2018-01-12 - MALSPAM PUSHING NANOCORE RAT

ASSOCIATED FILES:

  • 2018-01-12-NanoCore-RAT-traffic.pcap   (415,958 bytes)
  • 2018-01-11-malspam-pushing-NanoCore-RAT-0034-UTC.txt   (635,772 bytes)
  • TNT SHIPMENT INFORMATION.exe   (1,968,344 bytes)
  • TNT SHIPMENT INFORMATION.r14   (466,579 bytes)
  • filename.exe   (1,968,344 bytes)
  • filename.vbs   (1,016 bytes)


EMAIL


Shown above:  Screenshot of the email.


EMAIL INFORMATION:



Shown above:  Extracting the malware from the attached RAR archive.


TRAFFIC


Shown above:  Infection traffic in Wireshark.


INFECTION TRAFFIC:


MALWARE

RAR ARCHIVE FROM LINK IN THE EMAIL:

EXE FILE (NANOCORE RAT) EXTRACTED FROM THE RAR ARCHIVE:

NANOCORE RAT ARTIFACTS FROM THE INFECTED WINDOWS HOST:

WINDOWS REGISTRY ENTRY FOR PERSISTENCE:
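Added example (not part of the original write-up): a first-pass triage script for the associated files listed at the top of the page. It hashes each file, classifies it by leading bytes rather than by extension (the .r14 name is a RAR archive, the .exe files should be PE images), checks sizes against the listed values, and groups byte-identical files under different names. The two .exe entries share the same listed size, which is what you would expect if the extracted executable was copied to a new name on the infected host; the grouping makes that check explicit. The sample directory it builds contains constructed stand-ins of a few bytes each, not the real malware, so every size check fires against the listed values.

```python
import hashlib
import os
import tempfile
from collections import defaultdict

# File sizes as listed on the page, in bytes.
LISTED_SIZES = {
    "2018-01-12-NanoCore-RAT-traffic.pcap": 415_958,
    "2018-01-11-malspam-pushing-NanoCore-RAT-0034-UTC.txt": 635_772,
    "TNT SHIPMENT INFORMATION.exe": 1_968_344,
    "TNT SHIPMENT INFORMATION.r14": 466_579,
    "filename.exe": 1_968_344,
    "filename.vbs": 1_016,
}

# Signatures at offset 0. RAR4 begins "Rar!\x1a\x07\x00" and RAR5 "Rar!\x1a\x07\x01\x00",
# so the first 7 bytes cover both; PE images begin "MZ"; classic pcap starts with
# 0xa1b2c3d4 in either byte order; pcapng starts with 0x0a0d0d0a.
MAGIC = [
    (b"Rar!\x1a\x07", "rar"),
    (b"MZ", "pe"),
    (b"\xd4\xc3\xb2\xa1", "pcap"),
    (b"\xa1\xb2\xc3\xd4", "pcap"),
    (b"\x0a\x0d\x0d\x0a", "pcapng"),
]


def identify(header: bytes) -> str:
    """Classify a file by its leading bytes, ignoring the extension."""
    for sig, kind in MAGIC:
        if header.startswith(sig):
            return kind
    return "unknown"


def expected_kind(name: str):
    """What the extension claims the file is (None if we have no expectation)."""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    if ext == "exe":
        return {"pe"}
    # .r00, .r01, ... are old-style multi-volume RAR part names; malspam reuses
    # them (here .r14) because WinRAR opens them and ".rar" attachment filters do not match.
    if ext == "rar" or (len(ext) == 3 and ext[0] == "r" and ext[1:].isdigit()):
        return {"rar"}
    if ext == "pcap":
        return {"pcap", "pcapng"}
    return None


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def triage(directory: str, listed_sizes=LISTED_SIZES) -> dict:
    """Hash and classify every file in `directory`; flag size mismatches against the
    listed values, extension/content mismatches, and groups of byte-identical files."""
    records = {}
    by_hash = defaultdict(list)
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            continue
        with open(path, "rb") as f:
            head = f.read(16)
        kind = identify(head)
        expected = expected_kind(name)
        digest = sha256_file(path)
        size = os.path.getsize(path)
        records[name] = {
            "size": size,
            "sha256": digest,
            "kind": kind,
            "ext_mismatch": expected is not None and kind not in expected,
            "size_mismatch": name in listed_sizes and size != listed_sizes[name],
        }
        by_hash[digest].append(name)
    duplicates = sorted(names for names in by_hash.values() if len(names) > 1)
    return {"files": records, "duplicates": duplicates}


def build_sample_dir() -> str:
    """Constructed stand-ins using the page's file names (a few bytes each, not malware).
    The two .exe names get identical content, as their equal listed sizes suggest."""
    d = tempfile.mkdtemp(prefix="nanocore-triage-")
    fake_pe = b"MZ" + b"\x90" * 62 + b"PE\x00\x00" + b"\x00" * 64
    samples = {
        "TNT SHIPMENT INFORMATION.exe": fake_pe,
        "filename.exe": fake_pe,
        "TNT SHIPMENT INFORMATION.r14": b"Rar!\x1a\x07\x00" + b"\x00" * 64,
        "filename.vbs": b'Set sh = CreateObject("WScript.Shell")\r\n',
    }
    for name, data in samples.items():
        with open(os.path.join(d, name), "wb") as f:
            f.write(data)
    return d


if __name__ == "__main__":
    result = triage(build_sample_dir())
    for name, rec in result["files"].items():
        print(f"{name:30s} {rec['kind']:8s} {rec['size']:>8d} {rec['sha256'][:16]}... "
              f"ext_mismatch={rec['ext_mismatch']} size_mismatch={rec['size_mismatch']}")
    print("byte-identical groups:", result["duplicates"])
```

Point `triage()` at the directory holding the real extracted files (after unzipping with the site password) and drop `build_sample_dir()`; with the genuine files the size checks should all be clean and the duplicate group tells you whether the two .exe entries really are the same binary before you spend time on both.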


IMAGES


Shown above:  Alerts from Sguil in Security Onion using Suricata and the EmergingThreats Pro (ETPRO) ruleset.



Shown above:  Registry key and associated files on the infected Windows host.


FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
