Rewterz Threat Alert – Nanocore RAT – IOCs

Severity

High

Analysis Summary

NanoCore is high-risk trojan, a remote access tool (RAT). In most cases, this malware is proliferated using spam email campaigns. Criminals send thousands of deceptive emails that contain malicious attachments. Once opened, these files immediately infect computers with viruses such as NanoCore. The presence of this malware can cause serious issues, since the malware distributor gains remote access to the infected system.

Impact

• Credential theft 
• Exposure of sensitive information

Indicators of Compromise

URL

• http[:]//admindepartment[.]ir/notepaq/bknu[.]exe
• http[:]//5[.]135[.]73[.]86/zero[.]exe
• http[:]//35[.]157[.]92[.]120/nass[.]exe
• http[:]//5[.]135[.]73[.]120/zero[.]exe
• https[:]//vwl0ka[.]bn[.]files[.]1drv[.]com/y4mRiCSo8-5MIgge9SHqjjrlvOUo4lZm9X3aMjoB8jwHDw7gTeoUD4j33TXGb2pJwHZsd59RXxGpClZ4WZrntjGmOMGB2sWMrZBtmYbP5kRfqmnlb_nTpBmBfyyuwaRcLrSExxRMC9AR9QJ23jrOq5E1bEg_9rb5EpjHYF_x_5fZfIHnDuuGgV5rXGR7HOY8B6HNkb5dxx-BeVQ-KPh96kxA/Pago%20reporte[.]pdf[.]zip?download&psid=1
• https[:]//huh[.]canto[.]com/rest/share/album/LO5OM/rest/binary/other/plehtpdqal747842kiuc2v4272/download
• https[:]//qh6ohq[.]am[.]files[.]1drv[.]com/y4mKvN4YtqicreVRmeKrzj3O7LBsBy0CqClbnUsreVobuTViiFjVjwiUrWxy3XVDjd8jjR6fdsVtjH4w63lubG7EaOhre5KB6XRrca4trVo5yhUx9BxQCTzdoeLh3VHlnji5fvBXyhLjDkDpH4LwF8hxAuKaoLqLqbmEB5OdBmeLjEGnhmR9wulombFzBTFsBiaFM3qqFJiYKKxXuAPMSkQ/SWIFT%20COPY[.]z?download&psid=1
• https[:]//greenhillsrishikesh[.]com/nel[.]exe
• https[:]//s3[.]rokket[.]space/t_fr7OUh[.]txt
• http[:]//cdn[.]discordapp[.]com/attachments/600109736821784578/638103447845077082/svchost[.]exe

Remediation

• Block all threat indicators at your respective controls. 
• Search for IOCs in your environment.