NanoCore

Global rank: 7 | Month rank: 17 | Week rank: 15 | IOCs: 12437

NanoCore is a Remote Access Trojan or RAT. This malware is highly customizable with plugins which allow attackers to tailor its functionality to their needs. Nanocore is created with the .NET framework and it’s available for purchase for just $25 from its “official” website.

Type: Trojan
Origin: USA
First seen: 1 January, 2013
Last seen: 2 June, 2023

How to analyze Nanocore with ANY.RUN


IOCs

IP addresses
3.142.167.4
213.152.161.211
209.25.141.212
194.147.140.103
3.64.4.198
209.25.141.194
209.25.141.223
208.67.107.146
18.141.129.246
192.169.69.26
18.192.31.165
18.158.249.75
3.125.223.134
3.124.142.205
212.193.30.230
79.134.225.22
3.17.7.232
188.226.118.231
35.212.156.187
147.185.221.212
Hashes

Domains
joemclean.duckdns.org
microsoftfixer.duckdns.org
fevertoxs.duckdns.org
adenere.duckdns.org
fevertox.duckdns.org
8.tcp.ngrok.io
frederikkempe.com
majul.com
njxyro.ddns.net
device-local-3193b8ff-0889-41c5-8fd6-67066f88b277.remotewd.com
5.tcp.eu.ngrok.io
music-avatar.at.playit.gg
msn-she.at.playit.gg
qxq.ddns.net
vcctggqm3t.dattolocal.net
opportunity-essential.at.ply.gg
already-herein.at.ply.gg
art-novelty.at.ply.gg
should-conjunction.at.ply.gg
hold-oo.at.ply.gg


What is NanoCore malware?


NanoCore was first recorded in the wild in 2013. Since then it has become extremely popular and is now used in attacks all around the world. Because it is modular, the functionality of the NanoCore backdoor can be greatly expanded with plugins, which makes an already dangerous RAT potentially even more destructive to a company's security.

Distributed on its own website with 24/7 technical support for just $25, with all official plugins included, the malware can also be downloaded from hacking forums, where "cracked" versions have been leaked multiple times. This makes it an extremely accessible trojan to set up and use, and its accessibility, ease of use, and the large amount of information available about it keep contributing to its popularity. It is not entirely clear whether the malware was originally developed as a commercial program for legitimate organizations or whether the creator set out to write malicious software from the beginning. Regardless, the author of NanoCore, Taylor Huddleston, was tracked down and arrested by the FBI.

General Information about NanoCore RAT

According to the analysis, NanoCore's first beta appeared in 2013. The latest version of the malware was openly sold on its own website, NANOCORE_dot_io, which helped ensure its wide adoption. Today NanoCore RAT targets victims worldwide, although the majority of attacks take place in the US.

One of the key characteristics of this RAT is that technically savvy attackers can greatly expand its functionality and fine-tune it to their needs, for instance by adding screen-locker functionality to the RAT. Some essential plugins are already provided in the purchase bundle on the "official" website. Other, more sophisticated ones are developed by the community of cybercriminals that has formed around NanoCore.

For crooks who do not want to fiddle with plugins, NanoCore provides a straightforward user interface that allows even novice criminals to launch potentially destructive campaigns, which further contributes to the popularity of the malware.

Interactive analysis of NanoCore

A recording of the execution process in the ANY.RUN malware hunting service allows us to analyze the full lifecycle of this trojan, in the same way as other malware such as WSHRAT or Vidar. We can watch NanoCore's behavior and every process it spawns as they unfold in a secure online environment.

Figure 1: A visual graph of NanoCore execution processes generated by ANY.RUN

How does NanoCore spread?

NanoCore RAT is distributed in several ways, but the most common is spam email campaigns that trick users into opening malicious documents, often presented as price lists or purchase orders.

The emails sometimes carry attachments with an .img or .iso extension; the large size of these disk-image files makes them harder to scan. Some versions of the malware are also spread inside a ZIP archive crafted to slip past secure email gateways. A multi-file structure is used here: one script file downloads the payload, while the remaining files are decoys that help the malicious content go unnoticed by the system's security.

PowerPoint files follow the same pattern: the infection chain unfolds over multiple stages before the final payload is executed.

NanoCore RAT execution process

NanoCore is often delivered to the victim's PC by an AutoIt-compiled dropper, much like Agent Tesla, which is typical for this type of RAT. Most commonly, NanoCore is spread in Microsoft Word documents; the infected files contain either an embedded executable or an exploit.

According to the RAT analysis, once the document is opened, an embedded macro downloads an executable, renames it, and launches it. The downloaded executable then creates a child process. The malware is able to use RegSvcs.exe and RegAsm.exe to proxy code execution through a trusted Windows utility: it injects its code into these Microsoft-signed .NET Framework binaries so that the malicious logic runs under a legitimate process name.

Figure 2: A process tree of NanoCore execution processes generated by ANY.RUN

How to detect NanoCore malware using ANY.RUN?

You can identify whether you are dealing with a NanoCore RAT sample by a quick analysis of the files and scripts the malware creates. Most often NanoCore injects into one of three processes: RegSvcs.exe, RegAsm.exe, or MSBuild.exe. All three are legitimate .NET Framework utilities, so their mere presence is not an indicator; what matters is which parent started them and what they write to disk.

Open "Advanced details of process" for one of these processes and look at the "Modified files" tab in the "Events" section. If that process created a file named "run.dat" inside a GUID-named folder under the user's roaming profile, i.e. %APPDATA%\{GUID}\run.dat (C:\Users\<username>\AppData\Roaming\{GUID}\run.dat), you can be confident that the malware you are observing is NanoCore.
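The two host-side signals described in the execution-process and detection sections above can be turned into a small triage script. The following is an added example written for this page; it is not ANY.RUN's code or anything shipped with NanoCore. It checks (1) RegSvcs.exe, RegAsm.exe or MSBuild.exe being started by a parent that is not a build tool, and (2) a run.dat file written to %APPDATA%\{GUID}\ by one of those processes. The ProcEvent/FileEvent record shapes, the BENIGN_PARENTS list and the sample events are constructed assumptions, not a sandbox or EDR schema.

```python
"""Host-side triage for the two NanoCore behaviours described above.

Added example, not code from ANY.RUN or from the NanoCore page:
  1. proxy execution: RegSvcs.exe / RegAsm.exe / MSBuild.exe started by a parent
     that is not a build tool (a Word process, an AutoIt-compiled dropper, a script host);
  2. the run.dat artifact written to %APPDATA%\\{GUID}\\ by one of those injected processes.
The event shapes (ProcEvent / FileEvent) and the sample events are constructed for this
example and do not follow any sandbox or EDR schema.
"""
import re
from dataclasses import dataclass

# The three .NET Framework utilities the text names as injection targets.
INJECT_TARGETS = {"regsvcs.exe", "regasm.exe", "msbuild.exe"}

# Parents that legitimately start those utilities on a developer box
# (Visual Studio, a build, the dotnet host). Assumption: tune per environment.
BENIGN_PARENTS = {"devenv.exe", "msbuild.exe", "dotnet.exe", "vbcscompiler.exe"}

# C:\Users\<user>\AppData\Roaming\{GUID}\run.dat  (braces optional, hex case-insensitive)
RUN_DAT_RE = re.compile(
    r"\\AppData\\Roaming\\\{?"
    r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}"
    r"\}?\\run\.dat$",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    image: str         # image file name of the process
    parent_image: str  # image file name of its parent


@dataclass(frozen=True)
class FileEvent:
    pid: int     # process that created/modified the file
    path: str
    action: str  # "create" or "write"


def suspicious_proxy_exec(procs):
    """RegSvcs/RegAsm/MSBuild started by something other than a build tool."""
    return [
        (p.parent_image, p.image)
        for p in procs
        if p.image.lower() in INJECT_TARGETS
        and p.parent_image.lower() not in BENIGN_PARENTS
    ]


def nanocore_run_dat(procs, files):
    """run.dat under %APPDATA%\\{GUID}\\ created by one of the injected processes."""
    by_pid = {p.pid: p for p in procs}
    hits = []
    for f in files:
        proc = by_pid.get(f.pid)
        if proc is None or proc.image.lower() not in INJECT_TARGETS:
            continue  # the text ties the artifact to the injected process, not to any writer
        if RUN_DAT_RE.search(f.path):
            hits.append((proc.image, f.path))
    return hits


def triage(procs, files):
    """Both checks together: a run_dat hit is the strong NanoCore indicator,
    a proxy_exec hit on its own only says 'look closer'."""
    return {
        "proxy_exec": suspicious_proxy_exec(procs),
        "run_dat": nanocore_run_dat(procs, files),
    }


# Constructed sample: a Word document drops an AutoIt-compiled executable, which starts
# RegSvcs.exe and writes run.dat; plus a genuine Visual Studio build for contrast.
SAMPLE_PROCS = [
    ProcEvent(1200, "WINWORD.EXE", "explorer.exe"),
    ProcEvent(1300, "quotation.exe", "WINWORD.EXE"),   # dropper name is made up
    ProcEvent(1400, "RegSvcs.exe", "quotation.exe"),   # injected host
    ProcEvent(2000, "MSBuild.exe", "devenv.exe"),      # benign build
    ProcEvent(2100, "RegAsm.exe", "MSBuild.exe"),      # benign: assembly registration in a build
]
SAMPLE_FILES = [
    FileEvent(1400, r"C:\Users\alice\AppData\Roaming\{3E6C7A9D-1B2F-4C8E-9A0D-5F6E7B8C9D0A}\run.dat", "create"),
    FileEvent(1400, r"C:\Users\alice\AppData\Roaming\{3E6C7A9D-1B2F-4C8E-9A0D-5F6E7B8C9D0A}\settings.ini", "create"),
    FileEvent(2000, r"C:\Users\alice\AppData\Roaming\Microsoft\run.dat", "create"),  # wrong folder
]

if __name__ == "__main__":
    for name, hits in triage(SAMPLE_PROCS, SAMPLE_FILES).items():
        print(name, hits)
```

The parent-process check is deliberately loose (anything not on the allow-list is reported) because on a workstation that is not a developer machine these utilities should essentially never run; the run.dat check is strict, requiring both the GUID-named folder and the injected process as the writer, matching the page's own criterion.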

Figure 3: File created by NanoCore

Conclusion

Thanks to its accessibility, ease of use, customization, and the wealth of information about it, NanoCore has grown into one of the most widespread RATs in the world. Even though NanoCore's creator has been arrested, several cracked versions have appeared, and NanoCore remains openly available on hacker forums.

Often it can be acquired for free, allowing anybody to set up attacks. Its popularity is further aided by the fact that little programming knowledge is needed to use this trojan, since it comes with a user-friendly interface. At the same time, skilled attackers can carry out very sophisticated and destructive attacks with NanoCore RAT, because its malicious capabilities can be extended with custom plugins. Modern analysis tools such as ANY.RUN allow researchers to examine the malware in detail, learn its behavior patterns, and set up an appropriate response.

