# Nanocore, Netwire and AsyncRAT spreading campaign uses public cloud infrastructure

**[blog.talosintelligence.com/2022/01/nanocore-netwire-and-asyncrat-spreading.html](https://blog.talosintelligence.com/2022/01/nanocore-netwire-and-asyncrat-spreading.html)**

By [Chetan Raghuprasad](https://twitter.com/CRaghuprasad) and [Vanja Svajcer](https://twitter.com/vanjasvajcer).

Cisco Talos discovered a malicious campaign in October 2021 delivering variants of Nanocore, Netwire and AsyncRAT that target users' information. According to Cisco Secure product telemetry, the victims of this campaign are primarily distributed across the United States, Italy and Singapore.

The actor used complex obfuscation techniques in the downloader script. Each stage of the deobfuscation process yields the decryption routine for the next stage, until the actual malicious downloader code is reached.

The campaign is the latest example of threat actors abusing cloud services such as Microsoft Azure and Amazon Web Services to achieve their objectives. The actor uses the DuckDNS dynamic DNS service to change the domain names of the C2 hosts.

## Executive Summary

Threat actors are increasingly using cloud technologies to achieve their objectives without having to host their own infrastructure. Cloud services such as Azure and AWS allow attackers to set up infrastructure and connect it to the internet with minimal time or monetary commitment, and hosting on shared, reputable platforms makes it harder for defenders to track down and block the attackers' operations.

The threat actor in this case used cloud services to deploy and deliver variants of commodity RATs with information-stealing capability, starting around Oct. 26, 2021. These remote access trojans (RATs) are packed with features that let the attacker take control of the victim's environment, execute arbitrary commands remotely and steal the victim's information.
The initial infection vector is a phishing email with a malicious ZIP attachment. The ZIP archive contains an ISO image with a malicious loader in the form of JavaScript, a Windows batch file or a Visual Basic script. When the initial script is executed on the victim's machine, it connects to a download server to fetch the next stage, which can be hosted on an Azure-based Windows server or an AWS EC2 instance. To deliver the malware payload, the actor registered several malicious subdomains using DuckDNS, a free dynamic DNS service.

The malware families associated with this campaign are variants of the Netwire, Nanocore and AsyncRAT remote access trojans.

Organizations should inspect outgoing connections to cloud computing services for malicious traffic; a destination inside a major cloud provider's address space is not a signal of legitimacy on its own. The campaigns described in this post demonstrate the increasing use of popular cloud platforms for hosting malicious infrastructure.

_Infection summary diagram._

## The Payload

The observed campaigns are using variants of [Nanocore](https://blog.talosintelligence.com/2021/04/a-year-of-fajan-evolution-and-bloomberg.html#more), [Netwire](https://blog.talosintelligence.com/2021/09/operation-armor-piercer.html) and [AsyncRAT](https://blog.talosintelligence.com/2021/08/rat-campaign-targets-latin-america.html) as payloads. These are commodity RATs that have been widely used in other campaigns.

**NanocoreRAT**

Nanocore is a 32-bit .NET portable executable first seen in the wild in 2013. Since 2017, leaked versions of Nanocore have been widely used by threat actors in their campaigns. Extracting the configuration from the Nanocore client samples associated with this campaign showed they are built from version 1.2.2.0, a leaked version, with an Oct. 26, 2021 build date. The C2 server is mback5338[.]duckdns[.]org, listening on TCP port 7632. The build date correlates with the likely start of the campaign.
_Nanocore variant config file._

We have also observed other C2 domains and port numbers used by different Nanocore client samples associated with these campaigns:

- nanoboss[.]duckdns[.]org
- justinalwhitedd554[.]duckdns[.]org

The plugins included with the payload are the Client and SurveillanceEx plugins. The Client plugin handles the RAT's communications with the C2 server, and the SurveillanceEx plugin provides video and audio capture and remote desktop capability.

**NetwireRAT**

NetwireRAT is a known threat used by threat actors to steal victims' passwords, login credentials and credit card data. It can remotely execute commands and collect filesystem information. The trojan establishes persistence by writing the registry values:

- HKEY_CURRENT_USER\Software\NETwIRe\HostId
- HKEY_CURRENT_USER\Software\NETwIRe\Install Date
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\SysWOW32, with the path to the trojan as its data

The first two values are the RAT's own configuration; the Run value is what relaunches it at logon.

**AsyncRAT**

AsyncRAT is a remote access tool designed to remotely monitor and control computers over an encrypted connection. Threat actors in this campaign configure the AsyncRAT client to connect to their C2 server and provide the attacker with remote access to the victim's machine. Using features such as the keylogger, screen recorder and system configuration manager, the attacker can steal confidential data from the victim's machine. AsyncRAT creates the mutex "AsyncMutex_6SI8OkPnk" as an infection marker on the victim's machine.

_AsyncRAT variant mutex function._

The decrypted AsyncRAT configuration contains the C2 domain and port. In this instance, the C2 domain is asyncmoney[.]duckdns[.]org on TCP port 7829. We have also observed this variant of AsyncRAT communicating with the C2 domain over TCP ports 7840, 7841 and 7842.
_AsyncRAT variant C2 connection parameters._

## Infection chain

The infection chain starts with an email carrying a malicious ZIP attachment. The ZIP file contains an ISO image, which in turn holds the loader in JavaScript, Visual Basic script or Windows batch file format. The actor attempts to entice recipients by purporting that the attachment is an invoice.

_Phishing email example._

The first few characters of the ZIP file names are randomly generated and could be specific to the campaign. Some of the observed ZIP file names are:

- WROOT_Invoice_Copy.zip
- YUEOP_Invoice_Copy.zip
- HOO8M_Invoice_Copy.zip
- TROOS_Invoice_Copy.zip
- TBROO1_Invoice_Copy.zip

**JavaScript Downloader**

The JavaScript downloader is an obfuscated script with four layers of obfuscation. Each layer's deobfuscation routine is itself produced by the previous layer, so the script has to be peeled one stage at a time.

**Layer 1 deobfuscation**

The first level of decryption is performed by the function 'ejv()', which iterates over each character of the obfuscated data in an array, performs a series of arithmetic operations on each character and returns the deobfuscated result.

_First level decryption function._

The output of 'ejv()' is the second-stage decryption routine.

_Second level decryption function._

**Layer 2 deobfuscation**

The remaining encrypted contents of the JavaScript downloader are decrypted in two sub-phases. First they are decrypted by 'ejv()', and then the result is passed to the second-level decryption function. The result contains another decryption function, 'Ox$()', which is the third-layer decryption function.

_Third-level decryption function._

**Layer 3 deobfuscation**

The encrypted strings produced by the Layer 2 deobfuscation are decrypted by 'Ox$()'.
The decrypted result of Layer 3 is another obfuscated function with multiple function calls returning values and a series of eval() calls that invoke the third-level decryption function 'Ox$()' to decrypt the malicious downloader code.

_Obfuscated malicious downloader code._

While analysing another sample of the JavaScript downloader from this campaign, we observed a slightly different result from the Layer 3 deobfuscation. The code is likely generated automatically and randomized to make detection more difficult.

_Obfuscated malicious downloader code (second sample)._

**Layer 4 deobfuscation**

The final stage of deobfuscation is performed in Layer 4, using the third-level decryption function together with some self-decryption logic within the code. The Layer 4 decrypted code is not just a downloader; it also:

- Configures the logon autostart registry key "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" to establish persistence.
- Configures scheduled tasks by invoking the schtasks.exe process.
- Downloads the payload from the download server at the URL http://gg1592661[.]duckdns[.]org:7924/vre. The payloads downloaded in the observed campaigns are variants of the Netwire, Nanocore and AsyncRAT remote access trojans, saved to and executed from the user's temporary folder on the victim's machine.
- Attempts to manipulate the alternate data stream that records a file's internet origin (the mark-of-the-web) so the downloaded payload does not appear to have come from the internet.
- Collects the value of the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProductId to fingerprint the victim's machine.

Aside from the JavaScript loader, we have observed a batch file downloader and a VBScript downloader in our Cisco Secure Endpoint telemetry.
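Before moving on to the other loaders, an added example (not code from the Talos post) of a gateway-side triage for the attachment chain described under Infection chain: a ZIP wrapping an ISO that carries a JS, VBS or BAT loader. The sample attachment is constructed in memory; its ISO is a skeleton with only a primary volume descriptor and one fake directory record, not a real campaign file. The check identifies the ISO by its `CD001` signature rather than by extension, then scans the image for loader-style names. A full ISO 9660 parser would walk the directory records; the regex scan is a deliberate shortcut that works because ISO 9660 level 1 identifiers are stored as plain ASCII `NAME.EXT;1`.

```python
import io
import re
import zipfile

ISO_PVD_OFFSET = 0x8000   # primary volume descriptor sits in sector 16 (2048-byte sectors)
ISO_MAGIC = b"CD001"      # standard identifier at byte 1 of the descriptor

# Loader types seen in the campaign (JS, VBS, BAT) plus their close relatives.
# ISO 9660 level 1 identifiers are ASCII 'NAME.EXT;1', so a raw scan finds them.
LOADER_NAME_RE = re.compile(
    rb"([A-Za-z0-9_\-]{1,64})\.(JS|JSE|VBS|VBE|BAT|CMD|WSF)(?:;1)?\b", re.IGNORECASE
)


def is_iso9660(data: bytes) -> bool:
    """Signature check: a renamed .iso still mounts on double-click, so never
    trust the extension alone."""
    start = ISO_PVD_OFFSET + 1
    return len(data) >= start + len(ISO_MAGIC) and data[start:start + len(ISO_MAGIC)] == ISO_MAGIC


def loader_names_in_iso(data: bytes) -> list:
    """Crude directory scan for script loaders (no full filesystem parse)."""
    found = {m.group(1).decode("ascii") + "." + m.group(2).decode("ascii").upper()
             for m in LOADER_NAME_RE.finditer(data)}
    return sorted(found)


def triage_zip(zip_bytes: bytes, max_member: int = 64 * 1024 * 1024) -> dict:
    """Open a ZIP attachment in memory and report ISO members and the script
    loaders found inside them."""
    report = {"iso_members": [], "loaders": [], "suspicious": False}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.file_size > max_member:       # refuse to inflate bombs
                continue
            blob = zf.read(info)
            if is_iso9660(blob):
                report["iso_members"].append(info.filename)
                report["loaders"].extend(loader_names_in_iso(blob))
    report["suspicious"] = bool(report["iso_members"] and report["loaders"])
    return report


def build_sample_attachment() -> bytes:
    """Constructed sample, not a real campaign file: a ZIP named like the
    lures, wrapping a skeletal ISO 9660 image whose directory area names a
    JavaScript loader."""
    image = bytearray(ISO_PVD_OFFSET + 2 * 2048)
    image[ISO_PVD_OFFSET] = 1                                   # type 1 = primary
    image[ISO_PVD_OFFSET + 1:ISO_PVD_OFFSET + 6] = ISO_MAGIC
    image[ISO_PVD_OFFSET + 6] = 1                               # descriptor version
    # A directory record's file identifier starts at byte 33 of the record.
    record = b"\x00" * 33 + b"WROOT_INVOICE_COPY.JS;1\x00"
    offset = ISO_PVD_OFFSET + 2048                              # next sector
    image[offset:offset + len(record)] = record
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("WROOT_Invoice_Copy.iso", bytes(image))
    return buf.getvalue()


if __name__ == "__main__":
    print(triage_zip(build_sample_attachment()))
```

In production the same routine should also recurse into nested archives and cap total inflated size, since the loader could just as well sit one more container deeper.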
**Batch file downloader**

The batch script contains an obfuscated command that runs PowerShell to download and run a payload from a download server, in this instance 13[.]78[.]209[.]105 on Azure.

_Batch script downloader trojan._

**VBScript downloader**

The obfuscated VB downloaders execute a PowerShell command that connects to the download server, for example 52[.]27[.]15[.]250, running on AWS EC2.

_VBScript trojan downloader._

**PowerShell dropper**

Our investigation of the download servers in Azure uncovered a PowerShell dropper script that appears to be built with the HCrypt builder. The script drops and runs a variant of the AsyncRAT trojan on the victim machine. Trend Micro researchers identified similar [PowerShell droppers in another campaign they named "Water Basilisk."](https://www.trendmicro.com/en_no/research/21/i/Water-Basilisk-Uses-New-HCrypt-Variant-to-Flood-Victims-with-RAT-Payloads.html)

_PowerShell dropper._

The embedded binary is reconstructed using the String.Replace function to replace every occurrence of a delimiter character with the digit 0. The resulting string containing the payload, together with a second string containing an injector .NET assembly DLL, is passed to the function H2, which converts it into a byte array. The generated byte array is then loaded as an assembly module and used to inject the payload.

_Deobfuscated injector._

_Deobfuscated PowerShell loader command._

The script launches the process aspnet_compiler.exe on the victim machine, injects the AsyncRAT payload into it and starts a thread to run the payload. Injecting into a signed Microsoft binary from the .NET Framework directory gives the RAT a benign-looking image path and parent. In this instance, the C2 server for the payload is yuri101[.]duckdns[.]org, hosted on the IP address 64[.]188[.]16[.]134.

_PowerShell dropper infection flow._

## Actor's Infrastructure

The actor in this campaign maintains a distributed infrastructure consisting of download servers, command and control servers, and malicious subdomains.
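An added example, not the dropper's own code nor Talos or Trend Micro tooling: a Python reimplementation of the reconstruction step described above, so the embedded binaries can be pulled out of a dropper during static analysis instead of letting PowerShell run it. Two assumptions are mine: that H2 turns a hex string into bytes two characters at a time (the post only says it produces a byte array), and that the delimiter is a single non-hex character, which is what makes the Replace trick reversible. The `$H1`/`$H2` script text and the two binaries are constructed stand-ins.

```python
import binascii
import re

HEX_CHARS = set("0123456789abcdefABCDEF")


def guess_delimiter(obf: str) -> str:
    """HCrypt builds vary the delimiter, so derive it: after substitution the
    string is hex plus exactly one foreign character."""
    foreign = {c for c in obf if c not in HEX_CHARS}
    if len(foreign) != 1:
        raise ValueError(f"expected one delimiter, found {sorted(foreign)!r}")
    return foreign.pop()


def reconstruct_blob(obf: str, delimiter: str) -> bytes:
    """Undo the String.Replace step (delimiter -> '0'), then apply the
    assumed H2 behaviour: hex pairs to bytes."""
    hex_str = obf.replace(delimiter, "0")
    if len(hex_str) % 2 or not re.fullmatch(r"[0-9A-Fa-f]*", hex_str):
        raise ValueError("not a hex blob after delimiter restoration")
    return binascii.unhexlify(hex_str)


def classify(blob: bytes) -> str:
    """MZ with a valid e_lfanew -> 'pe'; MZ alone -> 'mz-stub'; else 'unknown'."""
    if blob[:2] != b"MZ":
        return "unknown"
    if len(blob) >= 0x40:
        pe_off = int.from_bytes(blob[0x3C:0x40], "little")
        if blob[pe_off:pe_off + 4] == b"PE\x00\x00":
            return "pe"
    return "mz-stub"


def decode_dropper(script: str) -> list:
    """Pull every long single-quoted string out of the script text and decode
    it; the dropper carries the payload and the injector DLL this way."""
    results = []
    for blob_str in re.findall(r"'([^']{64,})'", script):
        delim = guess_delimiter(blob_str)
        blob = reconstruct_blob(blob_str, delim)
        results.append({"delimiter": delim, "size": len(blob), "kind": classify(blob)})
    return results


def obfuscate_for_demo(blob: bytes, delimiter: str) -> str:
    """Forward direction, used only to build the constructed sample below."""
    return binascii.hexlify(blob).decode().replace("0", delimiter)


# Constructed stand-ins (not malware): a 68-byte MZ/PE header skeleton for
# the "payload" and a bare MZ stub for the "injector".
FAKE_PE = b"MZ" + b"\x00" * 0x3A + (0x40).to_bytes(4, "little") + b"PE\x00\x00"
FAKE_STUB = b"MZ" + b"\x00" * 62
SAMPLE_SCRIPT = (
    "$H1 = '" + obfuscate_for_demo(FAKE_PE, "#") + "';\n"
    "$H2 = '" + obfuscate_for_demo(FAKE_STUB, "#") + "';\n"
    "[Byte[]]$b = H2($H1.Replace('#','0')); [Byte[]]$i = H2($H2.Replace('#','0'))\n"
)

if __name__ == "__main__":
    for r in decode_dropper(SAMPLE_SCRIPT):
        print(r)
```

Deriving the delimiter instead of hard-coding it matters because each build picks a different character; the reversal is lossless only because the delimiter is never itself a hex digit.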
The download servers are hosted on Microsoft Azure and AWS. We discovered Windows instances on Azure at the IP addresses shown below:

- 13[.]78[.]209[.]105 in the WestCentralUS region, with the hostname "GOOGLE".
- 23[.]102[.]1[.]5 in the NorthEurope region, with SMB authentication enabled.
- 40[.]85[.]140[.]7 in the NorthEurope region.
- 52[.]150[.]26[.]35 in the EastUS region, with the hostname "spinxamp".
- 13[.]82[.]65[.]56 in the EastUS region.
- 137[.]135[.]65[.]29 in the EastUS region, with the hostname "sj-2nd" and SMB authentication enabled.

Another server is hosted on AWS at the IP address 52[.]27[.]15[.]250, with the FQDN ec2-52-27-15-250.us-west-2.compute.amazonaws.com. We are not sure about the operating system of this instance.

Some of the download servers run the Apache web server. The HTTP servers are configured to allow directory listing, and the open directories contain variants of the Nanocore, Netwire and AsyncRAT malware.

_Open directory of malware repositories on a download server._

Each RAT instance connects to a C2 server according to its configuration. The C2 servers are Windows-based servers, mostly compromised by the actor, at the IP addresses 103[.]151[.]123[.]194, 185[.]249[.]196[.]175 and 64[.]188[.]16[.]134. For the RATs' C2 domains, the actor uses the dynamic DNS subdomains asyncmoney[.]duckdns[.]org, nwire733[.]duckdns[.]org, mback5338[.]duckdns[.]org and yuri101[.]duckdns[.]org.

## Malicious domains

DuckDNS is a free dynamic DNS service that lets users create subdomains under duckdns.org and keep their records updated with the DuckDNS update scripts. The actor created malicious DuckDNS subdomains to deliver malware in this campaign. Some of the actor-controlled subdomains resolve to the download servers on Azure, while others resolve to the servers operated as C2 for the remote access trojan payloads:
- gg1592661[.]duckdns[.]org
- btime1624[.]duckdns[.]org
- justinalwhitedd554[.]duckdns[.]org
- wz303811[.]duckdns[.]org
- js1994[.]duckdns[.]org
- backu4734[.]duckdns[.]org
- www[.]backu4734[.]duckdns[.]org
- mback5338[.]duckdns[.]org
- nwire733[.]duckdns[.]org
- asyncmoney[.]duckdns[.]org
- nanoboss[.]duckdns[.]org
- asyncspread[.]duckdns[.]org
- tdeasy[.]duckdns[.]org
- dingspread[.]duckdns[.]org
- asyncpcc[.]duckdns[.]org
- jw9428875[.]duckdns[.]org
- meunknown[.]duckdns[.]org
- yuri101[.]duckdns[.]org

Cisco Umbrella classified these domains as malicious on Oct. 26, 2021. The volume of DNS requests observed in Cisco Umbrella for most of the subdomains associated with this campaign follows the same pattern as the graph below, which shows that the campaigns started in October 2021.

_DNS requests for gg1592661[.]duckdns[.]org._

## Victimology

According to the distribution of DNS requests to the malicious subdomains of this campaign, we observe requests primarily from the United States, Canada, Italy and Singapore, with a few requests from Spain and South Korea.

## Conclusion

In this post we have described campaigns demonstrating that threat actors are actively using cloud services in their malicious operations. The initial infection vector is primarily a phishing email with a malicious ZIP attachment. Despite being one of the oldest infection vectors, email is still an important infection path that needs to be protected. The ZIP file contains an ISO image holding a malicious obfuscated downloader. The payloads of these campaigns are instances of the Nanocore, Netwire and AsyncRAT remote access trojans. The RAT payloads use DuckDNS.org dynamic DNS so the actor can regularly change the IP addresses of C2 servers and quickly add new subdomains. We also discovered an obfuscated PowerShell dropper script built with the HCrypt builder associated with the download servers of this campaign.
Organizations should deploy comprehensive, multi-layered security controls to detect similar threats and safeguard their assets. Defenders should monitor traffic leaving their organization and implement robust script execution policies on their endpoints. It is even more important for organizations to improve email security to detect and mitigate malicious email messages and break the infection chain as early as possible.

## Coverage

Ways our customers can detect and block this threat are listed below.

[Cisco Secure Endpoint](https://www.cisco.com/c/en/us/products/security/amp-for-endpoints/index.html) (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. [Try Secure Endpoint for free here.](https://www.cisco.com/c/en/us/products/security/amp-for-endpoints/free-trial.html?utm_medium=web-referral?utm_source=cisco&utm_campaign=amp-free-trial&utm_term=pgm-talos-trial&utm_content=amp-free-trial)

[Cisco Secure Web Appliance](https://www.cisco.com/c/en/us/products/security/web-security-appliance/index.html) web scanning prevents access to malicious websites and detects malware used in these attacks.

[Cisco Secure Email](https://www.cisco.com/c/en/us/products/security/email-security/index.html) (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign.
You can try Secure Email for free [here.](https://www.cisco.com/c/en/us/products/security/cloud-mailbox-defense?utm_medium=web-referral&utm_source=cisco&utm_campaign=cmd-free-trial-request&utm_term=pgm-talos-trial)

[Cisco Secure Firewall](https://www.cisco.com/c/en/us/products/security/firewalls/index.html) (formerly Next-Generation Firewall and Firepower NGFW) appliances such as [Threat Defense Virtual](https://www.cisco.com/c/en/us/products/collateral/security/firepower-ngfw-virtual/datasheet-c78-742858.html), [Adaptive Security Appliance](https://www.cisco.com/c/en/us/products/security/adaptive-security-appliance-asa-software/index.html) and [Meraki MX](https://meraki.cisco.com/products/appliances) can detect malicious activity associated with this threat.

[Cisco Secure Malware Analytics (Threat Grid)](https://www.cisco.com/c/en/us/products/security/threat-grid/index.html) identifies malicious binaries and builds protection into all Cisco Secure products.

[Umbrella](https://umbrella.cisco.com/), Cisco's secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network. [Sign up for a free trial of Umbrella here.](https://signup.umbrella.com/?utm_medium=web-referral?utm_source=cisco&utm_campaign=umbrella-free-trial&utm_term=pgm-talos-trial&utm_content=automated-free-trial)

[Cisco Secure Web Appliance](https://www.cisco.com/c/en/us/products/security/web-security-appliance/index.html) (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.
Additional protections with context to your specific environment and threat data are [available from the Firewall Management Center.](https://www.cisco.com/c/en/us/products/security/firepower-management-center/index.html)

[Cisco Duo](https://signup.duo.com/?utm_source=talos&utm_medium=referral&utm_campaign=duo-free-trial) provides multi-factor authentication for users to ensure only those authorized are accessing your network.

Open-source Snort Subscriber Rule Set customers can stay up to date by downloading [the latest rule pack available for purchase on Snort.org.](https://www.snort.org/products) The following Snort SIDs have been released to detect this threat: 58758-58773.

[Cisco Secure Endpoint users can use Orbital Advanced Search to run complex OSqueries](https://orbital.amp.cisco.com/help/) to see if their endpoints are infected with this specific threat. For specific [OSqueries on this threat, click here.](https://github.com/Cisco-Talos/osquery_queries/commit/b2aa7f509390c7bca4394ec58eb2cd5f4100162b)

The following ClamAV signatures have been released to detect this threat:

- Ps1.Dropper.HCrypt-9913873-0
- Txt.Trojan.BatchDownloader-9913886-0
- Win.Trojan.AsyncRAT-9914220-0
- Txt.Downloader.Agent-9914217-0
- Js.Trojan.Agent-9914218-0
- Js.Downloader.Agent-9914219-0
- Win.Packed.Samas-7998113-0
- Win.Trojan.NanoCore-9852758-0
- Win.Dropper.NetWire-8025706-0
- Win.Malware.Generickdz-9865912-0
- Win.Dropper.Joiner-6

## IOCs

**IP Address**

- 13[.]78[.]209[.]105
- 13[.]82[.]65[.]56
- 103[.]151[.]123[.]194
- 194[.]156[.]90[.]26
- 52[.]27[.]15[.]250
- 23[.]102[.]1[.]5
- 137[.]135[.]65[.]29
- 40[.]85[.]140[.]7
- 52[.]150[.]26[.]35

**Domains**

- gg1592661[.]duckdns[.]org
- btime1624[.]duckdns[.]org
- justinalwhitedd554[.]duckdns[.]org
- wz303811[.]duckdns[.]org
- js1994[.]duckdns[.]org
- backu4734[.]duckdns[.]org
- www[.]backu4734[.]duckdns[.]org
- mback5338[.]duckdns[.]org
- nwire733[.]duckdns[.]org
- asyncmoney[.]duckdns[.]org
- nanoboss[.]duckdns[.]org
- tdeasy[.]duckdns[.]org
- dingspread[.]duckdns[.]org
- asyncspread[.]duckdns[.]org
- jw9428875[.]duckdns[.]org
- meunknown[.]duckdns[.]org
- asyncpcc[.]duckdns[.]org
- yuri101[.]duckdns[.]org

**URLs**

- hxxp://13.78.209[.]105/
- hxxp://13.78.209[.]105/b/
- hxxp://13.78.209[.]105/b/7632JUST.exe
- hxxp://13.78.209[.]105/b/7632just.exe/
- hxxp://13.78.209[.]105/b/8903mback.exe
- hxxp://13.78.209[.]105/B/8903MBACK.exe
- hxxp://13.78.209[.]105/B/AsyncClient7842.exe
- hxxp://13.78.209[.]105/B/Host.exe
- hxxp://13.78.209[.]105/D/Servers/
- hxxp://13.78.209[.]105/D/Servers/7632JUST.js
- hxxp://13.78.209[.]105/d/servers/8093mm.exe
- hxxp://13.78.209[.]105/D/Servers/AsyncClient.exe
- hxxp://13.78.209[.]105/d/servers/hostkfkk.exe
- hxxp://13.78.209[.]105/D/Servers/Netwire_prevent.exe
- hxxp://13.78.209[.]105/d/servers/netwire_prevent.exe
- hxxp://13.78.209[.]105/E
- hxxp://13.78.209[.]105/E/AsyncClient6121.exe
- hxxp://13.78.209[.]105/E/ClientDC.exe
- hxxp://13.78.209[.]105/E/Er.txt
- hxxp://13.78.209[.]105/E/nano6129.exe
- hxxp://13.78.209[.]105/E/New%20folder/7632.exe
- hxxp://13.78.209[.]105/E/New%20folder/8903.exe
- hxxp://13.78.209[.]105/E/New%20folder/Async7842.exe
- hxxp://13.78.209[.]105/E/New%20folder/Host.exe
- hxxp://btime1624.duckdns[.]org:7923/
- hxxp://btime1624.duckdns[.]org:7923/Vre
- hxxp://btime1624.duckdns[.]org/
- hxxp://btime1624.duckdns[.]org/B
- hxxp://btime1624.duckdns[.]org/b/7632just.exe
- hxxp://btime1624.duckdns[.]org/B/7632JUST.exe/
- hxxp://btime1624.duckdns[.]org/b/8903mback.exe
- hxxp://btime1624.duckdns[.]org/B/8903MBACK.exe/
- hxxp://btime1624.duckdns[.]org/B/Host.exe
- hxxp://btime1624.duckdns[.]org/D/Servers/
- hxxp://btime1624.duckdns[.]org/D/Servers/7632KL.exe
- hxxp://btime1624.duckdns[.]org/d/servers/8093mm.exe
- hxxp://btime1624.duckdns[.]org/d/servers/asyncclient.exe
- hxxp://btime1624.duckdns[.]org/d/servers/hostkfkk.exe
- hxxp://btime1624.duckdns[.]org/D/Servers/HostKfkk.exe
- hxxp://btime1624.duckdns[.]org/D/Servers/Netwire_prevent.exe
- hxxp://btime1624.duckdns[.]org/e/asyncclient6121.exe
- hxxp://btime1624.duckdns[.]org/E/ClientDC.exe
- hxxp://btime1624.duckdns[.]org/E/New%20folder/7632.exe
- hxxp://btime1624.duckdns[.]org/E/New%20folder/8903.exe
- hxxp://btime1624.duckdns[.]org/e/new%20folder/async7842.exe
- hxxp://btime1624.duckdns[.]org/E/New%20folder/Async7842.exe
- hxxp://btime1624.duckdns[.]org/E/New%20folder/Host.exe
- hxxp://gg1592661.duckdns[.]org/
- hxxp://gg1592661.duckdns[.]org/B/
- hxxp://gg1592661.duckdns[.]org/b/
- hxxp://gg1592661.duckdns[.]org/B/7632JUST.exe
- hxxp://gg1592661.duckdns[.]org/b/7632just.exe
- hxxp://gg1592661.duckdns[.]org/B/8903MBACK.exe
- hxxp://gg1592661.duckdns[.]org/b/8903mback.exe
- hxxp://gg1592661.duckdns[.]org/B/AsyncClient7842.exe
- hxxp://gg1592661.duckdns[.]org/b/asyncclient7842.exe
- hxxp://gg1592661.duckdns[.]org/b/Host.exe
- hxxp://gg1592661.duckdns[.]org/b/host.exe
- hxxp://gg1592661.duckdns[.]org/D/Servers/
- hxxp://gg1592661.duckdns[.]org/d/servers/7632kl.exe
- hxxp://gg1592661.duckdns[.]org/D/Servers/8093mm.exe
- hxxp://gg1592661.duckdns[.]org/D/Servers/AsyncClient.exe
- hxxp://gg1592661.duckdns[.]org/D/Servers/HostKfkk.exe
- hxxp://gg1592661.duckdns[.]org/D/Servers/Netwire_prevent.exe
- hxxp://gg1592661.duckdns[.]org/d/servers/netwire_prevent.exe
- hxxp://gg1592661.duckdns[.]org/E
- hxxp://gg1592661.duckdns[.]org/E/ClientDC.exe
- hxxp://gg1592661.duckdns[.]org/E/nano6129.exe
- hxxp://gg1592661.duckdns[.]org/E/New%20folder/7632.exe
- hxxp://gg1592661.duckdns[.]org/E/New%20folder/8903.exe
- hxxp://gg1592661.duckdns[.]org/E/New%20folder/Async7842.exe
- hxxp://gg1592661.duckdns[.]org/e/new%20folder/async7842.exe
- hxxp://gg1592661.duckdns[.]org/Vre
- hxxps://btime1624.duckdns[.]org/
- hxxps://btime1624.duckdns[.]org/B/Host.exe/
- hxxps://gg1592661.duckdns[.]org/
- hxxps://gg1592661.duckdns[.]org/B/AsyncClient7842.exe
- hxxps://gg1592661.duckdns[.]org/C
- hxxps://gg1592661.duckdns[.]org/D/Servers/
- hxxps://gg1592661.duckdns[.]org/E/AsyncClient6121.exe
- hxxp://194.156.90[.]26:8012/Vre
- hxxp://52.27.15[.]250/A/behdhdjdj.txt
- hxxp://52.27.15[.]250/A/SJJS.txt
- hxxp://52.27.15[.]250/A/HSHSJSJD.txt
- hxxp://nanoboss.duckdns[.]org/
- hxxp://23.102.1[.]5/
- hxxp://asyncspread.duckdns[.]org/
- hxxp://tdeasy.duckdns[.]org/Vre
- tcp://asyncspread.duckdns[.]org:6121/
- tcp://nanoboss.duckdns[.]org:6129/
- hxxp://23.102.1[.]5:6129/
- hxxp://tdeasy.duckdns[.]org/
- hxxps://tdeasy.duckdns[.]org/
- hxxp://tdeasy.duckdns[.]org:6128/
- hxxp://tdeasy.duckdns[.]org:6128/Vre
- hxxp://dingspread.duckdns[.]org/vre/*
- hxxp://dingspread.duckdns[.]org:6130/
- hxxp://dingspread.duckdns[.]org:6130/Vre
- hxxp://jw9428875.duckdns[.]org:1991/Vre
- hxxp://meunknown.duckdns[.]org/
- hxxp://52.150.26[.]35/bypass.txt
- hxxp://52.150.26[.]35/PE.txt
- hxxp://52.150.26[.]35/pe.txt
- hxxp://40.85.140[.]7/bypass.txt
- hxxp://40.85.140[.]7/PE.txt
- hxxp://40.85.140[.]7/pe.txt
- hxxp://137.135.65[.]29/bypass.txt
- hxxp://137.135.65[.]29/PE.txt
- hxxp://137.135.65[.]29/pe.txt

**Mutex**

- AsyncMutex_6SI8OkPnk

**Hashes**

**Batch File**

- 5d64794cf6025bccda9ea93926894bc49599573a8f59905cdb394e5137496150
- 44f5442b45a48365cdd6c7d1f16ba19dea4fb1865ea4e9178c5758929f59d0f7

**VB Script**

- 48951f6847400dd39cba2f5ba0376e08bb4b7e36a4c3567792289734758b7bf9

**JavaScript**

- 5d7a0823b291315c81e35ed0c7ca7c81c6595c7ca9e5ebf0f56993a02d77c1f2
- e3f46470aa9ef52628f741e07db33a6af854693ae2a761d397bf87fbfbe687c9
- 5518f5e20b27a4b10ebc7abce37c733ab532354b5db6aed7edf19c25caba2ff3
- 8ffde50491ef1cfc93f417b731186a08fb6c3e5aad21f131a60b87936bd3f850
- a5d5de41b6546981f2284c07aa2fe17ac0b15727fb96fdff33db020a0826810e
- bbceba6fd06b01bd5c69ccab1ea106189455e1e85e577e278f9f362940b5442c
- 959484bfe98d39321a877e976a7cde13c9e2d0667a155dda17aeade58b68391c
- 7257729274b6ab5c1a605900fa40b2a76f386b3dbb3c0f4ab29e85b780eaef73
- eae81605341641ad10c18ab60b79339617f0219abaa1ab5ee7883fc9d429b885
- d42e5f2e60b39e2aca3dd09a4dd5803a04b33821e6da8808ef9ef450d6771e30

**PowerShell dropper**

- be02ba931ff61e5fb9ea332d41cf347d12fc84b4557ad28d82d2b2551406e4da

**NetwireRATs**

- bffb4b88ef53beb49ba2af08212870b203a29c7fcd1c8f02e0a905e71a8af6df
- 574b348f67921ce34f660afe2ff75d0538bd5ea203739a77479dba7f026f0476
- 6b4401690cb0a07ee98ff3c5fc351b20c6e0a4ba7474c6ad858e5dc69a60b36f
- 843c5f7a818681e3df212c80515cdce0bd56c6e178412736b8a22b15ebb35435

**NanocoreRATs**

- 2605a1cb2b510612119fdb0e62b543d035ad4f3c873d0f5a7aa3291968c50bc8
- ff66be4a8df7bd09427a53d2983e693489fbe494edd0244053b29b9f048df136
- 988c1b9c99f74739edaf4e80ecaba04407e0ca7284f3dbd13c87a506bf0e97b7
- 4b61697d61a8835a503f2ea6c202b338bde721644dc3ec3e41131d910c657545
- dfdb008304c3c2a5ec1528fe113e26088b6118c27e27e5d456ff39d300076451
- c8c69f36f89061f4ce86b108c0ff12ade49d665eace2d60ba179a2341bd54c40
- 28ef1f6f0d8350a3fda0f604089288233d169946fca868c074fc16541b140055

**AsyncRATs**

- 2605a1cb2b510612119fdb0e62b543d035ad4f3c873d0f5a7aa3291968c50bc8
- b7f3d1dd2aa804eb498480b7a3b03ea003efb665005e844e51be5b8ab9dc8e79
- 68106918876232b746129b1161c3ac81914672776522f722062945f55166ba68
- 1dd6d37553168fa3929f5eaa5b2b0505aae5897809b532dd0b12eae8ffd8957f
- 1490f6303a675ded86c22841f87868c6f0867e922671e0426f499e46a72060d2
- 98e3e47c326aeb2e6001efca84737ae0ef78ce3576912aebfcbe05105db3f72a
- c8dec500839b3698755d9304442aa9f3516218b7c6340e2b1202dbe83089ab1d
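The domain and IP indicators above, turned into a small detection routine as an added example that is not part of the Talos post: it refangs the defanged notation the IOC section uses, then checks DNS and proxy log lines for exact matches, for the `/Vre` path the stage-2 download URLs share, and for any other DuckDNS lookup, which earns a lower-severity review because the actor rotates subdomains on that service. The two log formats are assumed for the example and the log lines are constructed; adapt the regexes to your own source.

```python
import ipaddress
import re
from typing import Optional
from urllib.parse import urlsplit

# Indicators copied from the post's IOC section, kept in the defanged form the
# post uses so the list can be pasted from the report unchanged.
IOC_DOMAINS_DEFANGED = [
    "gg1592661[.]duckdns[.]org", "btime1624[.]duckdns[.]org",
    "justinalwhitedd554[.]duckdns[.]org", "wz303811[.]duckdns[.]org",
    "js1994[.]duckdns[.]org", "backu4734[.]duckdns[.]org",
    "www[.]backu4734[.]duckdns[.]org", "mback5338[.]duckdns[.]org",
    "nwire733[.]duckdns[.]org", "asyncmoney[.]duckdns[.]org",
    "nanoboss[.]duckdns[.]org", "tdeasy[.]duckdns[.]org",
    "dingspread[.]duckdns[.]org", "asyncspread[.]duckdns[.]org",
    "jw9428875[.]duckdns[.]org", "meunknown[.]duckdns[.]org",
    "asyncpcc[.]duckdns[.]org", "yuri101[.]duckdns[.]org",
]
IOC_IPS_DEFANGED = [
    "13[.]78[.]209[.]105", "13[.]82[.]65[.]56", "103[.]151[.]123[.]194",
    "194[.]156[.]90[.]26", "52[.]27[.]15[.]250", "23[.]102[.]1[.]5",
    "137[.]135[.]65[.]29", "40[.]85[.]140[.]7", "52[.]150[.]26[.]35",
]


def refang(indicator: str) -> str:
    """Turn the report's defanged notation ('[.]', 'hxxp') back into a
    matchable value."""
    return indicator.replace("[.]", ".").replace("hxxp", "http").lower()


IOC_DOMAINS = {refang(d) for d in IOC_DOMAINS_DEFANGED}
IOC_IPS = {ipaddress.ip_address(refang(i)) for i in IOC_IPS_DEFANGED}

# Assumed log formats for this example (constructed, not a vendor format):
#   <ts> dns <client> q=<qname> [a=<answer-ip>]
#   <ts> proxy <client> <url>
DNS_LINE = re.compile(r"^(?P<ts>\S+) dns (?P<src>\S+) q=(?P<qname>\S+)(?: a=(?P<answer>\S+))?$")
PROXY_LINE = re.compile(r"^(?P<ts>\S+) proxy (?P<src>\S+) (?P<url>\S+)$")


def _is_ioc_ip(value: str) -> bool:
    try:
        return ipaddress.ip_address(value) in IOC_IPS
    except ValueError:
        return False


def _host_hit(src: str, host: str) -> Optional[dict]:
    """Exact indicator match is high severity; any other DuckDNS name is
    worth a look because the actor rotates subdomains on that service."""
    if host in IOC_DOMAINS or _is_ioc_ip(host):
        return {"src": src, "sev": "high", "why": f"known campaign host {host}"}
    if host.endswith(".duckdns.org"):
        return {"src": src, "sev": "medium", "why": f"dynamic DNS host {host}"}
    return None


def check_line(line: str) -> list:
    """Return zero or more findings for one log line."""
    hits = []
    m = DNS_LINE.match(line)
    if m:
        hit = _host_hit(m["src"], m["qname"].rstrip(".").lower())
        if hit:
            hits.append(hit)
        if m["answer"] and _is_ioc_ip(m["answer"]):
            hits.append({"src": m["src"], "sev": "high",
                         "why": f"resolved to campaign IP {m['answer']}"})
        return hits
    m = PROXY_LINE.match(line)
    if m:
        url = urlsplit(m["url"])
        hit = _host_hit(m["src"], (url.hostname or "").lower())
        if hit:
            hits.append(hit)
        path = url.path.lower()
        # The download servers serve the stage-2 payload from '/Vre' on
        # non-standard ports; the path alone is a useful weak signal.
        if path == "/vre" or path.startswith("/vre/"):
            hits.append({"src": m["src"], "sev": "medium",
                         "why": f"payload path {url.path} on port {url.port}"})
    return hits


def scan(lines: list) -> list:
    findings = []
    for n, line in enumerate(lines, 1):
        for hit in check_line(line.strip()):
            findings.append({"line": n, **hit})
    return findings


# Constructed sample log (RFC 1918 clients, documentation-range answers
# except for one real campaign IP); not real telemetry.
SAMPLE_LOG = [
    "2021-10-27T09:12:03Z dns 10.0.0.15 q=gg1592661.duckdns.org. a=13.78.209.105",
    "2021-10-27T09:12:04Z proxy 10.0.0.15 http://gg1592661.duckdns.org:7924/vre",
    "2021-10-27T09:13:10Z dns 10.0.0.22 q=www.example.com. a=203.0.113.10",
    "2021-10-27T09:14:51Z dns 10.0.0.31 q=someother123.duckdns.org. a=198.51.100.7",
    "2021-10-27T09:15:02Z proxy 10.0.0.31 http://198.51.100.7:8012/Vre",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"line {f['line']:>2} {f['sev']:<6} {f['src']:<10} {f['why']}")
```

Matching on the resolved answer as well as the query name catches hosts that reach a known server through a subdomain this list does not yet contain, which is exactly what dynamic DNS rotation produces.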