{
	"id": "62c62680-5a1f-4b54-a176-fb26b53e37cb",
	"created_at": "2026-04-06T00:08:23.359542Z",
	"updated_at": "2026-04-10T13:11:43.522039Z",
	"deleted_at": null,
	"sha1_hash": "815d7c8d30ef17acfcb1c98a2301fe341bfe7627",
	"title": "Nanocore, Netwire and AsyncRAT spreading campaign uses public cloud infrastructure",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3088991,
	"plain_text": "Nanocore, Netwire and AsyncRAT spreading campaign uses public\r\ncloud infrastructure\r\nBy Chetan Raghuprasad\r\nPublished: 2022-01-12 · Archived: 2026-04-05 17:08:05 UTC\r\nCisco Talos discovered a malicious campaign in October 2021 delivering variants of Nanocore, Netwire\r\nand AsyncRATs targeting user's information.\r\nAccording to Cisco Secure product telemetry, the victims of this campaign are primarily distributed across\r\nthe United States, Italy and Singapore.\r\nThe actor used complex obfuscation techniques in the downloader script. Each stage of the deobfuscation\r\nprocess results with the decryption methods for the subsequent stages to finally arrive at the actual\r\nmalicious downloader method.\r\nThe campaign is the latest example of threat actors abusing cloud services like Microsoft Azure and\r\nAmazon Web Services and are actively misusing them to achieve their malicious objectives.\r\nThe actor is using the DuckDNS dynamic DNS service to change domain names of the C2 hosts.\r\nExecutive Summary\r\nThreat actors are increasingly using cloud technologies to achieve their objectives without having to resort to\r\nhosting their own infrastructure. These types of cloud services like Azure and AWS allow attackers to set up their\r\ninfrastructure and connect to the internet with minimal time or monetary commitments. It also makes it more\r\ndifficult for defenders to track down the attackers' operations.\r\nThe threat actor in this case used cloud services to deploy and deliver variants of commodity RATs with the\r\ninformation stealing capability starting around Oct. 26, 2021. These variants of Remote Administration Tools\r\n(RATs) are packed with multiple features to take control over the victim's environment to execute arbitrary\r\ncommands remotely and steal the victim's information.\r\nThe initial infection vector is a phishing email with a malicious ZIP attachment. 
These ZIP archive files contain an ISO image with a malicious loader in the form of JavaScript, a Windows batch file or Visual Basic script. When the initial script is executed on the victim's machine, it connects to a download server to fetch the next stage, which can be hosted on an Azure Cloud-based Windows server or an AWS EC2 instance.\r\nTo deliver the malware payload, the actor registered several malicious subdomains using DuckDNS, a free dynamic DNS service. The malware families associated with this campaign are variants of the Netwire, Nanocore and AsyncRAT remote access trojans.\r\nOrganizations should be inspecting outgoing connections to cloud computing services for malicious traffic. The campaigns described in this post demonstrate the increasing use of popular cloud platforms for hosting malicious infrastructure.\r\nhttps://blog.talosintelligence.com/2022/01/nanocore-netwire-and-asyncrat-spreading.html\r\nPage 1 of 22\n\n[Figure: Infection summary diagram.]\r\nThe Payload\r\nThe observed campaigns are using variants of Nanocore, Netwire and AsyncRAT as payloads. These are commodity RATs that have been widely used in other campaigns.\r\nNanocoreRAT\r\nNanocore is a 32-bit .NET portable executable first seen in the wild in 2013. Since 2017, leaked versions of Nanocore have been widely used by threat actors in their campaigns.\r\nExtracting the configuration information from the Nanocore client samples associated with this campaign showed us they are using version 1.2.2.0, which is a leaked version with an Oct. 26, 2021 build date. The C2 server used is mback5338[.]duckdns[.]org, listening on TCP port 7632. 
