user@threatcheck.sh ~ threat-analysis
$ analyze-threat Backdoor:MSIL/Nanocore!atmn
Backdoor:MSIL/Nanocore!atmn - Windows Defender threat signature analysis
$ cat analysis.txt
=== THREAT ANALYSIS REPORT ===
Threat Name: Backdoor:MSIL/Nanocore!atmn
Classification:
Type: Backdoor
Platform: MSIL
Family: Nanocore
Detection Type: Concrete (known malware family with identified signatures)
Suffix: !atmn
Confidence: Very High
False-Positive Risk: Low

Concrete signature match: Backdoor (provides unauthorized remote access), platform MSIL (.NET Microsoft Intermediate Language), family Nanocore.

Summary:

This threat is a concrete detection of the Nanocore Remote Access Trojan (RAT), a .NET backdoor that gives an attacker full remote control of the compromised host. Nanocore is built around a plugin architecture (the NanoCore.ClientPlugin and NanoCore.ClientPluginHost interface strings in the static-detection list) whose plugins steal data, execute commands and manage files. The same signature covers WinRAR self-extracting archive artifacts (winrarsfxmappingfile.tmp, Path=%temp%\), so matched samples may be delivered as SFX droppers, and the ConfuserEx marker shows that obfuscated builds are covered. Some of the listed strings are themselves obfuscated to defeat naive string matching: the reversed string /tac.fmop.a//:sptth reads https://a.pomf.cat/ when reversed, and the separator-split */*G*/*e*/*t*/*M*/*e*/*t*/*h*/*o*/*d is the reflection call GetMethod.

Severity: Critical
VDM Static Detection:
Relevant strings associated with this threat:
 - ReZer0.Properties (PEHSTR)
 - System.CodeDom.Compiler (PEHSTR)
 - set_UseShellExecute (PEHSTR)
 - ReZer0V2.exe (PEHSTR)
 - set_UseShellExecute (PEHSTR_EXT)
 - NanoCore Client.exe (PEHSTR_EXT)
 - ClientLoaderForm.resources (PEHSTR_EXT)
 - NanoCore.ClientPlugin (PEHSTR_EXT)
 - 6A84./7BK8 (PEHSTR)
 - winrarsfxmappingfile.tmp (PEHSTR_EXT)
 - .docx (PEHSTR_EXT)
 - Extracting files to C:\ folder (PEHSTR_EXT)
 - Path=%temp%\ (PEHSTR_EXT)
 - NanoCore.ClientPluginHost (PEHSTR_EXT)
 - BaseCommand (PEHSTR_EXT)
 - FileCommand (PEHSTR_EXT)
 - PluginCommand (PEHSTR_EXT)
 - .pif (PEHSTR_EXT)
 - NanoCore.ClientPlugin (PEHSTR)
 - NanoCore.ClientPluginHost (PEHSTR)
 - C:\Users\Administrator\Desktop\Client\Temp\ (PEHSTR_EXT)
 - \CSPARMPricingCalOps\obj\Debug\ (PEHSTR_EXT)
 - 0.4.7.2 (PEHSTR_EXT)
 - .vbs (PEHSTR_EXT)
 - NanoCore (PEHSTR_EXT)
 - CinemaManagement.Properties.Resources.resources (PEHSTR_EXT)
 - MyClientPlugin.dll (PEHSTR_EXT)
 - \Downloads\NanoCoreSwiss\MyClientPlugin\obj\Debug\MyClientPlugin.pdb (PEHSTR_EXT)
 - ConfuserEx v1.0.0-38-g7889971 (PEHSTR_EXT)
 - ComputeHash (PEHSTR_EXT)
 - get_Computer (PEHSTR_EXT)
 - get_ExecutablePath (PEHSTR_EXT)
 - */*G*/*e*/*t*/*M*/*e*/*t*/*h*/*o*/*d (PEHSTR_EXT)
 - GetExecutingAssembly (PEHSTR_EXT)
 - /tac.fmop.a//:sptth (PEHSTR_EXT)
 - powershell.exe (PEHSTR_EXT)
 - CompressionMode (PEHSTR_EXT)
 - OleDbCommand (PEHSTR_EXT)
 - p0.jO (PEHSTR_EXT)
 - b6ca9a8445.res (PEHSTR_EXT)
 - 17fac4fc2e19.Resources.resources (PEHSTR_EXT)
 - e6D0.Resources.resources (PEHSTR_EXT)
 - 849ccca2dbaa.Resources.resources (PEHSTR_EXT)
 - 6240b06f90.res (PEHSTR_EXT)
 - Advanced_Html_Editor.Resources.resources (PEHSTR_EXT)
 - CheatMenu.Properties.Resources.resources (PEHSTR_EXT)
 - Select * from Win32_ComputerSystem (PEHSTR_EXT)
 - SCHTASKS.exe /RUN /TN " (PEHSTR_EXT)
 - --Qdj$;a:9pDsb@ =} k|u9g\&. (PEHSTR_EXT)
 - qtjiZSSiWlGAf3SavB.FJr54K84g6drqE3j0u (PEHSTR_EXT)
 - zUKC.exe (PEHSTR_EXT)
 - VolvoS60.PDOControls.resources (PEHSTR_EXT)
 - SpringPendulum.SpringPendulum.resources (PEHSTR_EXT)
 - HelloWPFApp.Properties.Resources.resources (PEHSTR_EXT)
 - HelloWPFApp.Properties (PEHSTR_EXT)
 - AlgorithmSimulator.Properties.Resources.resources (PEHSTR_EXT)
 - QuanLyBangDiaCD.Properties (PEHSTR_EXT)
 - fsdgsrxd.Resources.resources (PEHSTR_EXT)
 - Cmuvk.Properties.Resources (PEHSTR_EXT)
 - Questions.Properties.Resources.resources (PEHSTR_EXT)
 - MPR.dll (PEHSTR)
 - sZIp.exe (PEHSTR_EXT)
 - MeshPods.exe (PEHSTR)
 - !#HSTR:StringCodeForMshta.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.C!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.D!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.L!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.O!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRegsvr32.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRundll32.A!pli (PEHSTR_EXT)
 - rundll32 (PEHSTR_EXT)
 - !#HSTR:StringCodeForBITSJobs.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForPowerShell.G!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForScheduledTask.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForDataEncoding.D!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.J!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.K!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRemoteFileCopy.B!pli (PEHSTR_EXT)
 - !#HSTR:ExecutionGuardrails (PEHSTR_EXT)
 - !#HSTR:StringCodeForFileDeletion.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.M!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForNetshHelperDLL.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRemoteServices.A!pli (PEHSTR_EXT)
Known samples associated with this threat:
Filename: airvpn.exe
SHA-256: 9d896e56913f4f9acf566032bd3b725d65a4bed226221fd8ccc64e158d263266
Date: 11/12/2025
Filename: ThisIsTheBest.exe
SHA-256: 796f9ee88b9456ca2908fc99fffac955cd0695cda65749c95c8020f59b135c4b
Date: 22/11/2025
Remediation Steps:
Immediately isolate the affected machine from the network to cut the attacker's remote session and prevent lateral movement. Run a full antivirus scan to remove the detected components, and check for the persistence mechanisms the signature strings point to (scheduled tasks, given the SCHTASKS.exe /RUN /TN string). Because this backdoor gives the attacker full remote control, treat the machine as fully compromised: reset, from a clean machine, every credential that was used on or from the device, and re-image the system from a known-good source rather than relying on the scan alone.
=== END REPORT ===
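The static-detection strings and the sample hashes above, worked into a small triage scanner. This is an added example, not Windows Defender's signature engine and not Nanocore code: the indicator strings and the two SHA-256 values are copied from the report, the category labels, the two regexes for the reversed URL and the */*-split identifier, and the SAMPLE blob are constructed here for demonstration. It checks each string as both ASCII and UTF-16LE, because .NET user strings live in the #US heap as UTF-16LE and an ASCII-only search misses them.

```python
"""Scan a binary for the Nanocore indicator strings listed in this report.

Added example: illustrative scanner code, not Windows Defender's signature
engine and not Nanocore code. Indicator strings and sample hashes are copied
from the report; category labels, regexes and SAMPLE are assumptions made
for demonstration.
"""
import hashlib
import re

# Plaintext PEHSTR/PEHSTR_EXT strings from the report, grouped by what they
# tell the analyst (category labels are my own, not Defender's).
INDICATOR_STRINGS = {
    "NanoCore Client.exe": "nanocore-client",
    "ClientLoaderForm.resources": "nanocore-client",
    "NanoCore.ClientPlugin": "nanocore-plugin",
    "NanoCore.ClientPluginHost": "nanocore-plugin",
    "winrarsfxmappingfile.tmp": "winrar-sfx",
    "Extracting files to C:\\ folder": "winrar-sfx",
    "Path=%temp%\\": "winrar-sfx",
    "ConfuserEx v1.0.0-38-g7889971": "confuserex",
    'SCHTASKS.exe /RUN /TN "': "schtasks-persistence",
    "Select * from Win32_ComputerSystem": "wmi-recon",
    "powershell.exe": "powershell",
}

# Two obfuscated strings from the same list: a reversed URL
# ('/tac.fmop.a//:sptth') and a '*/*'-split identifier
# ('*/*G*/*e*/*t*/*M*/*e*/*t*/*h*/*o*/*d'). Heuristic patterns, ASCII only.
REVERSED_URL_RE = re.compile(rb"/[a-z0-9.\-]+//:s?ptth")
SPLIT_IDENT_RE = re.compile(rb"(?:\*/\*[A-Za-z]){3,}")

# SHA-256 values of the two samples listed in the report.
KNOWN_SHA256 = {
    "9d896e56913f4f9acf566032bd3b725d65a4bed226221fd8ccc64e158d263266": "airvpn.exe",
    "796f9ee88b9456ca2908fc99fffac955cd0695cda65749c95c8020f59b135c4b": "ThisIsTheBest.exe",
}


def contains(data: bytes, s: str) -> bool:
    """True if s occurs as ASCII or as UTF-16LE (the .NET #US heap encoding)."""
    return s.encode("ascii") in data or s.encode("utf-16-le") in data


def deobfuscate(data: bytes) -> dict:
    """Recover reversed URLs and '*/*'-split identifiers from raw bytes."""
    urls = [m.group(0)[::-1].decode("ascii") for m in REVERSED_URL_RE.finditer(data)]
    idents = [m.group(0).replace(b"*/*", b"").decode("ascii")
              for m in SPLIT_IDENT_RE.finditer(data)]
    return {"reversed_urls": urls, "split_identifiers": idents}


def match_known_hash(sha256_hex: str):
    """Filename from the report's sample list, or None if the hash is unknown."""
    return KNOWN_SHA256.get(sha256_hex.lower())


def scan(data: bytes) -> dict:
    """Hash the blob, look it up, and collect the indicator categories it hits."""
    digest = hashlib.sha256(data).hexdigest()
    categories = sorted({cat for s, cat in INDICATOR_STRINGS.items() if contains(data, s)})
    return {
        "sha256": digest,
        "known_sample": match_known_hash(digest),
        "categories": categories,
        "deobfuscated": deobfuscate(data),
    }


# Constructed blob for demonstration: an MZ stub plus a few of the report's
# strings, one of them UTF-16LE encoded as it would be in a .NET #US heap.
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 16
    + b"NanoCore.ClientPluginHost\x00"
    + "NanoCore Client.exe".encode("utf-16-le") + b"\x00\x00"
    + b"ConfuserEx v1.0.0-38-g7889971\x00"
    + b"*/*G*/*e*/*t*/*M*/*e*/*t*/*h*/*o*/*d\x00"
    + b"/tac.fmop.a//:sptth\x00"
    + b'SCHTASKS.exe /RUN /TN "\x00'
)

if __name__ == "__main__":
    import json
    print(json.dumps(scan(SAMPLE), indent=2))
```

On SAMPLE the scanner reports the confuserex, nanocore-client, nanocore-plugin and schtasks-persistence categories, recovers https://a.pomf.cat/ and GetMethod, and finds no hash match; on a real file, pass the file's bytes to scan() and treat a known_sample hit or any nanocore-* category as grounds for the isolation and re-image steps above. String hits alone are weaker evidence than the hash match, since packed or encrypted payloads will not expose them until unpacked.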
This analysis was last updated on 22/11/2025.