asyncrat | 5e543b70f37c0851efd3d0883c82428c961164ed0d02c2a8ab024da7861ea802

General

Target

ORDER_25320_7587-86548.js
Size

563KB
MD5

ab0dac9d1b9b83383dbc5d469d5fa1ae
SHA1

b15b24f82ef0a07fce5b7c2735d8a8b46b547287
SHA256

398e3d3d2ad8e2e91693c1682780d2352ebe962b67547af5c20735ae97ea94a9
SHA512

66829799b8233f142aa1420f1e2dd4dfbdc3f2417279b12481d87612a0d97add61d819e58c369818ac201a4ba568e92d5fcd4b9ce17fb68332eeb5718f2f72fc
SSDEEP

3072:MCAFTI3Ws7WZ4hRPhts7YRw7Xx5FzNM6x/P0UHD2yQ/ry:MCAFs3F7WZIhe7nbDIxu

Score

10^/10

asyncrat wshrat march-25 discovery execution persistence rat trojan

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

March-25

C2

chongmei33.publicvm.com:2703

chongmei33.publicvm.com:7031

umarmira055.duckdns.org:2703

umarmira055.duckdns.org:7031

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
true
install_file
WindowsUpdate.exe
install_folder
%Temp%

aes.plain

Extracted

Family

wshrat

C2

http://chongmei33.myddns.rocks:7044

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat
WSHRAT
WSHRAT is a variant of Houdini worm and has vbs and js variants.
trojan wshrat
Wshrat family
wshrat

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral2/files/0x0007000000024268-15.dat	family_asyncrat

Blocklisted process makes network request 25 IoCs

flow	pid	Process
2	3704	wscript.exe
25	3704	wscript.exe
26	3704	wscript.exe
27	3704	wscript.exe
32	3704	wscript.exe
44	3704	wscript.exe
46	3704	wscript.exe
47	3704	wscript.exe
48	3704	wscript.exe
49	3704	wscript.exe
50	3704	wscript.exe
57	3704	wscript.exe
58	3704	wscript.exe
59	3704	wscript.exe
60	3704	wscript.exe
64	3704	wscript.exe
65	3704	wscript.exe
69	3704	wscript.exe
70	3704	wscript.exe
71	3704	wscript.exe
72	3704	wscript.exe
73	3704	wscript.exe
74	3704	wscript.exe
75	3704	wscript.exe
76	3704	wscript.exe

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	RDo.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\adobe.js	WScript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\adobe.js	wscript.exe

Executes dropped EXE 2 IoCs

pid	Process
4104	RDo.exe
4796	WindowsUpdate.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\adobe = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\adobe.js\""	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\adobe = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\adobe.js\""	WScript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\adobe = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\adobe.js\""	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\adobe = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\adobe.js\""	wscript.exe

Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RDo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WindowsUpdate.exe

Delays execution with timeout.exe 1 IoCs

defense_evasion

pid	Process
5648	timeout.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000_Classes\Local Settings	wscript.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
440	schtasks.exe

Script User-Agent 25 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	25	WSHRAT\|BC96689D\|OGKBCMNR\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 19/3/2025\|JavaScript
HTTP User-Agent header	69	WSHRAT\|BC96689D\|OGKBCMNR\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 19/3/2025\|JavaScript
HTTP User-Agent header	74	WSHRAT\|BC96689D\|OGKBCMNR\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 19/3/2025\|JavaScript
HTTP User-Agent header	76	WSHRAT\|BC96689D\|OGKBCMNR\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 19/3/2025\|JavaScript
HTTP User-Agent header	32	WSHRAT\|BC96689D\|OGKBCMNR\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 19/3/2025\|JavaScript
HTTP User-Agent header	44	WSHRAT\|BC96689D\|OGKBCMNR\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 19/3/2025\|JavaScript
HTTP User-Agent header	46	WSHRAT\|BC96689D\|OGKBCMNR\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 19/3/2025\|JavaScript
HTTP User-Agent header	47	WSHRAT\|BC96689D\|OGKBCMNR\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 19/3/2025\|JavaScript
HTTP User-Agent header	58	WSHRAT\|BC96689D\|OGKBCMNR\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 19/3/2025\|JavaScript
HTTP User-Agent header	59	WSHRAT\|BC96689D\|OGKBCMNR\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 19/3/2025\|JavaScript
HTTP User-Agent header	73	WSHRAT\|BC96689D\|OGKBCMNR\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 19/3/2025\|JavaScript
HTTP User-Agent header	75	WSHRAT\|BC96689D\|OGKBCMNR\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 19/3/2025\|JavaScript
HTTP User-Agent header	26	WSHRAT\|BC96689D\|OGKBCMNR\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 19/3/2025\|JavaScript
HTTP User-Agent header	27	WSHRAT\|BC96689D\|OGKBCMNR\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 19/3/2025\|JavaScript
HTTP User-Agent header	48	WSHRAT\|BC96689D\|OGKBCMNR\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 19/3/2025\|JavaScript
HTTP User-Agent header	49	WSHRAT\|BC96689D\|OGKBCMNR\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 19/3/2025\|JavaScript
HTTP User-Agent header	50	WSHRAT\|BC96689D\|OGKBCMNR\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 19/3/2025\|JavaScript
HTTP User-Agent header	57	WSHRAT\|BC96689D\|OGKBCMNR\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 19/3/2025\|JavaScript
HTTP User-Agent header	64	WSHRAT\|BC96689D\|OGKBCMNR\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 19/3/2025\|JavaScript
HTTP User-Agent header	71	WSHRAT\|BC96689D\|OGKBCMNR\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 19/3/2025\|JavaScript
HTTP User-Agent header	2	WSHRAT\|BC96689D\|OGKBCMNR\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 19/3/2025\|JavaScript
HTTP User-Agent header	60	WSHRAT\|BC96689D\|OGKBCMNR\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 19/3/2025\|JavaScript
HTTP User-Agent header	65	WSHRAT\|BC96689D\|OGKBCMNR\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 19/3/2025\|JavaScript
HTTP User-Agent header	70	WSHRAT\|BC96689D\|OGKBCMNR\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 19/3/2025\|JavaScript
HTTP User-Agent header	72	WSHRAT\|BC96689D\|OGKBCMNR\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 19/3/2025\|JavaScript

