{
	"id": "f4bddda9-68b6-4ac5-a808-ce7de9eb9c00",
	"created_at": "2026-04-06T00:19:00.011983Z",
	"updated_at": "2026-04-10T03:21:28.592096Z",
	"deleted_at": null,
	"sha1_hash": "e40a2cbf9d39fda294d1d011e6b9045ef553487d",
	"title": "The NanoCore RAT Has Resurfaced From the Sewers - Cofense",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 693546,
	"plain_text": "The NanoCore RAT Has Resurfaced From the Sewers - Cofense\r\nPublished: 2018-03-02 · Archived: 2026-04-05 19:23:21 UTC\r\nThe Cofense™ Phishing Defense Center has observed several e-mails attempting to deliver a popular variant of Remote Access Trojan (RAT) malware that appears to have recently resurfaced: NanoCore. Figure 1 shows an example of one of the emails we received.\r\nFigure 1: Email delivering NanoCore RAT\r\nHow it works.\r\nThe email purports to be a payment confirmation sent from the accounts department of a company called Dia Exports, a name derived from the sender’s email address (accounts@diaexports.com).\r\nThe ‘View’ and ‘Download’ links in Figure 1 navigate to the same page:\r\nhxxps://dl[.]dropboxusercontent[.]com/content_link/75XIYjUXQ0GoDIX4zQHBaBdvhrAz3vHUvjG99GtZ8aXMF85hKCgdDiD1SYobP\r\ndl=1\r\nThe website downloads a compressed RAR archive named “SWIFT-” followed by random letters and numbers; once extracted, it contains a JavaScript file.\r\nExecuting this JavaScript file causes a temporary VBScript file to be written to the directory C:\\Users\\Fisher\\AppData\\Local\\Temp, as shown in Figure 2.\r\nhttps://web.archive.org/web/20240522112705/https://cofense.com/blog/nanocore-rat-resurfaced-sewers/\r\nPage 1 of 5\n\nFigure 2: Temporary VBS file which initiates the download of the NanoCore RAT\r\nThe VBScript file is then executed, which in turn causes an executable file to be downloaded from the payload domain chantracomputer[.]com, as seen in Figure 3.\r\nFigure 3: Download request that is made to the payload domain\r\nThe process YSI.exe is spawned, which then creates the following directory:\r\nC:\\Users\\Test\\AppData\\Local\\Temp\\subfolder\r\nThe files “firefox.exe” and “firefox.vbs” are also created under this directory. The process “YSI.exe” is terminated and the VBScript “firefox.vbs” runs. 
Let’s take a closer look at this VBScript file depicted in Figure 4.\r\nFigure 4: VBS startup script for the NanoCore RAT\r\nAs you can see from the VBScript file, the commands in the script are invoked using the WScript shell. It does two things: first, it creates a “RunOnce” key in the registry so that the VBScript is executed each time the user logs on to the machine (indicating persistence), and second, it runs the executable file “firefox.exe”.\r\nOnce the process “firefox.exe” is running, we can see that a connection is established to the command and control server shown in Figure 5.\r\nFigure 5: NanoCore RAT making a connection to its C2 server\r\nThe process also creates a new folder under the directory C:\\Users\\Fisher\\AppData\\Roaming, displayed in Figure 6.\r\nFigure 6: New directory created by the NanoCore RAT\r\nThis directory contains other indicators to support the fact that a RAT is installed on the infected machine (Figure 7).\r\nFigure 7: Directory created by the NanoCore RAT containing binary data\r\nDumping the memory contents of the process “firefox.exe” reveals that this particular RAT belongs to the NanoCore family, as shown in Figure 8.\r\nFigure 8: Memory dump confirming the family of RATs that we are dealing with is NanoCore\r\nWhy RATs are popular—and steps you can take if you’re infected.\r\nNanoCore is a type of Remote Access Trojan (RAT) first discovered back in 2013. The very first versions of the RAT were made available on the dark web not long after its initial discovery.\r\nIn 2015, a paid version of NanoCore was made available on the open Internet. 
However, free, cracked versions were quickly leaked, which most likely led to its widespread use and popularity among underground criminals.\r\nNanoCore is a modular RAT, which means that the threat actor can expand its functionality by installing additional modules based on his or her own needs. This is what makes NanoCore so desirable to criminals.\r\nIf you suspect that you are infected with a RAT, consider confirming this first. This can be done by monitoring network connections and looking for any unexpected connections on an open port. Netstat is a great utility which allows you to view all active and listening TCP and UDP ports on a local machine.\r\nIf you have identified that your machine is indeed infected, we recommend disconnecting your machine from the Internet to prevent the malicious actor from probing your machine and causing any further damage. Process Hacker is another tool which can help you identify the malware process; like Netstat, it can also show you active and listening TCP and UDP connections as well as the processes that own them. The registry is a good place to look, as most malware writes to it for persistence on the victim’s machine. Checking the “AppData/Local/Temp” directory is another great way to find indicators of compromise.\r\nSign up for free threat alerts. Get phishing and malware trends delivered to your inbox: https://cofense.com/threat-alerts/\r\nSource: https://web.archive.org/web/20240522112705/https://cofense.com/blog/nanocore-rat-resurfaced-sewers/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://web.archive.org/web/20240522112705/https://cofense.com/blog/nanocore-rat-resurfaced-sewers/"
	],
	"report_names": [
		"nanocore-rat-resurfaced-sewers"
	],
	"threat_actors": [],
	"ts_created_at": 1775434740,
	"ts_updated_at": 1775791288,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e40a2cbf9d39fda294d1d011e6b9045ef553487d.pdf",
		"text": "https://archive.orkl.eu/e40a2cbf9d39fda294d1d011e6b9045ef553487d.txt",
		"img": "https://archive.orkl.eu/e40a2cbf9d39fda294d1d011e6b9045ef553487d.jpg"
	}
}