File name: nano.exe

Full analysis: https://app.any.run/tasks/63edd4fa-61a5-446c-bfcf-c291b0031dd5
Verdict: Malicious activity
Threats:

NanoCore is a Remote Access Trojan or RAT. This malware is highly customizable with plugins which allow attackers to tailor its functionality to their needs. Nanocore is created with the .NET framework and it’s available for purchase for just $25 from its “official” website.

Analysis date: November 08, 2023, 16:44:52
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: nanocore
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5: 2AA7DEC44F3808E653B5F6E3F1835E45
SHA1: 8A2546263849DD38E04177633EFFCE6A58814E06
SHA256: A7A90A8026BCC938E74F035972D1DCF2EC46250A8C75F97A947401678FA02D79
SSDEEP: 24576:TrQBWYn4/fv/waJG7bruWxG2ja7wL1TbzOFXg/NNr:TrQBWYn4/fv/waJG7bruWxG2ja7wRTb7

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • nano.exe (PID: 3128)
      • nano.exe (PID: 3612)
    • NANOCORE has been detected (YARA)

      • nano.exe (PID: 3612)
  • SUSPICIOUS

    • Starts itself from another location

      • nano.exe (PID: 3128)
    • Connects to unusual port

      • nano.exe (PID: 3612)
  • INFO

    • Checks supported languages

      • nano.exe (PID: 3128)
      • nano.exe (PID: 3612)
    • Reads the computer name

      • nano.exe (PID: 3128)
      • nano.exe (PID: 3612)
    • Creates files in a temporary directory

      • nano.exe (PID: 3128)
    • Reads the machine GUID from the registry

      • nano.exe (PID: 3612)
      • nano.exe (PID: 3128)
    • Process checks whether UAC notifications are on

      • nano.exe (PID: 3612)
    • Creates files or folders in the user directory

      • nano.exe (PID: 3612)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Nanocore

(PID) Process: (3612) nano.exe
KeyboardLogging: True
BuildTime: 2021-06-29 12:39:45.485696
Version: 1.2.2.0
Mutex: 7eb2a8f7-a639-4f9c-9b52-ee4a8723b0ee
DefaultGroup: Default
PrimaryConnectionHost: luda.ydns.eu
BackupConnectionHost: luda.ydns.eu
ConnectionPort: 5498
RunOnStartup: True
RequestElevation: False
BypassUserAccountControl: True
ClearZoneIdentifier: True
ClearAccessControl: False
SetCriticalProcess: False
PreventSystemSleep: True
ActivateAwayMode: False
EnableDebugMode: False
RunDelay: 0
ConnectDelay: 4000
RestartDelay: 5000
TimeoutInterval: 5000
KeepAliveTimeout: 30000
MutexTimeout: 5000
LanTimeout: 2500
WanTimeout: 8000
BufferSize: 65535
MaxPacketSize: 10485760
GCThreshold: 10485760
UseCustomDnsServer: True
PrimaryDnsServer: luda.ydns.eu
BackupDnsServer: luda.ydns.eu
No Malware configuration.

TRiD

.exe | Win32 Executable (generic) (52.9)
.exe | Generic Win/DOS Executable (23.5)
.exe | DOS Executable Generic (23.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2072:11:04 17:16:30+01:00
ImageFileCharacteristics: Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 48
CodeSize: 503808
InitializedDataSize: 70144
UninitializedDataSize: -
EntryPoint: 0x7cf8e
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 6.3.2.0
ProductVersionNumber: 6.3.2.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: AnyDesk
CompanyName: AnyDesk Software GmbH
FileDescription: AnyDesk
FileVersion: 6.3.2.0
InternalName: nano.exe
LegalCopyright: (C) 2021 AnyDesk Software GmbH
LegalTrademarks: -
OriginalFileName: nano.exe
ProductName: AnyDesk
ProductVersion: 6.3.2.0
AssemblyVersion: 6.3.2.0
All screenshots are available in the full report
Total processes: 36
Monitored processes: 2
Malicious processes: 2
Suspicious processes: 0

Behavior graph

start -> nano.exe (no specs) -> nano.exe (#NANOCORE)

Process information

PID: 3128
CMD: "C:\Users\admin\Desktop\nano.exe"
Path: C:\Users\admin\Desktop\nano.exe
Parent process: explorer.exe
User: admin
Company: AnyDesk Software GmbH
Integrity Level: MEDIUM
Description: AnyDesk
Exit code: 0
Version: 6.3.2.0
Modules
Images
c:\users\admin\desktop\nano.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll

PID: 3612
CMD: C:\Users\admin\AppData\Local\Temp\nano.exe
Path: C:\Users\admin\AppData\Local\Temp\nano.exe
Parent process: nano.exe
User: admin
Company: AnyDesk Software GmbH
Integrity Level: MEDIUM
Description: AnyDesk
Exit code: 0
Version: 6.3.2.0
Modules
Images
c:\users\admin\appdata\local\temp\nano.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
Nanocore configuration for (PID) 3612 nano.exe: listed above under Nanocore.
Total events: 304
Read events: 304
Write events: 0
Delete events: 0

Modification events

No data
Executable files: 2
Suspicious files: 0
Text files: 1
Unknown types: 0

Dropped files

PID 3128, nano.exe: C:\Users\admin\AppData\Local\Temp\nano.exe (executable)
  MD5: 2AA7DEC44F3808E653B5F6E3F1835E45
  SHA256: A7A90A8026BCC938E74F035972D1DCF2EC46250A8C75F97A947401678FA02D79
PID 3612, nano.exe: C:\Users\admin\AppData\Roaming\90059C37-1320-41A4-B58D-2B75A9850D2F\TCP Monitor\tcpmon.exe (executable)
  MD5: 2AA7DEC44F3808E653B5F6E3F1835E45
  SHA256: A7A90A8026BCC938E74F035972D1DCF2EC46250A8C75F97A947401678FA02D79
PID 3612, nano.exe: C:\Users\admin\AppData\Roaming\90059C37-1320-41A4-B58D-2B75A9850D2F\run.dat (text)
  MD5: 27461FED12C9C87CBAEFFBF6ED1925A7
  SHA256: AB403D17A8CCF3344C75FDACF8D9665912495DB87CA17E62022C4D7FDB245307
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 0
TCP/UDP connections: 6
DNS requests: 3
Threats: 3

HTTP requests

No HTTP requests

Connections

PID  | Process     | IP                   | Domain       | ASN       | CN | Reputation
2588 | svchost.exe | 239.255.255.250:1900 | -            | -         | -  | whitelisted
4    | System      | 192.168.100.255:137  | -            | -         | -  | whitelisted
4    | System      | 192.168.100.255:138  | -            | -         | -  | whitelisted
1080 | svchost.exe | 224.0.0.252:5355     | -            | -         | -  | unknown
3612 | nano.exe    | 195.133.40.5:5498    | luda.ydns.eu | Delis LLC | CZ | unknown

DNS requests

Domain       | IP           | Reputation
luda.ydns.eu | 195.133.40.5 | malicious

Threats

3 ETPRO signatures available at the full report

No debug info