The build date correlates with the possible start of the campaign.\r\n[Figure: Nanocore variant config file.]\r\nWe have also observed other C2 domains and different port numbers used by different samples of the Nanocore client associated with these campaigns:\r\nnanoboss[.]duckdns[.]org\r\njustinalwhitedd554[.]duckdns[.]org\r\nThe plugins included with the payload are the Client and SurveillanceEx plugins. The Client plugin is used by the RAT to handle communications with the C2 server, and the SurveillanceEx plugin provides video and audio capture and remote desktop capability.\r\nNetwireRAT\r\nNetwireRAT is a known threat used by threat actors to steal victims' passwords, login credentials and credit card data. It has the capability to remotely execute commands and collect filesystem information.\r\nThis trojan establishes persistence by writing the registry keys:\r\nHKEY_CURRENT_USER\\Software\\NETwIRe\\HostId\r\nHKEY_CURRENT_USER\\Software\\NETwIRe\\Install Date\r\nHKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\SysWOW32 with its value set to the path of the trojan.\r\nAsyncRAT\r\nAsyncRAT is a remote access tool meant to remotely monitor and control computers through a secure encrypted connection. Threat actors in this campaign use the AsyncRAT client by setting its configuration to connect to the C2 server and provide the attacker with remote access to the victim's machine. 
Using some of its features, such as the keylogger, screen recorder and system configuration manager, the attacker can steal confidential data from the victim's machine.\r\nAsyncRAT creates the mutex \"AsyncMutex_6SI8OkPnk\" as the infection marker on the victim's machine.\r\n[Figure: AsyncRAT variant mutex function.]\r\nThe AsyncRAT config file is decrypted and contains configuration information such as the C2 domain. In this instance, the C2 domain is asyncmoney[.]duckdns[.]org using TCP port 7829. We have observed that this variant of AsyncRAT communicates with the C2 domain via TCP ports 7840, 7841 and 7842.\r\n[Figure: AsyncRAT variant C2 connection parameters.]\r\nInfection chain\r\nThe infection chain starts with an email that contains a malicious ZIP attachment. The ZIP file contains an ISO image file containing the loader in JavaScript, Visual Basic script or Windows batch file format. The actor has attempted to entice recipients by disguising the attachment as a fake invoice document.\r\n[Figure: Phishing email example.]\r\nThe initial few characters of the ZIP file names are randomly generated and could be specific to the campaign. Some of the observed ZIP file names are:\r\nWROOT_Invoice_Copy.zip\r\nYUEOP_Invoice_Copy.zip\r\nHOO8M_Invoice_Copy.zip\r\nTROOS_Invoice_Copy.zip\r\nTBROO1_Invoice_Copy.zip\r\nJavaScript Downloader\r\nThe downloader JavaScript is an obfuscated script with four layers of obfuscation. 
The deobfuscation process is performed at each stage, with each next stage generated as the result of the previous stage's deobfuscation function.\r\nLayer 1 deobfuscation\r\nThe first level of decryption is performed by the function 'ejv()', which iterates over each character of the obfuscated data in an array, performs a number of arithmetic operations to decrypt the character, and returns the deobfuscated result.\r\n[Figure: First level decryption function.]\r\nThe function 'ejv()' generates the second-stage decryption routine.\r\n[Figure: Second level decryption function.]\r\nLayer 2 deobfuscation\r\nThe remaining encrypted contents of the JavaScript downloader are decrypted in two sub-phases in the Layer 2 deobfuscation process. First, they are decrypted by the decryption function 'ejv()', and then the result is passed to the second-level decryption function.\r\nThe result of the deobfuscation process contains another decryption function, 'Ox$()', which is the third-layer decryption function.\r\n[Figure: Third-level decryption function.]\r\nLayer 3 deobfuscation\r\nThe encrypted strings from the Layer 2 deobfuscation process are decrypted by the function 'Ox$()'. The decrypted result of the Layer 3 deobfuscation process is another obfuscated function, which has multiple function calls returning values and a series of eval() calls invoking the third-level decryption function 'Ox$()' to decrypt the malicious downloader code.\r\n[Figure: Obfuscated malicious downloader code.]\r\nWhile analysing another sample of the JavaScript downloader from this campaign, we observed a slightly different result from the Layer 3 deobfuscation process. 
