Dissecting NanoCore Crimeware Attack Chain - Yoroi
Common Information
Type Value
UUID a8807f24-e57b-4b53-8e00-901e9e443407
Fingerprint bc151d116da286b1
Analysis status DONE
Considered CTI value 2
Text language
Published June 14, 2019, 10:12 a.m.
Added to db Jan. 18, 2023, 9:10 p.m.
Last updated Dec. 25, 2024, 5:33 a.m.
Headline Dissecting NanoCore Crimeware Attack Chain
Title Dissecting NanoCore Crimeware Attack Chain - Yoroi
Detected Hints/Tags/Attributes 48/3/14
Attributes
Details Type #Events CTI Value
Details Domain 80
schemas.microsoft.com (benign XML namespace host; it appears here via the scheduled-task definition URL listed under Url below and is not an indicator on its own)
Details File 1
trasferimento.exe
Details File 1
non.exe
Details File 268
schtasks.exe (legitimate Windows scheduled-task utility; its presence is only meaningful in combination with the other indicators on this page)
Details File 1
c:\users\admin\appdata\local\temp\tmpc5a7.tmp
Details File 1
c:\users\admin\appdata\local\temp\tmpcb59.tmp
Details File 1
c:\users\admin\desktop\trasferimento.exe
Details sha256 1
8274313b5b1e941a67b54e9f311094f2f56a3afe97820ad03560d9885a60b71b
Details sha256 1
52d73eee176a2ff30af7e386809b94ef1c4918f131f8de1e2b66915ab8cc3790
Details IPv4 1
79.134.225.41
Details IPv4 15
1.2.2.0 (likely a version string extracted as an IPv4 address rather than a real C2 endpoint — verify before acting on it)
Details IPv4 1
185.244.31.50
Details Url 20
http://schemas.microsoft.com/windows/2004/02/mit/task
Details Yara rule 1
import "pe"

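rule Delphi_Loader_NanoCoreRAT {
	meta:
		description = "Yara Rule for Delphi Loader and embedded NanoCore RAT"
		author = "Cybaze - Yoroi ZLab"
		last_updated = "2019-06-12"
		tlp = "white"
		category = "informational"
	strings:
		// Loader branch: format-string artifact, only counted together with the exact
		// resource count checked in the condition.
		$s1 = "IE(AL(\"%s\",4),\"AL(\\\"%0:s\\\",3)\",\"JK(\\\"%1:s\\\",\\\"%0:s\\\")\")"
		// Payload branch: obfuscated identifier, family name, and the ASCII bytes "is41tIXM".
		// NOTE(review): plain YARA strings match ASCII only; if the embedded .NET payload
		// stores these as UTF-16 a "wide" modifier would be required — confirm against a sample.
		$a1 = "#=qP05CRmbt2pJg10eRU50wu1vx$mfteEn$pCn9SEbehP8="
		$a2 = "NanoCore"
		$a3 = { 69 73 34 31 74 49 58 4D }
		// Required alongside any $a* hit so that the generic "NanoCore" string cannot fire alone.
		$b1 = "<*t\"<0r=<9w9i"
	condition:
		// YARA evaluates "and" before "or"; the parentheses make the two detection branches
		// explicit without changing what the original condition matched:
		//   (loader: exact resource count + $s1)  OR  (payload: any $a* + $b1)
		// NOTE(review): number_of_resources == 73 is brittle — a rebuilt loader with a
		// different resource table will not match the first branch.
		(pe.number_of_resources == 73 and $s1) or (1 of ($a*) and $b1)
}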