General

  • Target

    https://github.com/errias/XWorm-Rat-Remote-Administration-Tool-

  • Sample

    240914-j95pxavbln

Malware Config

  • Extracted

    Family: toxiceye
    C2: https://api.telegram.org/bot5687152406:AAFin_LYFhJGLydMgYheeUDec-2orew51aM/sendMessage?chat_id=2024893777

  • Extracted

    Family: asyncrat
    Version: 1.0.7
    Botnet: RuntimeBroker
    C2: 37.18.62.18:8060
    Mutex: RuntimeBroker.exe
    Attributes:
      delay: 1
      install: false
      install_file: RuntimeBroker.exe
      install_folder: %AppData%
      aes.plain

  • Extracted

    Family: asyncrat
    Version: 1.0.7
    Botnet: Default
    C2: 159.146.103.132:5554
    Mutex: mtx
    Attributes:
      delay: 1
      install: true
      install_file: winfile.exe
      install_folder: %Temp%
      aes.plain

  • Extracted

    Family: gurcu
    C2: https://api.telegram.org/bot5687152406:AAFin_LYFhJGLydMgYheeUDec-2orew51aM/sendMessage?chat_id=2024893777

Targets

    • Target

      https://github.com/errias/XWorm-Rat-Remote-Administration-Tool-

    • AsyncRat

      AsyncRAT is a remote access tool, written in C#, designed to remotely monitor and control other computers.

    • Gurcu, WhiteSnake

      Gurcu is a malware stealer written in C#.

    • ToxicEye

      ToxicEye is a trojan written in C#.

    • Async RAT payload

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Obfuscated with Agile.Net obfuscator

      Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

    • Legitimate hosting services abused for malware hosting/C2

    • Enumerates processes with tasklist

MITRE ATT&CK Enterprise v15