It is likely that the code is automatically generated and randomized to make the detection process more difficult.\r\n[Figure: Obfuscated malicious downloader code.]\r\nLayer 4 deobfuscation\r\nThe final stage of the deobfuscation of the malicious downloader code is performed in Layer 4, with the help of the third-level decryption function and some self-decryption logic within the code. We observed that the Layer 4 decrypted code is not just a downloader — it also performs other activities such as:\r\n- Configures the Logon Auto Start registry key \"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\" to establish persistence.\r\n- Configures scheduled task jobs by invoking the schtasks.exe process.\r\n- Downloads the payload from the download server with the URL http://gg1592661[.]duckdns[.]org:7924/vre. The payloads downloaded by the observed campaigns are variants of the Netwire, Nanocore and AsyncRAT remote access trojans, saved to and executed from the user's temporary folder on the victim's machine.\r\n- Attempts to interact with the Alternate Data Stream to hide the information about its source as downloaded from the internet.\r\n- Collects information from the registry key HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProductId to fingerprint the victim's machine.\r\nAside from the JavaScript loader trojan, we have observed a batch file downloader trojan and a VBScript downloader trojan in our Cisco Secure Endpoint telemetry.\r\nBatch file downloader\r\nThe batch script contains an obfuscated command that runs PowerShell to download and run a payload from a download server, in this instance 13[.]78[.]209[.]105 on Azure Cloud.\r\n[Figure: Batch script downloader trojan.]\r\nVBScript downloader\r\nObfuscated VB downloaders execute a PowerShell command which connects to the download server, for example 52[.]27[.]15[.]250, running on AWS EC2.\r\n[Figure: VBScript trojan downloader.]\r\nPowerShell dropper\r\nOur investigation of download servers in Azure uncovered a PowerShell dropper script which appears to be built with the HCrypt builder. The script drops and runs a variant of the AsyncRAT trojan on the victim machine. TrendMicro researchers had identified similar PowerShell droppers in another campaign they named \"Water Basilisk.\"\r\n[Figure: PowerShell dropper.]\r\nThe deobfuscated binary is constructed using the String replace function to replace all occurrences of a delimiter character with the digit 0. This string containing the payload, together with a string containing an injector .NET assembly DLL module, is passed to the function H2, which converts it into a binary byte array. From there on, the generated byte array is loaded as an assembly module and used to inject the payload.\r\n[Figure: Deobfuscated injector.]\r\n[Figure: Deobfuscated PowerShell loader command.]\r\nThe script attempts to launch the process aspnet_compiler.exe on the victim machine, inject the AsyncRAT payload and invoke a thread to run the payload. In this instance, the C2 server for the payload is yuri101[.]duckdns[.]org, hosted on the IP address 64[.]188[.]16[.]134.\r\n[Figure: PowerShell dropper infection flow.]\r\nActor's Infrastructure\r\nThe actor in this campaign maintains a distributed infrastructure consisting of download servers, command and control servers, and malicious subdomains. The download servers are hosted on Microsoft Azure and AWS cloud services. 
We have discovered Windows instances on Azure Cloud at the IP addresses shown below:\r\n- 13[.]78[.]209[.]105 in the WestCentralUS cloud region with FQDN \"GOOGLE\".\r\n- 23[.]102[.]1[.]5 in the NorthEurope cloud region, with SMB authentication enabled.\r\n- 40[.]85[.]140[.]7 in the NorthEurope cloud region.\r\n- 52[.]150[.]26[.]35 in the EastUS cloud region with FQDN \"spinxamp\".\r\n- 13[.]82[.]65[.]56 in the EastUS cloud region.\r\n- 137[.]135[.]65[.]29 in the EastUS region with FQDN \"sj-2nd\", with SMB authentication enabled.\r\nAnother server we discovered is hosted on AWS cloud at the IP address 52[.]27[.]15[.]250 with the FQDN ec2-52-27-15-250.us-west-2.compute.amazonaws.com. We are not sure about the operating system of this instance.\r\nSome of the download servers are running the Apache web server. The HTTP servers are configured to allow listing of open directories that contain variants of the NanocoreRAT, Netwire RAT and AsyncRAT malware.\r\n[Figure: Open directory of malware repositories in a download server.]\r\nEach RAT instance connects to a C2 server according to its configuration. The C2 servers are Windows-based servers, mostly compromised by the actor, at the IP addresses 103[.]151[.]123[.]194, 185[.]249[.]196[.]175 and 64[.]188[.]16[.]134. For the RATs' C2 domains, the actor is using the dynamic DNS service subdomains asyncmoney[.]duckdns[.]org, nwire733[.]duckdns[.]org, mback5338[.]duckdns[.]org and yuri101[.]duckdns[.]org.\r\nMalicious domains\r\nDuckDNS is a free dynamic DNS service providing a public DNS server that allows users to create subdomains and maintain the records using the DuckDNS scripts. The actor has created malicious DuckDNS subdomains to deliver malware in this campaign. 
