General
Static task
static1
URLScan task
urlscan1
Malware Config
Extracted
Family
toxiceye
C2
https://api.telegram.org/bot5687152406:AAFin_LYFhJGLydMgYheeUDec-2orew51aM/sendMessage?chat_id=2024893777
Extracted
Family
asyncrat
Version
1.0.7
Botnet
RuntimeBroker
C2
37.18.62.18:8060
Mutex
RuntimeBroker.exe
Attributes
-
delay
1
-
install
false
-
install_file
RuntimeBroker.exe
-
install_folder
%AppData%
aes.plain
Extracted
Family
asyncrat
Version
1.0.7
Botnet
Default
C2
159.146.103.132:5554
Mutex
mtx
Attributes
-
delay
1
-
install
true
-
install_file
winfile.exe
-
install_folder
%Temp%
aes.plain
Extracted
Family
gurcu
C2
https://api.telegram.org/bot5687152406:AAFin_LYFhJGLydMgYheeUDec-2orew51aM/sendMessage?chat_id=2024893777
Targets
-
-
Target
https://github.com/errias/XWorm-Rat-Remote-Administration-Tool-
-
Async RAT payload
-
Downloads MZ/PE file
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Obfuscated with Agile.Net obfuscator
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
-
Legitimate hosting services abused for malware hosting/C2
-
Enumerates processes with tasklist
-