win.nanocore

Nanocore RAT

Actor(s): APT33, The Gorgon Group


There is no description at this point.

References
https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html
https://goggleheadedhacker.com/blog/post/11
https://www.symantec.com/blogs/threat-intelligence/elfin-apt33-espionage
https://researchcenter.paloaltonetworks.com/2018/08/unit42-gorgon-group-slithering-nation-state-cybercrime/
https://www.bleepingcomputer.com/news/security/nanocore-rat-author-gets-33-months-in-prison/
Yara Rules
[TLP:WHITE] win_nanocore_w0 (20170517 | No description)
rule win_nanocore_w0 {
    meta:
        author = "Kevin Breen <kevin@techanarchy.net>"
        date = "2014/04"
        ref = "http://malwareconfig.com/stats/NanoCore"
        maltype = "Remote Access Trojan"
        filetype = "exe"
        source = "https://github.com/mattulm/sfiles_yara/blob/master/malware/NanoCore.yar"
        malpedia_version = "20170517"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    strings:
        $a = "NanoCore"
        $b = "ClientPlugin"
        $c = "ProjectData"
        $d = "DESCrypto"
        $e = "KeepAlive"
        $f = "IPNETROW"
        $g = "LogClientMessage"
        $h = "|ClientHost"
        $i = "get_Connected"
        $j = "#=q"
        $key = {43 6f 24 cb 95 30 38 39}

    condition:
        6 of them
}