Some of the actor-controlled malicious subdomains resolve to the download server on Azure Cloud, while others resolve to the servers operated as C2 for the remote access trojan payloads.\r\nCisco Umbrella classified these domains as malicious on Oct. 26. The volume of DNS requests observed in Cisco Umbrella for most of the subdomains associated with this campaign shares the same pattern as shown in the graph, which demonstrates that the campaigns started in October 2021.\r\n[Figure: DNS requests for gg1592661[.]duckdns[.]org.]\r\nVictimology\r\nAccording to the distribution of DNS requests to the malicious subdomains of this campaign, we are observing requests primarily from the United States, Canada, Italy and Singapore. We are also seeing a few requests from Spain and South Korea.\r\nConclusion\r\nIn this post we have described campaigns demonstrating that threat actors are actively using cloud services in their malicious campaigns. 
The initial infection vector is primarily a phishing email with a malicious ZIP file attachment. Despite being one of the oldest infection vectors, email is still an important infection path which needs to be protected.\r\nThe ZIP file contains an ISO image file containing a malicious obfuscated downloader. The payloads of these campaigns are instances of the Nanocore, Netwire and AsyncRAT remote access trojans. The RAT payloads are using DuckDNS.org dynamic DNS servers so they can regularly change the IP addresses of C2 servers and quickly add new subdomains.\r\nWe also discovered an obfuscated PowerShell dropper script built by the HCrypt builder associated with the download servers of this campaign.\r\nOrganizations should deploy comprehensive multi-layered security controls to detect similar threats and safeguard their assets. Defenders should monitor traffic to their organization and implement robust rules around script execution policies on their endpoints. It is even more important for organizations to improve email security to detect and mitigate malicious email messages and break the infection chain as early as possible.\r\nCoverage\r\nWays our customers can detect and block this threat are listed below.\r\nCisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here.\r\nCisco Secure Web Appliance web scanning prevents access to malicious websites and detects malware used in these attacks.\r\nCisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. 
You can try Secure Email for free here.\r\nCisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat.\r\nCisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products.\r\nUmbrella, Cisco's secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella here.\r\nCisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.\r\nAdditional protections with context to your specific environment and threat data are available from the Firewall Management Center.\r\nCisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network.\r\nOpen-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org. The following Snort SIDs have been released to detect this threat: 58758-58773.\r\nCisco Secure Endpoint users can use Orbital Advanced Search to run complex OSqueries to see if their endpoints are infected with this specific threat. 
For specific OSqueries on this threat, click here.\r\nThe following ClamAV signatures have been released to detect this threat:\r\nPs1.Dropper.HCrypt-9913873-0\r\nTxt.Trojan.BatchDownloader-9913886-0\r\nWin.Trojan.AsyncRAT-9914220-0\r\nTxt.Downloader.Agent-9914217-0\r\nJs.Trojan.Agent-9914218-0\r\nJs.Downloader.Agent-9914219-0\r\nWin.Packed.Samas-7998113-0\r\nWin.Trojan.NanoCore-9852758-0\r\nWin.Dropper.NetWire-8025706-0\r\nWin.Malware.Generickdz-9865912-0\r\nWin.Dropper.Joiner-6\r\nIOCs\r\nMutex\r\nAsyncMutex_6SI8OkPnk\r\nSource: https://blog.talosintelligence.com/2022/01/nanocore-netwire-and-asyncrat-spreading.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blog.talosintelligence.com/2022/01/nanocore-netwire-and-asyncrat-spreading.html"
	],
	"report_names": [
		"nanocore-netwire-and-asyncrat-spreading.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434103,
	"ts_updated_at": 1775826703,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/815d7c8d30ef17acfcb1c98a2301fe341bfe7627.pdf",
		"text": "https://archive.orkl.eu/815d7c8d30ef17acfcb1c98a2301fe341bfe7627.txt",
		"img": "https://archive.orkl.eu/815d7c8d30ef17acfcb1c98a2301fe341bfe7627.jpg"
	}
}