| File name: | NanoCore RAT 1.2.2.0.zip |
| Full analysis: | https://app.any.run/tasks/48ec0a57-b481-4e3e-a0be-a4479f9a023c |
| Verdict: | Malicious activity |
| Threats: | NanoCore is a Remote Access Trojan or RAT. This malware is highly customizable with plugins which allow attackers to tailor its functionality to their needs. Nanocore is created with the .NET framework and it’s available for purchase for just $25 from its “official” website. |
| Analysis date: | September 15, 2024, 18:44:23 |
| OS: | Windows 10 Professional (build: 19045, 64 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/zip |
| File info: | Zip archive data, at least v2.0 to extract, compression method=store |
| MD5: | F2549C20E2F9F1A53F3664C2D514B9CF |
| SHA1: | 24F15B846F6FBCDBC0E8A42ED5DC50946579B9E2 |
| SHA256: | 4E1210DCA7C2620E3C008DB891954CB32755CA65ECDE01C5CE4F634938278491 |
| SSDEEP: | 98304:BCivIvnmTJBGCTjKn9DcydDwaJp9WJlPyx0xu4lQJ7/VfXgcWVXwDsG/C4zvnTyy:9E7amKwsb0nYSnlSkbX |
MALICIOUS
NANOCORE has been detected (YARA)
- NanoCore.exe (PID: 6180)
SUSPICIOUS
Checks for external IP
- NanoCore.exe (PID: 6180)
INFO
Manual execution by a user
- WinRAR.exe (PID: 1480)
- NanoCore.exe (PID: 6180)
Executable content was dropped or overwritten
- WinRAR.exe (PID: 1480)
Disables trace logs
- NanoCore.exe (PID: 6180)
Reads the computer name
- NanoCore.exe (PID: 6180)
Checks supported languages
- NanoCore.exe (PID: 6180)
Reads the machine GUID from the registry
- NanoCore.exe (PID: 6180)
The process uses the downloaded file
- WinRAR.exe (PID: 1480)
Checks proxy server information
- NanoCore.exe (PID: 6180)
- slui.exe (PID: 6488)
Sends debugging messages
- NanoCore.exe (PID: 6180)
.NET Reactor protector has been detected
- NanoCore.exe (PID: 6180)
Reads the software policy settings
- slui.exe (PID: 6488)
- slui.exe (PID: 5172)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
Nanocore
(PID) Process(6180) NanoCore.exe
ERROR
TRiD
| .zip | | | ZIP compressed archive (100) |
|---|
EXIF
ZIP
| ZipRequiredVersion: | 20 |
|---|---|
| ZipBitFlag: | - |
| ZipCompression: | None |
| ZipModifyDate: | 2019:11:17 06:57:26 |
| ZipCRC: | 0x00000000 |
| ZipCompressedSize: | - |
| ZipUncompressedSize: | - |
| ZipFileName: | NanoCore RAT 1.2.2.0/ |
Total processes
137
Monitored processes
7
Malicious processes
1
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 1480 | "C:\Program Files\WinRAR\WinRAR.exe" x -iext -ow -ver -- "C:\Users\admin\Desktop\NanoCore RAT 1.2.2.0.zip" C:\Users\admin\Desktop\ | C:\Program Files\WinRAR\WinRAR.exe | explorer.exe | ||||||||||||
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Exit code: 0 Version: 5.91.0 Modules
| |||||||||||||||
| 1920 | C:\WINDOWS\System32\rundll32.exe C:\WINDOWS\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding | C:\Windows\System32\rundll32.exe | — | svchost.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows host process (Rundll32) Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 2080 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Desktop\NanoCore RAT 1.2.2.0.zip" | C:\Program Files\WinRAR\WinRAR.exe | — | explorer.exe | |||||||||||
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Exit code: 0 Version: 5.91.0 Modules
| |||||||||||||||
| 5172 | "C:\WINDOWS\System32\SLUI.exe" RuleId=3482d82e-ca2c-4e1f-8864-da0267b484b2;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c;NotificationInterval=1440;Trigger=TimerEvent | C:\Windows\System32\slui.exe | SppExtComObj.Exe | ||||||||||||
User: NETWORK SERVICE Company: Microsoft Corporation Integrity Level: SYSTEM Description: Windows Activation Client Exit code: 1 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 6180 | "C:\Users\admin\Desktop\NanoCore RAT 1.2.2.0\NanoCore 1.2.2.0 Cracked By Alcatraz3222_Final\NanoCore.exe" | C:\Users\admin\Desktop\NanoCore RAT 1.2.2.0\NanoCore 1.2.2.0 Cracked By Alcatraz3222_Final\NanoCore.exe | explorer.exe | ||||||||||||
User: admin Integrity Level: MEDIUM Description: NanoCore Version: 1.2.2.0 Modules
Nanocore(PID) Process(6180) NanoCore.exe ERROR | |||||||||||||||
