This article provides an in-depth analysis of a NanoCore Remote Access Trojan (RAT) sample identified by the MD5 hash 18B476D37244CB0B435D7B06912E9193, covering its behavior, obfuscation techniques, persistence methods, and communication with command-and-control (C2) servers.
Affected: Cybersecurity, Victims of Data Theft
Key points:
- NanoCore is a Remote Access Trojan used for espionage and data theft.
- The analyzed sample has a specific MD5 hash denoted as 18B476D37244CB0B435D7B06912E9193.
- The sample employs Eazfuscator obfuscation to hinder analysis.
- Deobfuscation with de4dot allows for the recovery of readable code.
- NanoCore uses Windows Task Scheduler for persistence and C2 communication.
- The RAT connects to the potential C2 domain simpletest.ddns.net and also establishes a connection to Google DNS (8.8.8.8).
- It creates registry entries for persistence and drops malware components in hidden directories.
- It features a modular plugin system that extends its spyware capabilities, notably through the SurveillanceEx plugin.
- Data exfiltration activities include capturing keystrokes and screenshots.
- Indicators of Compromise (IOCs) identified include file hashes, network connections, and registry changes.
MITRE Techniques:
- T1071.001: Application Layer Protocol – The malware communicates with a remote C2 server over a defined port.
- T1059.001: Command and Scripting Interpreter: PowerShell – Uses Windows Task Scheduler commands to maintain persistence.
- T1047: Windows Management Instrumentation – Leverages Windows features for operational aspects.
- T1083: File and Directory Discovery – The malware searches for files and directories to exfiltrate sensitive data.
Indicators of Compromise:
- [File Hash] 18B476D37244CB0B435D7B06912E9193
- [Registry Key] HKCU\Software\Microsoft\Windows\CurrentVersion\Run\saasmon.exe
- [File Path] C:\Program Files (x86)\SAAS Monitor\saasmon.exe
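As an added example (not code from the article or its author), the indicators above can be matched against endpoint telemetry; the event shape, field names and sample records below are constructed, modelled loosely on Sysmon's registry, file, process and DNS events, and the path separators are restored from the article's listing.

```python
# IOCs from the article above, normalised to lower case (Windows paths and
# registry keys are case-insensitive, so comparisons must be too)
IOC_MD5 = "18b476d37244cb0b435d7b06912e9193"
IOC_RUN_VALUE = r"hkcu\software\microsoft\windows\currentversion\run\saasmon.exe"
IOC_FILE_PATH = r"c:\program files (x86)\saas monitor\saasmon.exe"
IOC_C2_DOMAIN = "simpletest.ddns.net"

# Telemetry may log either the long or the short hive name
HIVE_ALIASES = {"hkey_current_user": "hkcu", "hkey_local_machine": "hklm",
                "hkey_users": "hku", "hkey_classes_root": "hkcr"}

def norm_reg(path: str) -> str:
    """Lower-case a registry path and map long hive names to their short form."""
    hive, sep, rest = path.lower().partition("\\")
    return HIVE_ALIASES.get(hive, hive) + sep + rest

def parse_hashes(field: str) -> dict:
    """Parse a Sysmon-style 'MD5=...,SHA256=...' field into {algo: hexdigest}."""
    out = {}
    for part in field.split(","):
        algo, _, digest = part.partition("=")
        if digest:
            out[algo.strip().lower()] = digest.strip().lower()
    return out

def match_event(ev: dict) -> list:
    """Return the IOC labels one event matches (empty list if nothing matched)."""
    hits, t = [], ev.get("type")
    if t == "registry_set" and norm_reg(ev.get("target", "")) == IOC_RUN_VALUE:
        hits.append("registry_run_persistence")
    if t in ("file_create", "process_create"):
        if (ev.get("path") or ev.get("image") or "").lower() == IOC_FILE_PATH:
            hits.append("dropped_binary_path")
    if t == "process_create":
        if parse_hashes(ev.get("hashes", "")).get("md5") == IOC_MD5:
            hits.append("known_sample_md5")
        cl = ev.get("command_line", "").lower()  # Task Scheduler persistence pointing at the dropped binary
        if "schtasks" in cl and "/create" in cl and IOC_FILE_PATH in cl:
            hits.append("scheduled_task_persistence")
    if t == "dns_query":
        q = ev.get("query", "").lower().rstrip(".")  # also catch sub-labels of the DDNS name
        if q == IOC_C2_DOMAIN or q.endswith("." + IOC_C2_DOMAIN):
            hits.append("c2_domain_lookup")
    return hits

def scan(events) -> dict:
    """Map each event index to its IOC hits, skipping events with none."""
    return {i: h for i, ev in enumerate(events) if (h := match_event(ev))}

# Constructed sample events (not real telemetry)
SAMPLE_EVENTS = [
    {"type": "registry_set", "target": r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\saasmon.exe"},
    {"type": "file_create", "path": r"C:\Program Files (x86)\SAAS Monitor\SAASMON.EXE"},
    {"type": "process_create", "image": r"C:\Users\victim\Downloads\invoice.exe",
     "hashes": "MD5=18B476D37244CB0B435D7B06912E9193,SHA256=placeholder"},
    {"type": "process_create", "image": r"C:\Windows\System32\schtasks.exe",
     "command_line": r'schtasks /create /sc minute /tn "SAAS Monitor" /tr "C:\Program Files (x86)\SAAS Monitor\saasmon.exe"'},
    {"type": "dns_query", "query": "simpletest.ddns.net"},
    {"type": "dns_query", "query": "dns.google"},
]
```

Running `scan(SAMPLE_EVENTS)` flags the first five constructed events and leaves the benign DNS lookup unmatched.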
Full Story: https://malwr-analysis.com/2025/02/10/nanocore-rat-malware-analysis/