2021-10-29 Various RAT IOCs

THREAT IDENTIFICATION:  VJW0RM / NANOCORE

SUBJECTS OBSERVED
Invoice Order #CHOO1UHA Attached

SENDERS OBSERVED
dr2th@pshift.com

MALDOC FILE HASHES
#CHOO1UHA.iso
d0ea5ecfd59f7704114a91e85a697103

Contains:
#CHOO1.js
fac61c5e8f3026c1a1b63c21423a2701

#CHOO2.js
4fc18805b5686d320a0ccdab8438ed7e

SAMPLE1 - Vjw0rm
================
MALDOC FILE HASH
#CHOO1.js
fac61c5e8f3026c1a1b63c21423a2701

PAYLOAD FILE HASH
There was no payload download - everything was accomplished with the .js file.

VJW0RM C2
http://tdeasy.duckdns.org:6128/Vre

POST TRAFFIC TO C2
POST /Vre HTTP/1.1
Accept: */*
Accept-Language: en-us
User-Agent: vjw0rm_5C7A2FEE\WIN7PC\analyst\Microsoft Windows 7 Home Premium \undefined\\YES\FALSE\
UA-CPU: AMD64
Accept-Encoding: gzip, deflate
Host: tdeasy.duckdns.org:6128
Content-Length: 0
Connection: Keep-Alive
Cache-Control: no-cache

SAMPLE2 - Nanocore
==================
PAYLOAD DOWNLOAD URL
http://13.78.209.105/E/nano6129.exe

AppData\Local\Temp
nano6129.exe
4c342f040ad8b94e4f814e1f62e488ed

C2 TRAFFIC
nanoboss.duckdns.org:6129
23.102.1.5:6129


OPEN DIRECTORY
http://13.78.209.105/E/ 

OpenDir contains:
Nanocore (multiple files)
DC Rat (ClientDC.exe)
Netwire (Host.exe)
AsyncRat (Async7842.exe)

SUPPORTING EVIDENCE
https://tria.ge/211029-ry9tgsabgp
https://urlhaus.abuse.ch/url/1726893/
https://urlhaus.abuse.ch/url/1726894/
https://urlhaus.abuse.ch/url/1726907/