| 6488 | C:\WINDOWS\System32\slui.exe -Embedding | C:\Windows\System32\slui.exe | svchost.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Activation Client Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 6568 | C:\WINDOWS\system32\SppExtComObj.exe -Embedding | C:\Windows\System32\SppExtComObj.Exe | — | svchost.exe | |||||||||||
User: NETWORK SERVICE Company: Microsoft Corporation Integrity Level: SYSTEM Description: KMS Connection Broker Version: 10.0.19041.3996 (WinBuild.160101.0800) Modules
| |||||||||||||||
Total events
3 299
Read events
3 265
Write events
34
Delete events
0
Modification events
| (PID) Process: | (2080) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory |
| Operation: | write | Name: | 1 |
Value: C:\Users\admin\Desktop\GoogleChromeEnterpriseBundle64.zip | |||
| (PID) Process: | (2080) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory |
| Operation: | write | Name: | 0 |
Value: C:\Users\admin\Desktop\NanoCore RAT 1.2.2.0.zip | |||
| (PID) Process: | (2080) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | name |
Value: 120 | |||
| (PID) Process: | (2080) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | size |
Value: 80 | |||
| (PID) Process: | (2080) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | type |
Value: 120 | |||
| (PID) Process: | (2080) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | mtime |
Value: 100 | |||
| (PID) Process: | (2080) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\MainWin |
| Operation: | write | Name: | Placement |
Value: 2C0000000200000003000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF3D0000002D000000FD03000016020000 | |||
| (PID) Process: | (2080) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\ArcColumnWidths |
| Operation: | write | Name: | name |
Value: 256 | |||
| (PID) Process: | (2080) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\ArcColumnWidths |
| Operation: | write | Name: | size |
Value: 80 | |||
| (PID) Process: | (2080) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\ArcColumnWidths |
| Operation: | write | Name: | psize |
Value: 80 | |||
Executable files
8
Suspicious files
11
Text files
337
Unknown types
2
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 1480 | WinRAR.exe | C:\Users\admin\Desktop\NanoCore RAT 1.2.2.0\NanoCore 1.2.2.0 Cracked By Alcatraz3222_Final\Databases\geolocation.sqlite | sqlite | |
MD5:0E8D861CDDEDE3A0B2B02CFC0B060B99 | SHA256:11BD851D8994D3CA9D078144679AA2DC06841ADDD0947B8FA8AD36758BDECF7A | |||
| 1480 | WinRAR.exe | C:\Users\admin\Desktop\NanoCore RAT 1.2.2.0\NanoCore 1.2.2.0 Cracked By Alcatraz3222_Final\Plugins\CorePlugin.ncp | binary | |
MD5:7914E7302F72D330AA5F6C5C8C26DF43 | SHA256:F66985518B1E56A04F512D110F5B79F21ED91CBCBF6BD3E17EBA3DCDFB85F9B5 | |||
| 1480 | WinRAR.exe | C:\Users\admin\Desktop\NanoCore RAT 1.2.2.0\NanoCore 1.2.2.0 Cracked By Alcatraz3222_Final\ClientPlugin.xml | xml | |
MD5:5D0381A56563B1CA8928E3CF087F1625 | SHA256:0497B92461C2A9CE3101D9397FB3079F60979164336A16653D282273D3085BCC | |||
| 1480 | WinRAR.exe | C:\Users\admin\Desktop\NanoCore RAT 1.2.2.0\NanoCore 1.2.2.0 Cracked By Alcatraz3222_Final\client.bin | executable | |
MD5:906A949E34472F99BA683EFF21907231 | SHA256:9D3EA5AF7DC261BF93C76F55D702A315AA22FB241E4207DC86CD834C262245C8 | |||
| 1480 | WinRAR.exe | C:\Users\admin\Desktop\NanoCore RAT 1.2.2.0\NanoCore 1.2.2.0 Cracked By Alcatraz3222_Final\ClientPlugin.dll | executable | |
MD5:BDC8945F1D799C845408522E372D1DBD | SHA256:61E9D5C0727665E9EF3F328141397BE47C65ED11AB621C644B5BBF1D67138403 | |||
| 1480 | WinRAR.exe | C:\Users\admin\Desktop\NanoCore RAT 1.2.2.0\NanoCore 1.2.2.0 Cracked By Alcatraz3222_Final\Databases\main.sqlite | binary | |
MD5:8B25E101BCEF867CE355AD7BFDCAAEC8 | SHA256:BC214403975F7F733BE9455B0076BB3F9A7471AA5ECFFE6AC7DB06F9111F0CE0 | |||
| 1480 | WinRAR.exe | C:\Users\admin\Desktop\NanoCore RAT 1.2.2.0\NanoCore 1.2.2.0 Cracked By Alcatraz3222_Final\NanoCore.exe | executable | |
MD5:33FCC2383C9B90EAB547D6C43FA2E475 | SHA256:E7FB74EB2170E30BF6650F9E5FC2C60F68F3532CEE3E0309DE503A19CD7647C6 | |||
