General
Static task: static1
URLScan task: urlscan1
Malware Config

Extracted
Family: xworm
Version: 3.1
C2: welxwrm.duckdns.org:8292
Mutex: qeXNZgD5N2hUEfW4
Attributes:
- install_file: USB.exe
aes.plain:
1. tRDPwF/KrCFQHNtwxCnU1A==

Extracted
Family: xworm
Version: 5.0
C2:
- rvxwrm5.duckdns.org:9390
- xrw9402july.duckdns.org:9402
Mutex: WU58NbjHis4MqTHI
Attributes:
- install_file: USB.exe
aes.plain:
1. NJuell0kQs5fcaRgGsW+wg==
aes.plain:
1. j6mwEOoWcJoA/r6d06AOGA==

Extracted
Family: asyncrat
Version: 5.0.5
Botnet: Venom Clients
C2: ujhn.duckdns.org:8520
Mutex: Venom_RAT_HVNC_Mutex_Venom RAT_HVNC
Attributes:
- delay: 1
- install: false
- install_folder: %AppData%
aes.plain:
1. dPw8e3rVhGla8ngCgNg8mnYlEUPfYa38

Extracted
Family: asyncrat
Version: 0.5.7B
Botnet: Default
C2: todfg.duckdns.org:6745
Mutex: AsyncMutex_6SI8OkPnk
Attributes:
- delay: 3
- install: false
- install_file: updateee.exe
- install_folder: %AppData%
aes.plain:
1. rLdf0gFsTuxpT8O2lDQUiDvDDYLO5qUg

Extracted
Family: asyncrat
Botnet: Default
C2: anachyyyyy.duckdns.org:7878
Attributes:
- delay: 1
- install: false
- install_folder: %AppData%
aes.plain:
1. HDicWZ3EZAtA40nvdYxpOKujJp27zboz
Targets

Target: http://portsmouth-american-dependence-arrow.trycloudflare.com/
Signatures:
- Detect Xworm Payload
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Async RAT payload
- Blocklisted process makes network request
- Executes dropped EXE
- Loads dropped DLL
-