VRad

#nanocore_250419

May 10th, 2019
#IOC #OptiData #VR #nanocore #RAT #RTF #OLE #XLS #VBA

https://pastebin.com/cSy68j5q

previous_contact:
07/01/19 https://pastebin.com/e5f24Y8F

FAQ: https://krebsonsecurity.com/2018/02/bot-roundup-avalanche-kronos-nanocore/

attack_vector
--------------
email attach .doc (RTF) > OLE > 2 excel > macro_URLDownloadToFileA > GET 1 URL > .exe

email_headers
--------------
Received: from bitrecall.com (mail.bitrecall.com [94.177.166.132])
Received: from pec.it (unknown [184.164.139.195])
From: Accounts <asp.srls@pec.it>
To: user00@org88.victim0.com
Subject: Re: Invoice payment
Date: 25 Apr 2019 05:18:16 -0700

files
--------------
SHA-256 6be4c966edc63f37f52fc3a935344f634a8bb064d97200a31c0a3d2459ceda26
File name invoice and po.doc [Rich Text Format data, version 1, unknown character set]
File size 290.43 KB (297400 bytes)

two OLE from RTF:

SHA-256 0637afed4d69d13579b0f046e8897d4559fd0c3a4d77be16e8d00b23f6c38500
File name invoice and po.doc_object_00002904.bin [Composite Document File V2 Document, Little Endian, Os: Windows]
File size 51 KB (52224 bytes)

SHA-256 17abc93230013c514555b8c99fdc359aa73427d47b409d643dc2c6a7d20d8961
File name invoice and po.doc_object_00021CCF.bin [Composite Document File V2 Document, Little Endian, Os: Windows]
File size 51 KB (52224 bytes)

payload:

SHA-256 56f4a8947d55e20bc17f7e05dcc7484940c19845366c3e22ffa4f02e7cffd1cb
File name stub[1].exe [PE32 executable (GUI) Intel 80386, for MS Windows]
File size 521.87 KB (534392 bytes)

activity
**************

PL_SRC 104.238.117.30 depedpasay{.} ph [ssl]

C2 91.192.100.11 [ssl]

netwrk
--------------
104.238.117.30 depedpasay{.} ph Client Hello
91.192.100.11 49188 → 7077 [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=256 SACK_PERM=1

comp
--------------
EXCEL.EXE 220 TCP localhost 49185 104.238.117.30 443 ESTABLISHED
EXCEL.EXE 220 TCP localhost 49186 13.107.4.50 80 ESTABLISHED
stub[1].exe 224 TCP localhost 49188 91.192.100.11 7077 SYN_SENT

proc
--------------
"C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE" /n /dde
...
"C:\Program Files (x86)\Microsoft Office\Office12\EXCEL.EXE" -Embedding
"C:\Program Files (x86)\Microsoft Office\Office12\EXCEL.EXE" -Embedding
C:\tmp\stub[1].exe
"C:\Program Files (x86)\Microsoft Office\Office12\excelcnv.exe" -Embedding

persist
--------------
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 09.05.2019 12:46
ARP Service witneyer omnipotentiality
c:\users\operator\appdata\roaming\9907dcbd-0284-49da-87e9-3f380347acb7\arp service\arpsv.exe 02.11.1993 13:41

drop
--------------
C:\tmp\stub[1].exe
C:\Users\operator\AppData\Roaming\9907DCBD-0284-49DA-87E9-3F380347ACB7\ARP Service\arpsv.exe

# # #
https://www.virustotal.com/gui/file/6be4c966edc63f37f52fc3a935344f634a8bb064d97200a31c0a3d2459ceda26/details
https://www.virustotal.com/gui/file/0637afed4d69d13579b0f046e8897d4559fd0c3a4d77be16e8d00b23f6c38500/details
https://www.virustotal.com/gui/file/17abc93230013c514555b8c99fdc359aa73427d47b409d643dc2c6a7d20d8961/details
https://www.virustotal.com/gui/file/56f4a8947d55e20bc17f7e05dcc7484940c19845366c3e22ffa4f02e7cffd1cb/details
https://analyze.intezer.com/#/analyses/7f554b60-55ba-48f7-b83c-750c6f31a756

VR
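The proc, comp and persist sections above describe three observables a host-based detection can key on: an Office process launching an executable from a user-writable directory, that child (or the Office process itself) reaching out to an address the organisation does not expect, and an HKCU Run value pointing into a GUID-named folder under AppData\Roaming. The following Python script is an added example, not part of the paste, that encodes those three checks and runs them over constructed sample data modelled on the sections above. The PIDs 220 and 224, the command lines, the connection tuples and the Run value come from the paste; the WINWORD PID (212), the parent/child links, the excelcnv PID (228), the "13.107.4.50" allowlist entry and the benign "SecurityHealth" Run value are assumptions made for the example.

```python
import re

# Office binaries whose children and network egress we want to watch.
OFFICE = {"winword.exe", "excel.exe", "excelcnv.exe", "powerpnt.exe", "outlook.exe"}
# Path fragments that mark user-writable locations an Office child should not run from.
USER_WRITABLE = ("c:\\tmp\\", "\\appdata\\roaming\\", "\\appdata\\local\\temp\\", "\\users\\public\\")
# A directory whose name is a GUID, as in the persist section of the paste.
GUID_DIR = re.compile(r"\\[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\\", re.I)
# Assumption: addresses the site treats as expected Office egress (13.107.4.50 is taken from the paste).
KNOWN_GOOD_IPS = {"13.107.4.50"}

# --- constructed sample data modelled on the paste (pid, parent pid, command line) ---
# PID 212 for WINWORD, PID 228 for excelcnv and the parent links are assumptions.
PROCESSES = [
    (212, 4, r'"C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE" /n /dde'),
    (220, 212, r'"C:\Program Files (x86)\Microsoft Office\Office12\EXCEL.EXE" -Embedding'),
    (224, 220, r"C:\tmp\stub[1].exe"),
    (228, 212, r'"C:\Program Files (x86)\Microsoft Office\Office12\excelcnv.exe" -Embedding'),
]
# (image, pid, remote ip, remote port, state), as listed in the comp section.
CONNECTIONS = [
    ("EXCEL.EXE", 220, "104.238.117.30", 443, "ESTABLISHED"),
    ("EXCEL.EXE", 220, "13.107.4.50", 80, "ESTABLISHED"),
    ("stub[1].exe", 224, "91.192.100.11", 7077, "SYN_SENT"),
]
# HKCU\...\Run values as (value name, target path); the second entry is a constructed benign one.
RUN_VALUES = [
    ("ARP Service witneyer omnipotentiality",
     r"c:\users\operator\appdata\roaming\9907dcbd-0284-49da-87e9-3f380347acb7\arp service\arpsv.exe"),
    ("SecurityHealth", r"C:\Windows\System32\SecurityHealthSystray.exe"),
]


def image_path(cmdline: str) -> str:
    """Return the executable path from a command line, handling quoted paths with spaces."""
    if cmdline.startswith('"'):
        return cmdline[1:cmdline.index('"', 1)]
    return cmdline.split(" ", 1)[0]


def image_name(path: str) -> str:
    """Lower-cased file name of an executable path."""
    return path.rsplit("\\", 1)[-1].lower()


def office_spawned_from_user_dir(processes):
    """Rule 1: an Office process launched an executable from a user-writable directory."""
    by_pid = {pid: cmd for pid, _, cmd in processes}
    hits = []
    for pid, ppid, cmd in processes:
        parent = by_pid.get(ppid)
        if parent is None or image_name(image_path(parent)) not in OFFICE:
            continue
        path = image_path(cmd)
        if any(marker in path.lower() for marker in USER_WRITABLE):
            hits.append((pid, path))
    return hits


def unexpected_connections(connections, flagged_pids):
    """Rule 2: Office egress to a non-allowlisted address, or any egress from a Rule 1 child."""
    hits = []
    for image, pid, ip, port, _state in connections:
        if image_name(image) in OFFICE:
            if ip not in KNOWN_GOOD_IPS:
                hits.append((pid, ip, port, "office-process egress"))
        elif pid in flagged_pids:
            hits.append((pid, ip, port, "egress from Office-spawned child"))
    return hits


def suspicious_run_values(run_values):
    """Rule 3: Run values whose target lives under AppData\\Roaming or in a GUID-named folder."""
    return [(name, target) for name, target in run_values
            if "\\appdata\\roaming\\" in target.lower() or GUID_DIR.search(target)]


def triage(processes=PROCESSES, connections=CONNECTIONS, run_values=RUN_VALUES):
    """Run the three rules and return their findings keyed by rule name."""
    spawned = office_spawned_from_user_dir(processes)
    flagged = {pid for pid, _ in spawned}
    return {
        "office_spawned": spawned,
        "connections": unexpected_connections(connections, flagged),
        "run_values": suspicious_run_values(run_values),
    }


if __name__ == "__main__":
    for rule, hits in triage().items():
        for hit in hits:
            print(f"[{rule}] {hit}")
```

On the sample data the script reports stub[1].exe as an Excel child running from C:\tmp, the Excel connection to 104.238.117.30 and the stub connection to 91.192.100.11:7077 as unexpected egress, and the "ARP Service" Run value as suspicious persistence, while the allowlisted Microsoft address and the benign Run entry stay quiet. Feeding it real data means replacing the constructed lists with output from a process-tree and netstat collector and maintaining the allowlist for the environment.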