File Identity
| Field | Value |
|---|---|
| SHA256 | 4eca71001daaabb1740b8f30978d43d778bfbc95f2bf336354094366f9487496 |
| File Name | pk68.io.exe (C2 domain name in the file) |
| Platform | .NET + ConfuserEx obfuscated |
| Size | 207,872 bytes |
| String Count | 2,145 |
NanoCore Modules (Confirmed)
| Symbol | Role |
|---|---|
| NanoCore | main module |
| NanoCore Client | client binary name |
| NanoCore Client.exe | executed binary |
| NanoCore.ClientPlugin | plugin system |
| NanoCore.ClientPluginHost | plugin host |
| IClientAppHost | application host interface |
| IClientDataHost | data host interface |
| System.Net.Sockets | TCP network layer |
| SocketAsyncEventArgs | async C2 connection |
ConfuserEx Trace
#=qoKFLFqm7bb3VWsU2QKXIQ4_6anGbTCWiZAfrNlgq8fc= and #=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY= are ConfuserEx-obfuscated .NET symbol names; the "#=q" prefix is the pattern that identifies this obfuscator.
About NanoCore
NanoCore is a plugin-based RAT developed in C# by Taylor Huddleston in 2013. Its author was arrested by the FBI in 2017. After the source code leaked, it has been sold cheaply on underground markets. It establishes its C2 connection over a TCP socket and ships keylogger, screen capture, file management, remote shell, webcam, and cryptominer plugin modules.
IOC
| Field | Value |
|---|---|
| SHA256 | 4eca71001daaabb1740b8f30978d43d778bfbc95f2bf336354094366f9487496 |
| Suspicious Domain | pk68.io (in the file name) |
| Obfuscation | ConfuserEx |
NanoCore — Malware Profile
NanoCore is a .NET RAT, distributed here through HP scanner lures. The PDB path FqStwIZtCP recurs across samples. Plugin interface: GetConfig/SetConfig/conjugatePair.
Technical Details
.NET, plugin-based (DLL add-ons), AES-128 encryption, dynamic TCP port, random GUID mutex, GetAsyncKeyState keylogger, clipboard monitor, remote shell (cmd.exe), hidden VNC, password recovery.
Capabilities & Behavior
IOC List (1 indicator)
| Type | Value | Note |
|---|---|---|
| sha256 | 4eca71001daaabb1740b8f30978d43d778bfbc95f2bf336354094366f9487496 | |
C2 Servers (4 recorded servers for this family)
| Address | Type | Port | Protocol | Status | Country |
|---|---|---|---|---|---|
| pk68.io | domain | 443 | HTTPS | active | — |
| 195.3.221.139 | ip | 4782 | TCP | inactive | RO |
| UNKNOWN_HOST | unknown | 8918 | TCP | inactive | — |
| 37.140.192.146 | ip | 7707 | TCP | sinkholed | UA |
C2 addresses are provided only from malware samples manually verified by the KEYDAL team. Commercial use is prohibited.