{
	"id": "98d200cf-5798-46c0-8263-bf703cfbc877",
	"created_at": "2026-04-06T00:18:49.167014Z",
	"updated_at": "2026-04-10T13:11:36.711764Z",
	"deleted_at": null,
	"sha1_hash": "7b6741a0101e5a553108c9123406ba9d6022056a",
	"title": "Malware Analysis - NanoCore",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 686971,
	"plain_text": "Malware Analysis - NanoCore\r\nBy Bar Magnezi\r\nPublished: 2025-02-27 · Archived: 2026-04-05 12:47:27 UTC\r\n4 minute read\r\nSample:\r\n1d52c927094cc5862349a1b81ddaf10c\r\nBackground\r\nNanoCore is a modular remote access tool developed in .NET that can be used to spy on victims and steal information. It has been used for a while by numerous criminal actors, as well as by nation-state threat actors such as the Iranian group APT33.\r\nStatic Analysis - Stage 1\r\nFigure 1: Malware Bazaar Entry\r\nhttps://0xmrmagnezi.github.io/malware%20analysis/NanoCore/\r\nPage 1 of 10\r\nThis sample is detected by 20 vendors and contains multiple stages, with the analysis revealing key details, including the extraction of the malware’s configuration.\r\nFigure 2: Using Detect It Easy\r\nFirst, I used DIE on the sample to gather more information about it, including the programming language in which it was written, as shown in Figure 2.\r\nFigure 3: Using CAPA\r\nBased on the CAPA output, I speculate that this is likely only the first stage, with additional stages potentially following. Furthermore, the output suggests the presence of anti-analysis techniques.\r\nFigure 4: PEStudio Output\r\nAs shown in Figure 4, multiple strings and indicators are flagged by PEStudio, providing a better understanding of the malware’s functionality. It is most likely packed and contains Stage 2.\r\nThis malware includes anti-debugging techniques, making it more challenging to statically extract the unpacked malware. As a result, I decided to take a different approach: the second stage was dynamically extracted from memory after the malware was executed.\r\nDynamic Analysis - Stage 1\r\nThe behavior of the malware was as follows:\r\nA process for the first executed program was created. After a few seconds, the process was terminated, and a new process was created under the same name as the first process.\r\nFigure 5: New Process Creation\r\nFrom this process, a tool was used to extract any suspicious artifacts, such as an embedded PE, as shown in Figure 6.\r\nFigure 6: Extracting Artifacts\r\nStatic Analysis - Stage 2\r\nThe newly extracted PE was further analyzed using various tools.\r\nFigure 7: Detect It Easy On 2nd Stage\r\nFrom the output of DIE, it was observed that the malware was written in .NET and protected with Eazfuscator, a tool designed to obfuscate .NET code to prevent reverse engineering and tampering.\r\nFigure 8: CAPA Output\r\nFrom the CAPA output, we can observe significantly more details than in the previous analysis, as this is the unpacked version, revealing many more techniques and behaviors.\r\nFigure 9: PEStudio Output\r\nThis second stage was analyzed in dnSpy, a popular tool for decompiling and inspecting .NET assemblies, allowing for a deeper examination of the code and its behavior. As shown in Figure 10, this is the entry point of the malware.\r\nFigure 10: dnSpy Entry Point\r\nAfter some time spent debugging, I was able to locate and extract the malware’s configuration, as shown in Figure 11.\r\nFigure 11: Malware Configuration\r\nDetails such as the C2 domain, port, run-on-startup flag, and mutex were observed. A mutex (short for mutual exclusion) is a synchronization object used to prevent multiple processes from accessing shared resources simultaneously; malware often uses one to ensure that only a single instance of itself runs on the system.