| 1480 | WinRAR.exe | C:\Users\admin\Desktop\NanoCore RAT 1.2.2.0\NanoCore 1.2.2.0 Cracked By Alcatraz3222_Final\PluginCompiler.exe | executable | |
MD5:E2D1C5DF11F9573F6C5D0A7AD1A79FBF | SHA256:0B41B2FCD0F1A4E913D3EFE293F713849D59EFEBB27BAC060AB31BED51AC2F6B | |||
| 1480 | WinRAR.exe | C:\Users\admin\Desktop\NanoCore RAT 1.2.2.0\NanoCore 1.2.2.0 Cracked By Alcatraz3222_Final\Plugins\ToolsPlugin.ncp | binary | |
MD5:699EB468E7D6BEE9C429923B5B477545 | SHA256:D753BC28D842E44FFBF6CF99314FEBE5ED7759B25A74CA34A47FDD153BF2A6AB | |||
| 1480 | WinRAR.exe | C:\Users\admin\Desktop\NanoCore RAT 1.2.2.0\NanoCore 1.2.2.0 Cracked By Alcatraz3222_Final\Plugins\SecurityPlugin.ncp | binary | |
MD5:44BD68199BB393D0EEB7AE83B56D9B9F | SHA256:25B1B0836838740D394CD35EAEFC660E9EABEB611A701A451EB1119F6427FC12 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
6
TCP/UDP connections
33
DNS requests
18
Threats
7
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
7008 | svchost.exe | GET | 200 | 88.221.169.152:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | DE | binary | 973 b | whitelisted |
6180 | NanoCore.exe | GET | 200 | 104.26.12.205:80 | http://api.ipify.org/ | US | text | 11 b | whitelisted |
6416 | svchost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | US | binary | 471 b | whitelisted |
5112 | SIHClient.exe | GET | 200 | 88.221.169.152:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | DE | binary | 407 b | whitelisted |
6180 | NanoCore.exe | GET | 200 | 104.26.12.205:80 | http://api.ipify.org/ | US | text | 11 b | whitelisted |
5112 | SIHClient.exe | GET | 200 | 88.221.169.152:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | DE | binary | 419 b | whitelisted |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
7008 | svchost.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
2120 | MoUsoCoreWorker.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
6056 | RUXIMICS.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
7008 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
7008 | svchost.exe | 88.221.169.152:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted |
3260 | svchost.exe | 40.115.3.253:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
2120 | MoUsoCoreWorker.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
6180 | NanoCore.exe | 104.26.12.205:80 | api.ipify.org | CLOUDFLARENET | US | shared |
DNS requests
Domain | IP | Reputation |
|---|---|---|
settings-win.data.microsoft.com |
| whitelisted |
google.com |
| whitelisted |
www.microsoft.com |
| whitelisted |
client.wns.windows.com |
| whitelisted |
login.live.com |
| whitelisted |
api.ipify.org |
| shared |
ocsp.digicert.com |
| whitelisted |
slscr.update.microsoft.com |
| whitelisted |
fe3cr.delivery.mp.microsoft.com |
| whitelisted |
activation-v2.sls.microsoft.com |
| whitelisted |
Threats
PID | Process | Class | Message |
|---|---|---|---|
6180 | NanoCore.exe | Device Retrieving External IP Address Detected | POLICY [ANY.RUN] External IP Lookup by HTTP (api .ipify .org) |
6180 | NanoCore.exe | Device Retrieving External IP Address Detected | ET POLICY External IP Lookup api.ipify.org |
2256 | svchost.exe | Misc activity | ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup |
6180 | NanoCore.exe | Device Retrieving External IP Address Detected | SUSPICIOUS [ANY.RUN] An IP address was received from the server as a result of an HTTP request |
6180 | NanoCore.exe | Device Retrieving External IP Address Detected | POLICY [ANY.RUN] External IP Lookup by HTTP (api .ipify .org) |
6180 | NanoCore.exe | Device Retrieving External IP Address Detected | ET POLICY External IP Lookup api.ipify.org |
6180 | NanoCore.exe | Device Retrieving External IP Address Detected | SUSPICIOUS [ANY.RUN] An IP address was received from the server as a result of an HTTP request |
Process | Message |
|---|---|
NanoCore.exe | Trying to load native SQLite library "C:\Users\admin\Desktop\NanoCore RAT 1.2.2.0\NanoCore 1.2.2.0 Cracked By Alcatraz3222_Final\x86\SQLite.Interop.dll"...
|