{
	"id": "4b7e2a16-e2f6-45e1-a2a9-ac67733416b6",
	"created_at": "2026-04-06T00:08:59.119791Z",
	"updated_at": "2026-04-10T13:11:42.766029Z",
	"deleted_at": null,
	"sha1_hash": "5fd0c91d64c56200c95a0ce3732cb3b17d23a805",
	"title": "N-W0rm analysis (Part 2)-Secuinfra GmbH",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 411140,
	"plain_text": "N-W0rm analysis (Part 2)-Secuinfra GmbH\r\nPublished: 2022-05-17 · Archived: 2026-04-05 22:00:41 UTC\r\nBefore we analyze this RAT in depth, we show an overview of its behavior as a diagram. This helps to understand its inner workings at a higher level:\r\nFigure: Overview diagram of the RAT's behavior\r\nhttps://www.secuinfra.com/en/techtalk/n-w0rm-analysis-part-2/\r\nPage 1 of 9\r\nTo analyze this sample, we open it with dnSpy to decompile and, if necessary, debug it.\r\nEntry Point\r\nWe first begin at the entry point of this RAT and analyze the code it executes before we look at the modules this RAT possesses. To jump to the entry point, right-click the class tree on the left in dnSpy and select Go to Entry Point:\r\nFigure 1: How to get to the Entry Point\r\nDoing so leads us to the first called function, uLnqUtvIwAOVXLU. To make things more understandable we have pasted it below. It starts by sleeping for 2 seconds before calling hlIinikmNYFRC.gwgzcfkYmyQKIgW(). If this function returns False, the RAT exits, which means that this function probably performs some environment check. Let’s start by examining what the RAT is checking.\r\nFigure 2: Entry Point\r\nhlIinikmNYFRC.gwgzcfkYmyQKIgW()\r\nThe content of the function can be seen below. The RAT tries to create a new Mutex. The name of the Mutex is stored in the variable hlIinikmNYFRC.HREdkIUrRAzFBOcfZ and is 2e3fb6d0. This makes a great IOC.\r\nFigure 3: Mutex Creation\r\nIf the Mutex already exists, the result is False; if the creation of the Mutex succeeds, the result is True. In conclusion, the entry point checks whether the Mutex already exists, i.e. whether the system is already infected with this RAT, and exits if so, so that only one instance runs at a time. For defenders the same check works in reverse: if a mutex named 2e3fb6d0 exists on a host, an instance of the RAT is running there.\r\nhlIinikmNYFRC.ATCCkfeyJnyt()\r\nIf the Mutex check passes, the RAT calls hlIinikmNYFRC.ATCCkfeyJnyt() and passes an enum. This is just a wrapper around SetThreadExecutionState. According to the Microsoft docs this function does the following:\r\n“Enables an application to inform the system that it is in use, thereby preventing the system from entering sleep or turning off the display while the application is running.”\r\nLastly, the entry point starts a new thread and passes control to hlIinikmNYFRC.fqLxpecOTiCgE.\r\nhlIinikmNYFRC.fqLxpecOTiCgE\r\nThis function starts with an infinite loop and is essentially responsible for receiving commands and interpreting them. If the connection is not yet set up or has been disconnected, it is re-established. Here we also learn the C2 address used by this RAT:\r\nnyanmoney02[.]duckdns.org\r\nAt this point there is an interesting observation. If the connection to the C2 fails, a secondary C2 address is used. However, this fallback address is the same as the primary one. So either the author of the malware forgot to change the fallback address, or this version of the RAT is just an alpha/beta build.\r\nWe will not analyze the socket handling in depth here but instead take a closer look at the information the RAT sends to its operator and at the function that handles the received commands.\r\nInformation Gathering\r\nWhen the RAT creates a new connection or reconnects, it sends some general information about the host to its C2. We will not go through each function line by line but rather summarize what information is collected and sent back:\r\nUser Domain Name\r\nUsername\r\nProcessor count\r\nOS full name\r\nIs user admin?\r\nVersion of the RAT (the analyzed sample reports version v0.3.8)\r\nList of installed antivirus products using a WMI query\r\nLast write time of the RAT on disk\r\nPath of the RAT on disk\r\nModules\r\nBefore we explain all available modules, we first look at the preprocessing of the received data.