2c6d84c30e851ef0f817f7720717f286ded47a9f980e937cf9c81e098a76f5d27932089de82884
Score

10^/10

evasion trojan keylogger stealer spyware nanocore persistence
- NanoCore
  NanoCore is a remote access tool (RAT) with a variety of capabilities.
  keylogger trojan stealer spyware nanocore
- Adds Run entry to start application
  persistence
- Checks whether UAC is enabled
  evasion trojan
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

Persistence

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Modify Registry

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

evasiontrojankeyloggerstealerspywarenanocorepersistence

behavioral2

evasiontrojankeyloggerstealerspywarenanocorepersistence