{
	"id": "34a88ffa-6aee-47c7-b198-4494610be892",
	"created_at": "2026-04-06T00:09:26.505959Z",
	"updated_at": "2026-04-10T03:23:51.247437Z",
	"deleted_at": null,
	"sha1_hash": "fc88f4052b7fc9bda472f445f6d022cc92880914",
	"title": "Decrypting NanoCore config and dump all plugins",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1964294,
	"plain_text": "Decrypting NanoCore config and dump all plugins\r\nBy NexusFuzzy\r\nPublished: 2020-09-10 · Archived: 2026-04-05 14:41:03 UTC\r\nEven after the arrest of the developer, NanoCore remains relevant due to its cracked versions\r\nWhile the original author of NanoCore was arrested back in 2017 and pleaded guilty, pirated copies of his creation keep floating around the internet, making it available to even the most amateurish “threat actors”.\r\nAs stated in my other article about AgentTesla, the main focus for an analyst should be to squeeze out the IOCs (Indicators of Compromise) as fast as possible in order to move on to more interesting threats. That’s why I created a decryptor for NanoCore which not only dumps the config but also all used plugins.\r\nThe dissection\r\nNanoCore comes with a comfortable-to-use Server/Builder which doesn’t need any technical experience at all:\r\nhttps://medium.com/@mariohenkel/decrypting-nanocore-config-and-dump-all-plugins-f4944bfaba52?sk=00be46bc5bf99e8ab67369152ceb0332\r\nPage 1 of 6\r\nThe builder for NanoCore\r\nWith builders like this, most of the time the “client” which gets distributed to victims remains the same; just the configuration gets embedded in one way or another. So this is the first step in our process: finding out how the plugins and config are embedded in the client.\r\nFor this reason, I built my own client and used de4dot to deobfuscate the created file:\r\nAs you may notice from the path, I’m using one of the cracked versions of NanoCore\r\nAfterwards you can open up the sample in dnSpy and begin reversing it as you normally would. During this process I found an interesting function:\r\nSo what does this mean? Well, it’s a strong indicator that the client is accessing its native resource(s), which could be the perfect place to embed a dynamic configuration. Let’s dig deeper…\r\nAfter analyzing where those functions are used I stumbled across this function:\r\nLooks like our assumption was right!\r\nWhat this function does is find a resource by its number and afterwards load its content into a byte array.\r\nLet’s have a look at this resource with Resource Hacker; maybe we can find some clear-text strings for a quick win:\r\nDoesn’t look really readable, to be honest\r\nCould it be that the resource is encrypted? Let’s have a look! To see this we follow the rabbit hole and see where our function to load the resource is referenced:\r\nDon’t mind that my functions have other names than in the original binary\r\nIf we open up this function we can see some interesting things:\r\nLet’s examine the interesting parts:\r\nFirst, it gets its own Guid and passes this Guid together with a 4-byte integer to some sort of decryption method:\r\nThe returned byte array is used to initialize a DES encryptor \u0026 decryptor, using the byte array as both Key and IV:\r\nThis decryptor is then used to decrypt the config and plugins.\r\nLet’s summarize: First, it gets its Guid and uses it to get the key itself which was used to encrypt the resource file. The fact that the Guid is created randomly by the server for every new client that is built led me to the initial conclusion that you have to extract the Guid from the sample to dynamically dump the config — well, I was wrong. The Guid changes but the key remains the same, so you could skip this step, but I left it in my tool since this may change from version to version and I would like to keep it dynamic.\r\nAfter having realized how those steps work together I was able to come up with a decryptor which you can find in my GitHub repo called NanoDump.\r\nSource of NanoDump\r\nAs you can see, I replicated the necessary steps to reach the goal of decrypting and dumping the details of NanoCore.\r\nIf you have any questions, feel free to drop me a message on Twitter or open a GitHub issue!\r\nSource: https://medium.com/@mariohenkel/decrypting-nanocore-config-and-dump-all-plugins-f4944bfaba52?sk=00be46bc5bf99e8ab67369152ceb0332",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://medium.com/@mariohenkel/decrypting-nanocore-config-and-dump-all-plugins-f4944bfaba52?sk=00be46bc5bf99e8ab67369152ceb0332"
	],
	"report_names": [
		"decrypting-nanocore-config-and-dump-all-plugins-f4944bfaba52?sk=00be46bc5bf99e8ab67369152ceb0332"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434166,
	"ts_updated_at": 1775791431,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/fc88f4052b7fc9bda472f445f6d022cc92880914.pdf",
		"text": "https://archive.orkl.eu/fc88f4052b7fc9bda472f445f6d022cc92880914.txt",
		"img": "https://archive.orkl.eu/fc88f4052b7fc9bda472f445f6d022cc92880914.jpg"
	}
}