Overview

overview

10

Static

static

1

URLScan

urlscan

https://mega.nz/file...

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    https://mega.nz/file/J98DmR4Y#-AXNW4jJGO3j159eFqUxw-gjzu62PuXYSEqZTQ8i-fI

  • Sample

    250328-rk5mlsypt8

Score
10/10
asyncratgurcustormkittyxwormdefaultcollectiondiscoveryexecutionratspywarestealertrojan

Malware Config

Extracted

Family

asyncrat

Version

Venom RAT + HVNC + Stealer + Grabber v6.0.3

Botnet

Default

C2

193.161.193.99:36206

Mutex

onxityialltnltam

Attributes
  • delay

    1

  • install

    true

  • install_file

    Windows Defender.exe

  • install_folder

    %AppData%

aes.plain

Extracted

Family

xworm

C2

dsasinject-58214.portmap.io:3389

Attributes
  • Install_directory

    %AppData%

  • install_file

    svchost.exe

  • telegram

    https://api.telegram.org/bot7023899363:AAFEzgbfWzhyE32Lf95TKSRYEYXMd4AfMyk/sendMessage?chat_id=6354844663

Extracted

Family

gurcu

C2

https://api.telegram.org/bot7023899363:AAFEzgbfWzhyE32Lf95TKSRYEYXMd4AfMyk/sendMessage?chat_id=6354844663

https://api.telegram.org/bot7220954819:AAGO1h21167g4D4DszTlk_YE672RrxCPF98/sendDocument?chat_id=-1002336597792&caption=====%20RL%20STEALER%20====%20%0A%E2%8F%B0%20Date%20=%3E%2003/28/2025%202:18%0A%F0%9F%92%BBSystem%20=%3E%20Windows%2010%20Pro%20(64%20Bit)%0A%F0%9F%91%A4%20User%20=%3E%20Admin%0A%F0%9F%86%94%20PC%20=%3E%20QQDZFYSF%0A%F0%9F%8F%B4%20Country%20=%3E%20[United%20Kingdom]%0A%F0%9F%94%8D%20IP%20=%3E%20212.102.63.147%0A%F0%9F%93%9D%20Language%20=%3E%20%F0%9F%87%BA%F0%9F%87%B8%20en-US%0A%F0%9F%94%93%20Antivirus%20=%3E%20Not%20installed%0A%20====%7B%20User%20Data%20%7D====%0A%F0%9F%93%82%20FileGrabber%20=%3E%2013%0A%F0%9F%93%A6%20Telegram%20=%3E%20%E2%9D%8C%0A%F0%9F%92%B8%20Wallets%20=%3E%20%E2%9D%8C%0A%F0%9F%92%AC%20Discord%20=%3E%20%E2%9D%8C%0A%F0%9F%93%A1%20FileZilla:%20%E2%9D%8C%0A%20VimeWorld%20=%3E%20%E2%9D%8C%0A%20====%7B%20VPN%20%7D====%0A%20%E2%88%9F%20NordVPN%20=%3E%20%E2%9D%8C%0A%20%E2%88%9F%20OpenVPN%20=%3E%20%E2%9D%8C%0A%20%E2%88%9F%20ProtonVPN%20=%3E%20%E2%9D%8C%0A%20====%7B%20Browsers%20Data%20%7D====%0A%F0%9F%97%9D%20Passwords%20=%3E%200%0A%F0%9F%95%91%20History%20=%3E%201%0A%F0%9F%8D%AA%20Cookies%20=%3E%200%0A%F0%9F%93%9D%20AutoFills%20=%3E%200%0A%F0%9F%92%B3%20CC%20=%3E%200%0A%20====%7B%20Gaming%20%7D====%0A%20%F0%9F%8E%AE%20Steam%20=%3E%20%E2%9D%8C%0A%20==================%0A%20DOMAINS%20DETECTED:%0A%20-%2

https://api.telegram.org/bot7220954819:AAGO1h21167g4D4DszTlk_YE672RrxCPF98/sendDocument?chat_id=-1002336597792&caption=====%20RL%20STEALER%20====%20%0A%E2%8F%B0%20Date%20=%3E%2003/28/2025%202:19%0A%F0%9F%92%BBSystem%20=%3E%20Windows%2010%20Pro%20(64%20Bit)%0A%F0%9F%91%A4%20User%20=%3E%20Admin%0A%F0%9F%86%94%20PC%20=%3E%20QQDZFYSF%0A%F0%9F%8F%B4%20Country%20=%3E%20[United%20Kingdom]%0A%F0%9F%94%8D%20IP%20=%3E%20212.102.63.147%0A%F0%9F%93%9D%20Language%20=%3E%20%F0%9F%87%BA%F0%9F%87%B8%20en-US%0A%F0%9F%94%93%20Antivirus%20=%3E%20Not%20installed%0A%20====%7B%20User%20Data%20%7D====%0A%F0%9F%93%82%20FileGrabber%20=%3E%2013%0A%F0%9F%93%A6%20Telegram%20=%3E%20%E2%9D%8C%0A%F0%9F%92%B8%20Wallets%20=%3E%20%E2%9D%8C%0A%F0%9F%92%AC%20Discord%20=%3E%20%E2%9D%8C%0A%F0%9F%93%A1%20FileZilla:%20%E2%9D%8C%0A%20VimeWorld%20=%3E%20%E2%9D%8C%0A%20====%7B%20VPN%20%7D====%0A%20%E2%88%9F%20NordVPN%20=%3E%20%E2%9D%8C%0A%20%E2%88%9F%20OpenVPN%20=%3E%20%E2%9D%8C%0A%20%E2%88%9F%20ProtonVPN%20=%3E%20%E2%9D%8C%0A%20====%7B%20Browsers%20Data%20%7D====%0A%F0%9F%97%9D%20Passwords%20=%3E%200%0A%F0%9F%95%91%20History%20=%3E%201%0A%F0%9F%8D%AA%20Cookies%20=%3E%200%0A%F0%9F%93%9D%20AutoFills%20=%3E%200%0A%F0%9F%92%B3%20CC%20=%3E%200%0A%20====%7B%20Gaming%20%7D====%0A%20%F0%9F%8E%AE%20Steam%20=%3E%20%E2%9D%8C%0A%20==================%0A%20DOMAINS%20DETECTED:%0A%20-%2

Targets

    • Target

      https://mega.nz/file/J98DmR4Y#-AXNW4jJGO3j159eFqUxw-gjzu62PuXYSEqZTQ8i-fI

    Score
    10/10
    asyncratgurcustormkittyxwormdefaultcollectiondiscoveryexecutionratspywarestealertrojan

    • AsyncRat

      AsyncRAT is designed to remotely monitor and control other computers written in C#.

      ratasyncrat

    • Asyncrat family

      asyncrat

    • Detect Xworm Payload

    • Gurcu family

      gurcu

    • Gurcu, WhiteSnake

      Gurcu aka WhiteSnake is a malware stealer written in C#.

      stealergurcu

    • StormKitty

      StormKitty is an open source info stealer written in C#.

      stealerstormkitty

    • StormKitty payload

    • Stormkitty family

      stormkitty

    • Xworm

      Xworm is a remote access trojan written in C#.

      trojanratxworm

    • Xworm family

      xworm

    • Async RAT payload

      rat

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

      execution

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses Microsoft Outlook profiles

      collection

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Drops desktop.ini file(s)

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    behavioral1

MITRE ATT&CK Enterprise v15

Tasks