\r\nDecoded Malware Configuration:\r\n+ [0] [\"KeyboardLogging\", true]\r\n+ [1] [\"BuildTime\", {1/9/2025 10:54:57 AM}]\r\n+ [2] [\"Version\", {1.2.2.0}]\r\n+ [3] [\"Mutex\", {3740d544-7efc-40b2-8c32-f31974309f7d}]\r\n+ [4] [\"DefaultGroup\", \"JAMJAM01\"]\r\n+ [5] [\"PrimaryConnectionHost\", \"lxtihmjohnson163[.]airdns[.]org\"]\r\n+ [6] [\"BackupConnectionHost\", \"\"]\r\n+ [7] [\"ConnectionPort\", 43366]\r\n+ [8] [\"RunOnStartup\", true]\r\n+ [9] [\"RequestElevation\", false]\r\n+ [10] [\"BypassUserAccountControl\", true]\r\n+ [11] [\"BypassUserAccountControlData\", {byte[0x000004FE]}]\r\n+ [12] [\"ClearZoneIdentifier\", true]\r\n+ [13] [\"ClearAccessControl\", false]\r\n+ [14] [\"SetCriticalProcess\", false]\r\n+ [15] [\"PreventSystemSleep\", true]\r\n+ [16] [\"ActivateAwayMode\", false]\r\n+ [17] [\"EnableDebugMode\", false]\r\n+ [18] [\"RunDelay\", 0]\r\n+ [19] [\"ConnectDelay\", 4000]\r\n+ [20] [\"RestartDelay\", 5000]\r\n+ [21] [\"TimeoutInterval\", 5000]\r\n+ [22] [\"KeepAliveTimeout\", 30000]\r\n+ [23] [\"MutexTimeout\", 5000]\r\n+ [24] [\"LanTimeout\", 2500]\r\n+ [25] [\"WanTimeout\", 8000]\r\n+ [26] [\"BufferSize\", 65535]\r\n+ [27] [\"MaxPacketSize\", 10485760]\r\n+ [28] [\"GCThreshold\", 10485760]\r\n+ [29] [\"UseCustomDnsServer\", true]\r\n+ [30] [\"PrimaryDnsServer\", \"8.8.8.8\"]\r\n+ [31] [\"BackupDnsServer\", \"8.8.4.4\"]\r\nDynamic Analysis - Stage 2\r\nAfter running the malware, more information was revealed, such as registry manipulation, changes to file locations, access to the camera, and keylogging techniques.\r\nFigure 12: TCPView Trying To Establish Connection\r\nAfter a restart, the malware starts from a new location under the name “ddpss”, attempting to impersonate a legitimate process.\r\nFigure 13: Process Starts Under a New Name\r\nIn Autoruns, it was observed that a new entry was added under ‘Logon’, indicating that this process will start after the computer boots up.\r\nFigure 14: Autoruns Entry \"Logon\"\r\nNetwork Analysis\r\nUsing Wireshark, a C2 domain was discovered, which matched the domain found in the malware’s configuration, confirming that this is the real configuration for the malware.\r\nFigure 15: Wireshark C2 Domain\r\nSummary\r\nNanoCore is a remote access Trojan (RAT) linked to the Iranian threat actor APT33. It features multiple stages, anti-analysis techniques, and obfuscation. During analysis, I extracted its configuration, which revealed C2 domains, mutexes, UAC bypass, and other key details. The malware ensures persistence across reboots by impersonating legitimate processes and manipulating the registry.\r\nIOCs\r\nHash:\r\n1d52c927094cc5862349a1b81ddaf10c\r\n6a6a79c0c2208774bfb564576ee1c25c\r\nDomain:\r\nlxtihmjohnson163[.]airdns[.]org\r\ntunhost[.]duckdns[.]org\r\nIP:\r\nSource: https://0xmrmagnezi.github.io/malware%20analysis/NanoCore/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://0xmrmagnezi.github.io/malware%20analysis/NanoCore/"
	],
	"report_names": [
		"NanoCore"
	],
	"threat_actors": [
		{
			"id": "a63c994f-d7d6-4850-a881-730635798b90",
			"created_at": "2025-08-07T02:03:24.788883Z",
			"updated_at": "2026-04-10T02:00:03.785146Z",
			"deleted_at": null,
			"main_name": "COBALT TRINITY",
			"aliases": [
				"APT33 ",
				"Elfin ",
				"HOLMIUM ",
				"MAGNALIUM ",
				"Peach Sandstorm ",
				"Refined Kitten ",
				"TA451 "
			],
			"source_name": "Secureworks:COBALT TRINITY",
			"tools": [
				"AutoCore",
				"Cadlotcorg",
				"Dello RAT",
				"FalseFont",
				"Imminent Monitor",
				"KDALogger",
				"Koadic",
				"NanoCore",
				"NetWire",
				"POWERTON",
				"PoshC2",
				"Poylog",
				"PupyRAT",
				"Schoolbag"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "e5ff825b-0456-4013-b90a-971b93def74a",
			"created_at": "2022-10-25T15:50:23.824058Z",
			"updated_at": "2026-04-10T02:00:05.377261Z",
			"deleted_at": null,
			"main_name": "APT33",
			"aliases": [
				"APT33",
				"HOLMIUM",
				"Elfin",
				"Peach Sandstorm"
			],
			"source_name": "MITRE:APT33",
			"tools": [
				"PowerSploit",
				"AutoIt backdoor",
				"PoshC2",
				"Mimikatz",
				"NanoCore",
				"DEADWOOD",
				"StoneDrill",
				"POWERTON",
				"LaZagne",
				"TURNEDUP",
				"NETWIRE",
				"Pupy",
				"ftp"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b23e717c-0b27-47e0-b3c8-4defe6dd857f",
			"created_at": "2023-01-06T13:46:38.367369Z",
			"updated_at": "2026-04-10T02:00:02.945356Z",
			"deleted_at": null,
			"main_name": "APT33",
			"aliases": [
				"Elfin",
				"MAGNALLIUM",
				"HOLMIUM",
				"COBALT TRINITY",
				"G0064",
				"ATK35",
				"Peach Sandstorm",
				"TA451",
				"APT 33",
				"Refined Kitten"
			],
			"source_name": "MISPGALAXY:APT33",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434729,
	"ts_updated_at": 1775826696,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/7b6741a0101e5a553108c9123406ba9d6022056a.pdf",
		"text": "https://archive.orkl.eu/7b6741a0101e5a553108c9123406ba9d6022056a.txt",
		"img": "https://archive.orkl.eu/7b6741a0101e5a553108c9123406ba9d6022056a.jpg"
	}
}