\r\nFigure 4: Preprocessing of received Data\r\nBefore any module is executed, a further function is called and the input is split. The function GYZswDqNcBskynCV() sends the string “received” to the C2 and then sleeps for 1 second.\r\nNext, the input is split on the hardcoded delimiter “|NW|”. The first element of the resulting list is the key, i.e. the module that should be run. All further elements are used as parameters for the chosen module. Both the fixed delimiter and the constant “received” acknowledgement make useful network signatures, provided the traffic is visible in the clear. We will now explain all modules in depth.\r\nrunFile\r\nFigure 5: Module runFile\r\nThis module is further divided into multiple options. The RAT can execute binaries directly in memory or first write the data to disk and execute it from there. If the passed file is a PowerShell script, the typical arguments are used. Lastly, if array[3] is true, the RAT deletes itself.\r\nrunUrl\r\nThis module is very similar to the previous one, except that the operator passes a URL and the RAT downloads the file itself before executing it.\r\nplugin\r\nHere the operator can load further plugins into this .NET binary and thereby extend its functionality.\r\nclose\r\nThis module does what the name suggests. It closes the Mutex and the TcpClient and then exits.\r\nrestart\r\nCalling this module also first closes the Mutex and the TcpClient and then creates a batch file in the %temp% directory.\r\nFigure 6: Temp Batch Script\r\nAfter the batch file has been started, the program kills itself.\r\ndel\r\nThis module deletes the RAT and closes the Mutex and the TcpClient.\r\nps1\r\nExecutes the provided ps1 file.\r\nurl\r\nHere the content of a passed URL is downloaded. However, it appears that nothing happens if the request is successful.\r\nFigure 7: Module url (decompiled with dnSpy)\r\nTo verify that this is not just some bugged decompilation, I checked my results with ILSpy. The result is more or less the same. Either this method is not finished or it is just used to verify that there is a connection (maybe for sandbox testing?).\r\nFigure 8: Module url (decompiled with ILSpy)\r\nkiller\r\nThis function does what it says: it kills a lot of things. First, it iterates over all processes and applies some checks to the name of the process. If the FileName attribute of the process satisfies one of the checks below and the window of the process is not visible, the next block is entered:\r\nthe path contains “wscript.exe”\r\nthe path contains the User Profile Path (i.e. C:\\Users\\\u003cUSER\u003e)\r\nthe path contains the Common Application Data Path (i.e. C:\\ProgramData)\r\nIf these checks are true, the process is killed, its executable is deleted, and its entry is removed from the Run and RunOnce registry keys located at the following paths:\r\nSoftware\\Microsoft\\Windows\\CurrentVersion\\Run\r\nSoftware\\Microsoft\\Windows\\CurrentVersion\\RunOnce\r\nAfter iterating through all processes, the RAT sends the number of killed processes to its C2. Note how crude the matching is: it is a substring test on the path combined with a window-visibility check, so any windowless process running from the user profile or ProgramData, legitimate per-user agents and updaters included, is terminated and stripped of its Run/RunOnce persistence.\r\nFigure 9: Module killer\r\nIOC\r\nMemory\r\nMutex: 2e3fb6d0\r\nNetwork\r\nC2: nyanmoney02[.]duckdns.org\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.100 Safari/537.36\r\nPort: 9031\r\nYara\r\nYou can find a complete Yara rule here -\u003e SECUINFRA Falcon Team Git\r\nSource: https://www.secuinfra.com/en/techtalk/n-w0rm-analysis-part-2/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.secuinfra.com/en/techtalk/n-w0rm-analysis-part-2/"
	],
	"report_names": [
		"n-w0rm-analysis-part-2"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434139,
	"ts_updated_at": 1775826702,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/5fd0c91d64c56200c95a0ce3732cb3b17d23a805.pdf",
		"text": "https://archive.orkl.eu/5fd0c91d64c56200c95a0ce3732cb3b17d23a805.txt",
		"img": "https://archive.orkl.eu/5fd0c91d64c56200c95a0ce3732cb3b17d23a805.jpg"
	}
}