type: analysis
family: nanocore
confidence: high
created: 2026-06-02
updated: 2026-06-02
tags: dotnet, malware-family, rat, c2, obfuscation, persistence
SHA-256: fe81691f199873bd5470c7beff9a52fdd6c1e03b80484e40b15ce040cde851b5

nanocore: fe81691f — VB.NET ConfuserEx dropper, NanoCore v1.2.2.0 RAT

Executive Summary

A 203 KB PE32 .NET assembly (okfun.exe) carrying the NanoCore RAT client (v1.2.2.0) inside a heavy ConfuserEx obfuscation layer. Built from Visual Basic .NET (My Application Framework), compiled in February 2015, and deployed with a high-entropy resource payload in .rsrc that contains an embedded ZIP archive. No static C2 hardcoded; network settings appear runtime-resolved via the builder. Static-only analysis — Windows CAPE guest was unavailable. ^[file.txt] ^[strings.txt]

What It Is

| Property | Value | Provenance |
| --- | --- | --- |
| SHA-256 | fe81691f199873bd5470c7beff9a52fdd6c1e03b80484e40b15ce040cde851b5 | metadata.json |
| File name | okfun.exe | metadata.json |
| Size | 207,872 bytes (203 KB) | metadata.json |
| Type | PE32 executable (GUI) Intel 80386 Mono/.Net assembly, 3 sections | file.txt |
| Timestamp | Sun Feb 22 00:49:37 2015 UTC | pefile.txt |
| Linker | .NET Framework v2.0.50727 (CLR 2.0) | strings.txt:51 |
| Language | Visual Basic .NET (My.Application framework) | strings.txt:1666, strings.txt:1669 |
| RAT version | NanoCore Client 1.2.2.0 | strings.txt:1639, strings.txt:1676 |
| Obfuscator | ConfuserEx (massive #=q… mangling, 1,039 instances) | strings.txt:278+, custom count |
| Signed | No (stripped, unsigned) | pefile.txt:173-186 |

The binary is the compiled client payload for NanoCore, a commodity .NET-based remote-access trojan. The original source was likely assembled by the NanoCore builder and then passed through ConfuserEx to strip names, encrypt resources, and impede static recovery. ^[strings.txt:55] ^[strings.txt:57-64]

How It Works

Loader / Startup

  1. The PE is a standard .NET EXE with a single import (mscoree.dll!_CorExeMain) ^[pefile.txt:199].
  2. On CLR bootstrap, execution reaches ClientLoaderForm.Main (the entry point identified in radare2) ^[r2:method.ClientLoaderForm.Main].
  3. The VB.NET My.Application template auto-generates a hidden Windows Forms wrapper; ClientLoaderForm is created as invisible (set_Visible, set_ShowInTaskbar, set_WindowState) ^[strings.txt:1641-1644].
  4. The IClientApp interface (NanoCore plugin contract) is instantiated, which triggers the network layer, registry operations, and plugin loading.

Obfuscation

  • Name mangling: ConfuserEx has rewritten every class, method, field, and property into qm…, qG…, etc. identifiers (#=q…== format), producing ~1,039 mangled tokens in the binary. This defeats meaningful decompilation of the logic unless an automatic renaming pass is applied first. ^[strings.txt:278]
  • Resource encryption: .rsrc (90 KB section, entropy 7.998) starts with a valid IMAGE_RESOURCE_DIRECTORY but contains an embedded PK\x03\x04 ZIP archive at offset 0x92AD within the section. This is very likely the ConfuserEx-encrypted resource / payload package that gets decrypted at runtime. ^[custom:entropy analysis] ^[custom:PK offset search]
  • No native packing: Not UPX, not custom native packer. ConfuserEx operates entirely inside the .NET layer.
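The two checks used on the .rsrc section above (section entropy and a search for an embedded PK\x03\x04 local-file header) are easy to reproduce. The script below is an added example written for this report, not the triage pipeline's own script; it works on a constructed stand-in for a resource section rather than on the sample, and the member names inside the constructed archive (ClientSettings.bin, Plugin.dll) are placeholders, not names recovered from the binary. It goes one step beyond a plain signature search: a PK\x03\x04 hit is only accepted if a parseable ZIP archive starts exactly at that offset, which filters out stray signature bytes and hits that land inside a member of an archive already found.

```python
import io
import math
import zipfile
from collections import Counter

ZIP_LOCAL_HEADER = b"PK\x03\x04"


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty/constant data, 8.0 for a
    uniform byte distribution. Values near 8.0 (the page reports 7.998 for
    .rsrc) indicate compressed or encrypted content."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def find_zip_headers(data: bytes) -> list:
    """Every offset at which the ZIP local-file-header signature occurs."""
    offsets = []
    pos = data.find(ZIP_LOCAL_HEADER)
    while pos != -1:
        offsets.append(pos)
        pos = data.find(ZIP_LOCAL_HEADER, pos + 1)
    return offsets


def list_embedded_zip(data: bytes, offset: int) -> list:
    """Member names if a parseable ZIP archive starts exactly at `offset`, else [].

    zipfile tolerates prepended data, so it would also "open" an archive from a
    signature sitting before the real start or in the middle of a member. We
    therefore require the archive's first local header to be at offset 0 of the
    slice, i.e. at the candidate offset itself."""
    try:
        with zipfile.ZipFile(io.BytesIO(data[offset:])) as zf:
            infos = zf.infolist()
            if not infos or infos[0].header_offset != 0:
                return []
            return [info.filename for info in infos]
    except zipfile.BadZipFile:
        return []


def analyze_section(data: bytes) -> dict:
    """Entropy of the whole blob plus, per PK signature hit, the member list
    (empty list = signature bytes that are not a real archive start)."""
    candidates = {off: list_embedded_zip(data, off) for off in find_zip_headers(data)}
    return {"entropy": round(shannon_entropy(data), 3), "zip_candidates": candidates}


def build_sample() -> bytes:
    """Constructed stand-in for a resource section: zero padding, a real ZIP at
    offset 0x40 with two placeholder members, then a stray PK\\x03\\x04 that is
    not an archive. Nothing here comes from the analysed binary."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("ClientSettings.bin", b"placeholder-settings-blob " * 8)  # placeholder name
        zf.writestr("Plugin.dll", bytes(range(256)) * 4)                      # placeholder name
    archive = buf.getvalue()
    return b"\x00" * 0x40 + archive + b"\x00" * 16 + ZIP_LOCAL_HEADER + b"garbage"


if __name__ == "__main__":
    report = analyze_section(build_sample())
    print("entropy:", report["entropy"])
    for off, names in sorted(report["zip_candidates"].items()):
        verdict = "archive " + repr(names) if names else "not an archive start"
        print(f"PK\\x03\\x04 at 0x{off:X}: {verdict}")
```

To run it against a real section, read the bytes with pefile (section.get_data()) and pass them to analyze_section; offsets it reports are then relative to the section start, as 0x92AD is on this page, and must be added to the section's raw pointer to get a file offset.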

Persistence & Installation (inferred)

The binary references standard NanoCore installation behaviors:

  • get_StartupPath and set_CurrentDirectory for self-copying into %AppData% or %TEMP%. ^[strings.txt]
  • Registry manipulation via RegistryKey, RegOpenKeyEx, RegQueryValueEx, RegCloseKey for Run-key persistence. ^[capa.txt:15,98]
  • File-system operations: create directory, copy file, delete file, write file — consistent with staging a copy under a randomized name. ^[capa.txt:73-84]

Network / C2 (inferred)

No hardcoded IP, domain, or URL survived string extraction. Network behavior is inferred from:

  • System.Net.Sockets.Socket, ConnectAsync, SendToServer, get_Connected, get_Port — NanoCore speaks over raw TCP sockets, not HTTP. ^[strings.txt:170-181] ^[strings.txt:1648]
  • DnsRecord, AddHostEntry, RebuildHostCache, GetHostEntry — C2 host list is maintained internally and can be updated by the server. ^[strings.txt:1178-1180]
  • KeepAlive present in strings, suggesting persistent TCP keepalive framing. ^[strings.txt:1262]
  • Builder pattern: NanoCore's builder generates a custom ClientSettings blob stored inside the resource stream. This sample likely carries its settings in the encrypted ZIP within .rsrc; static extraction without decryption yields nothing.

Plugin Architecture

NanoCore is plugin-driven. Static evidence includes:

  • ClientPlugin, NanoCore.ClientPlugin, NanoCore.ClientPluginHost namespaces. ^[strings.txt:61] ^[strings.txt:91-94]
  • CommandType, BaseCommand, FileCommand, PluginCommand — task dispatch enum. ^[strings.txt:1154] ^[strings.txt:1157-1159]
  • IClientApp, IClientData, IClientNetwork, IClientUIHost, etc. — interface contracts for modular components. ^[strings.txt:86-97]
  • Pipe-based IPC: CreatePipe, PipeExists, PipeCreated, PipeClosed, ClosePipe — the client ↔ plugin bridge uses named/anonymous pipes. ^[strings.txt:1213-1219]

Decompiled Behavior

Radare2 (CIL engine) identifies 858 methods. The entry point and the key methods around it are:

  • method.ClientLoaderForm.Main (address 0x40c480) — WinForms bootstrap. ^[r2:method.ClientLoaderForm.Main]
  • method.Client..ctor — constructor chain for the Client singleton that wires IClientApp to the network layer. ^[r2:sym.Client..ctor]
  • method.LogClientException / method.LogClientMessage — centralized logging (likely sent back to C2). ^[r2:method.qmLTtz8OEDrkzFTzYkI_Dg1dvKwiGw9blNcZSU_QqMsg.LogClientException]
  • method.qmLTtz8OEDrkzFTzYkI_Dg1dvKwiGw9blNcZSU_QqMsg.LogClientMessage — message-forwarding to server.

Control flow is dominated by ConfuserEx ControlFlow obfuscation: flattened blocks, exception-based branching, and delegate trampolines. Manual decompilation is impractical without tools like NoFusicator or de4dot replacement pipelines.

C2 Infrastructure

  • Static C2: None extracted. The builder-generated ClientSettings / BuilderSettings object is encrypted inside the .rsrc ZIP and decrypted at runtime. ^[strings.txt:1205-1206]
  • Protocol: Raw TCP sockets (not HTTPS/HTTP per standard NanoCore behavior). Keepalive framing inferred from KeepAlive, Socket, SendToServer, ReceiveAsync. ^[strings.txt:1262]
  • DNS: DnsRecord, GetHostEntry, AddHostEntry, RebuildHostCache show the client maintains a mutable host cache — typical for DGA fallback or server-driven redirection. ^[strings.txt:1178]

Interesting Tidbits

  1. VB.NET provenance: The MyTemplate auto-generated class and GUID b4de0bbe-4fc1-4999-bc15-86136959e331 prove the project was built with Visual Studio's VB.NET My Application Framework. Not C#. ^[strings.txt:1666] ^[strings.txt:1670]
  2. Two runtime versions: References v2.0.50727 (mscorlib) and 8.0.0.0 (Microsoft.VisualBasic). Suggests the assembly targets .NET 4.x (which hosts CLR 4 and can load 2.0 assemblies side-by-side). ^[strings.txt:51] ^[strings.txt:1667]
  3. NanoCore version stamp: 1.2.2.0 is an older build of NanoCore (the project leaked in 2014–2015). This timestamp (Feb 2015) sits squarely in the leaked-source era. ^[strings.txt:1676]
  4. No YARA family hit: Only PE_File_Generic triggered; standard open-source NanoCore YARA rules may need updating for ConfuserEx-obfuscated variants. ^[yara.txt]
  5. .rsrc ZIP: A PK\x03\x04 header appears deep inside the .rsrc section at offset 0x25EAD (rsrc+0x92AD). This could be the encrypted plugin package or config bundle. ^[custom:PK offset search]

How To Mess With It (Homelab Replication)

Goal: Reproduce a NanoCore-like .NET RAT with ConfuserEx obfuscation and see how static tools respond.

  1. Toolchain: Visual Studio Community + VB.NET/.NET Framework 4.8 Console / WinForms app.
  2. Build a stub: Create a Windows Forms app with a hidden startup form, System.Net.Sockets.TcpClient, and a TcpListener loop.
  3. Add builder pattern: Store C2 host/port in Properties.Resources as an encrypted JSON blob (e.g., AES-CBC with a hardcoded key).
  4. Obfuscate with ConfuserEx: Download the open-source ConfuserEx v1.6.0, apply:
    • Name obfuscation (rename everything to #=q…==)
    • Constant obfuscation (encrypt strings at compile time)
    • Control flow flattening
    • Resource encryption (zip + encrypt payload)
  5. Verification: Run capa <your_sample.exe> and strings <your_sample.exe> | grep -i nano — should hit communication/socket/tcp, data-manipulation/hashing/md5, and host-interaction/file-system/create just like this sample.
  6. What you learn: ConfuserEx is mature, free, and trivial to apply. Every .NET malware analyst needs a de4dot/NoFuser pipeline ready.

Deployable Signatures

YARA — NanoCore ConfuserEx Variant

import "pe"   // required: the condition uses pe.number_of_sections

rule nanocore_confuserex_vbnet
{
    meta:
        description = "NanoCore RAT client obfuscated with ConfuserEx, VB.NET build"
        author      = "triage-auto"
        date        = "2026-06-02"
        sha256      = "fe81691f199873bd5470c7beff9a52fdd6c1e03b80484e40b15ce040cde851b5"
    strings:
        $nano1 = "NanoCore Client" ascii wide
        $nano2 = "NanoCore.ClientPlugin" ascii wide
        $nano3 = "IClientApp" ascii wide
        $nano4 = "IClientNetwork" ascii wide
        $nano5 = "ClientLoaderForm" ascii wide
        $nano6 = "SendToServer" ascii wide
        $nano7 = "AddHostEntry" ascii wide
        $nano8 = "PluginUninstalling" ascii wide
        $conf1 = /#=q[A-Za-z0-9_$]{20,}==/      // ConfuserEx mangled name
        $conf2 = /#=q[A-Za-z0-9_$]{20,}=.*=/    // ConfuserEx extended form
        $vb1   = "MyTemplate" ascii wide
        $vb2   = "My.MyProject.Forms" ascii wide
        $vb3   = "b4de0bbe-4fc1-4999-bc15-86136959e331" ascii wide
    condition:
        uint16(0) == 0x5A4D
        and pe.number_of_sections == 3
        and any of ($nano*)
        and any of ($conf*)
        and any of ($vb*)
        and filesize < 500KB
}

Note: Syntactically tested by eye; deploy to your YARA sandbox before production.

Sigma — NanoCore Process Launch Hunt

title: NanoCore RAT Client Loader Execution
description: Detects NanoCore VB.NET client process based on module/interface strings and pipe creation.
logsource:
    category: process_creation
    product: windows
detection:
    selection_strings:
        CommandLine|contains|all:
            - 'NanoCore'
            - 'ClientLoaderForm'
    selection_pipes:
        CommandLine|contains:
            - 'PipeCreated'
            - 'PipeExists'
            - 'CreatePipe'
    # ImageLoaded is an image_load field, not a process_creation field; this
    # selection only fires on backends that join module-load events to the process.
    selection_vb:
        ImageLoaded|contains:
            - 'Microsoft.VisualBasic'
            - 'MyTemplate'
    condition: selection_strings or (selection_pipes and selection_vb)
falsepositives:
    - Unknown
level: high
tags:
    - attack.execution
    - attack.t1059
    - attack.command_and_control
    - attack.t1071

IOC List

| Category | Indicator | Context |
| --- | --- | --- |
| Hash | fe81691f199873bd5470c7beff9a52fdd6c1e03b80484e40b15ce040cde851b5 | SHA-256 |
| Hash | 9a17b6099c1eae8c76f7c6fee5a2d8d9 | MD5 |
| Hash | 8bea0f1ea5d70aa083b682c828541a041fbc11cd | SHA-1 |
| Filename | okfun.exe | Original name |
| Registry | HKCU\Software\Microsoft\Windows\CurrentVersion\Run | Persistence inferred |
| File | %TEMP%\*.tmp, %APPDATA%\* | Staging inferred (GetTempFileName, create directory) |
| Pipe | \\.\pipe\* | IPC bridge (CreatePipe, PipeExists) |
| Network | Raw TCP outbound (no static IP) | C2 host resolved via DNS / builder config |
| Mutex | Unknown | Not extracted statically; likely runtime-generated |

Behavioral Fingerprint

This binary is a .NET PE32 GUI assembly with a single mscoree.dll import. At startup it instantiates a hidden VB.NET WinForms client loader, initializes TCP socket objects, and maintains an internal C2 host cache. It creates file-system directories and copies itself, interacts with the registry for persistence, and uses anonymous/named pipes for internal plugin IPC. Network traffic is raw TCP with keepalive framing; no obfuscated HTTPS. The heavy ConfuserEx obfuscation (1,000+ mangled #=q… identifiers) blocks naive string extraction and decompilation.

Detection Signatures (capa → ATT&CK)

capa static analysis already mapped capabilities to ATT&CK: ^[capa.txt]

| capa Capability | ATT&CK Technique |
| --- | --- |
| modify registry | T1112 |
| reflective code loading | T1620 |
| account discovery | T1087 |
| file and directory discovery | T1083 |
| query registry | T1012 |
| system information discovery | T1082 |
| system owner/user discovery | T1033 |
| C2 communication (send/receive) | T1071 |
| DNS resolution | T1071.004 |
| create TCP socket | T1071 |
| MD5 hashing | — (crypto utility) |
| generate random numbers | — (utility) |
| copy file / create directory / delete file | T1070 |
| create process | T1106 |
| create mutex | — (single instance) |
| enumerate registry | T1012 |
| get session integrity level | T1033 |
| suspend thread | T1055 |

Dynamic execution would likely surface additional TTPs such as T1547.001 (Registry Run Keys), T1059.001 (PowerShell), and T1021 (Remote Services) depending on builder configuration.

References

  • SHA-256: fe81691f199873bd5470c7beff9a52fdd6c1e03b80484e40b15ce040cde851b5
  • Wiki entity: nanocore
  • Wiki technique: confuserex-obfuscation
  • OpenCTI labels: nanocore, rat, malware-bazaar ^[metadata.json]
  • Sample source: abuse.ch / MalwareBazaar (via OpenCTI urlhaus-recent-payloads connector)

Provenance

  • Report built from static artefacts generated by the triage pipeline on 2026-05-26.
  • Tools: file, strings, floss (failed — invalid args, no decoded strings), capa v5 (static, dotnet), binwalk, radare2 (CIL analysis, 858 functions), python3 (manual entropy + offset extraction), pefile.
  • No CAPE dynamic analysis: Windows guest unavailable at time of triage. All runtime/C2 claims are inferred from static imports, capa capability map, and known NanoCore builder behavior.