General

  • Target: http://portsmouth-american-dependence-arrow.trycloudflare.com/
  • Sample: 240710-tpye7sxcnp

Malware Config

Extracted

  • Family: xworm
  • Version: 3.1
  • C2: welxwrm.duckdns.org:8292
  • Mutex: qeXNZgD5N2hUEfW4
  • Attributes
    • install_file: USB.exe
  • aes.plain 1: tRDPwF/KrCFQHNtwxCnU1A==

Extracted

  • Family: xworm
  • Version: 5.0
  • C2:
    • rvxwrm5.duckdns.org:9390
    • xrw9402july.duckdns.org:9402
  • Mutex: WU58NbjHis4MqTHI
  • Attributes
    • install_file: USB.exe
  • aes.plain 1: NJuell0kQs5fcaRgGsW+wg==
  • aes.plain 1: j6mwEOoWcJoA/r6d06AOGA==

Extracted

  • Family: asyncrat
  • Version: 5.0.5
  • Botnet: Venom Clients
  • C2: ujhn.duckdns.org:8520
  • Mutex: Venom_RAT_HVNC_Mutex_Venom RAT_HVNC
  • Attributes
    • delay: 1
    • install: false
    • install_folder: %AppData%
  • aes.plain 1: dPw8e3rVhGla8ngCgNg8mnYlEUPfYa38

Extracted

  • Family: asyncrat
  • Version: 0.5.7B
  • Botnet: Default
  • C2: todfg.duckdns.org:6745
  • Mutex: AsyncMutex_6SI8OkPnk
  • Attributes
    • delay: 3
    • install: false
    • install_file: updateee.exe
    • install_folder: %AppData%
  • aes.plain 1: rLdf0gFsTuxpT8O2lDQUiDvDDYLO5qUg

Extracted

  • Family: asyncrat
  • Botnet: Default
  • C2: anachyyyyy.duckdns.org:7878
  • Attributes
    • delay: 1
    • install: false
    • install_folder: %AppData%
  • aes.plain 1: HDicWZ3EZAtA40nvdYxpOKujJp27zboz

Targets

  • Target: http://portsmouth-american-dependence-arrow.trycloudflare.com/
  • AsyncRat
    AsyncRAT is a remote access trojan written in C#, designed to remotely monitor and control other computers.
  • Detect Xworm Payload
  • Suspicious use of NtCreateUserProcessOtherParentProcess
  • Xworm
    Xworm is a remote access trojan written in C#.
  • Async RAT payload
  • Blocklisted process makes network request
  • Command and Scripting Interpreter: PowerShell
    PowerShell Invoke-WebRequest.
  • Executes dropped EXE
  • Loads dropped DLL

MITRE ATT&CK Enterprise v15
