type: entity | confidence: high | created: 2026-06-02 | updated: 2026-06-02 | tags: malware-family, rat, dotnet, c2, persistence, obfuscation

NanoCore

Overview

NanoCore is a commodity .NET-based remote-access trojan (RAT) whose builder leaked around 2014–2015. It remains actively distributed via spam, cracked software bundles, and phishing lures. The client is highly configurable through a point-and-click builder that generates a small (~150–300 KB) obfuscated EXE targeting .NET Framework 2.0–4.x.

Build-Stack Typically Observed

  • Language: C# or VB.NET (Visual Studio / SharpDevelop).
  • Framework: .NET Framework 2.0 (CLR v2.0.50727) or .NET 4.x.
  • Builder: NanoCore Builder (version stamps like 1.2.2.0 seen in leaked-era builds).
  • Obfuscator: Frequently ConfuserEx: mass name mangling (#=q…==), resource encryption, control-flow flattening. Also observed with Eazfuscator, Dotfuscator, and SmartAssembly.
  • Package: Single PE32 with 3 sections (.text, .reloc, .rsrc). .rsrc often contains an encrypted ZIP or manifest payload.
  • Signing: Usually unsigned; Authenticode stripped. ^[sample fe81691f/pefile.txt]
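
The packaging and signing traits above can be read straight from the PE headers during triage. The following is an added example, not code from the cited analysis: a standard-library-only header parser that reports PE32, section names, the presence of a CLR header, and the presence of an Authenticode certificate table. The function names and the header-only test image are constructed for illustration, and because benign unsigned .NET executables share this layout, a match is a triage hint rather than a family identification.

```python
import struct

# Section names the page lists for builder output.
PROFILE_SECTIONS = {".text", ".reloc", ".rsrc"}

def pe_traits(data: bytes) -> dict:
    """Read the PE headers and return the static traits discussed above."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    pe = struct.unpack_from("<I", data, 0x3C)[0]           # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsec, opt_size = struct.unpack_from("<H12xH", data, pe + 6)
    opt = pe + 24                                          # optional header
    magic = struct.unpack_from("<H", data, opt)[0]
    dirs = opt + (96 if magic == 0x10B else 112)           # PE32 vs PE32+
    ndirs = struct.unpack_from("<I", data, dirs - 4)[0]
    def dir_size(index: int) -> int:
        if index >= ndirs:
            return 0
        return struct.unpack_from("<II", data, dirs + 8 * index)[1]
    table = opt + opt_size                                 # section table
    names = [data[table + 40 * i:table + 40 * i + 8].rstrip(b"\0").decode("latin-1")
             for i in range(nsec)]
    return {"pe32": magic == 0x10B, "sections": names,
            "dotnet": dir_size(14) > 0,   # CLR runtime header directory
            "signed": dir_size(4) > 0}    # certificate table (Authenticode)

def matches_profile(t: dict) -> bool:
    """True when every trait matches; benign .NET EXEs can match too."""
    return (t["pe32"] and t["dotnet"] and not t["signed"]
            and set(t["sections"]) == PROFILE_SECTIONS)

def build_sample(sections, clr=True, cert=False) -> bytes:
    """Constructed header-only image for this example, not a real sample."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                  # PE32 magic
    struct.pack_into("<I", opt, 92, 16)                    # NumberOfRvaAndSizes
    if cert:
        struct.pack_into("<II", opt, 96 + 8 * 4, 0x400, 0x100)
    if clr:
        struct.pack_into("<II", opt, 96 + 8 * 14, 0x2008, 0x48)
    rows = b"".join(n.encode().ljust(8, b"\0") + b"\0" * 32 for n in sections)
    return dos + b"PE\0\0" + coff + bytes(opt) + rows

if __name__ == "__main__":
    print(pe_traits(build_sample([".text", ".rsrc", ".reloc"])))
```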

Deploy / TTPs Typically Observed

  • Persistence: Registry Run key (HKCU\Software\Microsoft\Windows\CurrentVersion\Run) or copied to %AppData% / %TEMP%. ^[sample fe81691f/capa.txt:95-99]
  • C2 Protocol: Raw TCP sockets (not HTTP/HTTPS). Builder-configured host/port list; client caches entries and supports server-driven host updates via AddHostEntry / RebuildHostCache. Keepalive framing. ^[sample fe81691f/capa.txt:62-66]
  • Plugin Architecture: Modular design — IClientApp, IClientNetwork, IClientUIHost, etc. Plugins loaded reflectively from encrypted resource packages. IPC via named/anonymous pipes. ^[sample fe81691f/strings.txt:86-97]
  • File System: Creates directories, copies itself, deletes files, writes temp files. ^[sample fe81691f/capa.txt:73-84]
  • Discovery: System information, user name, OS version, hostname, file/directory enumeration, registry queries. ^[sample fe81691f/capa.txt:15-22]
  • Defense Evasion: Heavily obfuscated with ConfuserEx; reflective code loading of plugins; minimal static IAT (only mscoree.dll._CorExeMain). ^[sample fe81691f/pefile.txt:199]
  • MD5 Hashing: Observed in network packet integrity / config checks. ^[sample fe81691f/capa.txt:66]

Variants / Aliases

  • NanoCore RAT — the umbrella label.
  • NanoCore Client — the builder-generated payload EXE.
  • NanoCore Plugin — individual modules (file manager, remote desktop, keylogger, etc.) delivered as encrypted plugin packages.
  • Builder versions: 1.1.x, 1.2.x (leaked era), plus later forks sold in underground markets.

Notable Analyses

  • fe81691f — VB.NET ConfuserEx obfuscated client v1.2.2.0, raw static deep-dive. ^[/intel/analyses/fe81691f199873bd5470c7beff9a52fdd6c1e03b80484e40b15ce040cde851b5.html]

Capabilities

  • registry-run-persistence
  • dotnet-reflective-assembly-loading
  • raw-tcp-c2-keepalive
  • host-cache-dynamic-update
  • pipe-based-plugin-ipc
  • confuserex-name-obfuscation
  • resource-zip-encryption
  • file-system-copy-delete
  • registry-query-enumeration
  • system-information-discovery
  • md5-hash-data-check

Related Entities / Techniques