Our Cyber Lab received a request to analyse a potentially malicious file attachment which was distributed via email to a client. The malicious file was first statically analysed and then deployed in a virtualised environment to observe its behaviour. The following report below details the results of this analysis, and contains the following information:
The malware arrived via an email attachment and was flagged by local anti-virus software. The malicious attachment contained a single disk image .img file, inside of which is a Windows Portable Executable (PE) binary.
|Targeted OS:||Windows NT 32-bit|
The PE binary was extracted and uploaded to VirusTotal for initial automated static and dynamic analysis. 41 out of 69 antivirus engines positively identified the file as malicious software, with almost all of them identifying the file as a variant of the Nanocore Remote Access Trojan (RAT). The behaviour observed in our own virtualised analysis also suggests we are dealing with nanocore.
When deployed in a virtualised Windows environment the malicious binary exhibited the following behaviour:
Nanocore is a Remote Access Trojan which first appeared in 2012 and was originally sold by the author for $25 on his website nanocore.io, with the author selling his tool under the guise of a ‘Remote Administration Tool’. The website boasted the software to have the following features:
The plugin list is extensive; a few of the plugins available are listed below:
The author, Taylor Huddleson, was eventually arrested in 2016 and in 2018 sentenced to 33 months in prison.
The following is a time-specific breakdown of the behaviours of the malware sample:
For our latest research, and for links and comments on other research, follow our Lab on Twitter.