Suspicious behavior: EnumeratesProcesses 21 IoCs

pid	Process
4104	RDo.exe
4104	RDo.exe
4104	RDo.exe
4104	RDo.exe
4104	RDo.exe
4104	RDo.exe
4104	RDo.exe
4104	RDo.exe
4104	RDo.exe
4104	RDo.exe
4104	RDo.exe
4104	RDo.exe
4104	RDo.exe
4104	RDo.exe
4104	RDo.exe
4104	RDo.exe
4104	RDo.exe
4104	RDo.exe
4104	RDo.exe
4104	RDo.exe
4104	RDo.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4104	RDo.exe
Token: SeDebugPrivilege	4796	WindowsUpdate.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2872 wrote to memory of 4548	2872	wscript.exe	85
PID 2872 wrote to memory of 4548	2872	wscript.exe	85
PID 2872 wrote to memory of 2668	2872	wscript.exe	86
PID 2872 wrote to memory of 2668	2872	wscript.exe	86
PID 4548 wrote to memory of 3704	4548	WScript.exe	87
PID 4548 wrote to memory of 3704	4548	WScript.exe	87
PID 2668 wrote to memory of 4104	2668	WScript.exe	88
PID 2668 wrote to memory of 4104	2668	WScript.exe	88
PID 2668 wrote to memory of 4104	2668	WScript.exe	88
PID 4104 wrote to memory of 4608	4104	RDo.exe	93
PID 4104 wrote to memory of 4608	4104	RDo.exe	93
PID 4104 wrote to memory of 4608	4104	RDo.exe	93
PID 4104 wrote to memory of 4700	4104	RDo.exe	95
PID 4104 wrote to memory of 4700	4104	RDo.exe	95
PID 4104 wrote to memory of 4700	4104	RDo.exe	95
PID 4608 wrote to memory of 440	4608	cmd.exe	97
PID 4608 wrote to memory of 440	4608	cmd.exe	97
PID 4608 wrote to memory of 440	4608	cmd.exe	97
PID 4700 wrote to memory of 5648	4700	cmd.exe	98
PID 4700 wrote to memory of 5648	4700	cmd.exe	98
PID 4700 wrote to memory of 5648	4700	cmd.exe	98
PID 4700 wrote to memory of 4796	4700	cmd.exe	99
PID 4700 wrote to memory of 4796	4700	cmd.exe	99
PID 4700 wrote to memory of 4796	4700	cmd.exe	99

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\ORDER_25320_7587-86548.js
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2872
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\adobe.js"
  2⤵
  - Checks computer location settings
  - Drops startup file
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4548
- - C:\Windows\System32\wscript.exe
    "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\adobe.js"
    3⤵
    - Blocklisted process makes network request
    - Drops startup file
    - Adds Run key to start application
    PID:3704
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\word.js"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:2668
- - C:\Users\Admin\AppData\Local\Temp\RDo.exe
    "C:\Users\Admin\AppData\Local\Temp\RDo.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4104
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "WindowsUpdate" /tr '"C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe"' & exit
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4608
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "WindowsUpdate" /tr '"C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe"'
        5⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:440
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp5573.tmp.bat""
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4700
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout 3
        5⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:5648
    - - C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:4796

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

JavaScript

1

T1059.007

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RDo.exe

Filesize
45KB

MD5
7e54eec2d10957178e6410ba1c899c21

SHA1
9f79b7ef7b24933b0b106a387fbf5834863dbc78

SHA256
d7d374d650d362b4a859f526189cda7ecdef9b0ee60267a1c65c3a9e1bcfd0f8

SHA512
e7cec2a67334c72e6476adb53bcb6de575f7c9513a49f0be7a7f6fb00b23ac070335b734631f024c411293cb09d0faa89bf7017837d65f5188884eabf853dd17

Download Submit
C:\Users\Admin\AppData\Local\Temp\adobe.js

Filesize
305KB

MD5
294f1f4ee9bd1a410379ccc7430c7a69

SHA1
02436fc31c5fa37c3735dcff0f450c20e302e7a2

SHA256
f0cc3f5f26302ba2cd290d11052a42b4adc5401b953439d49723b666ac100187

SHA512
8a87e29348ef3bd4c1847a65ef9ffabedba4f51504512819df396123d90e7bf8e1b3e7edb1e4e33419a8d309e47cbaa2f7c3a9f387f6d987cedc4e048d479abd

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp5573.tmp.bat

Filesize
160B

MD5
9792c5575e819d65f478b79a951e7f79

SHA1
47d7a9042c9443370e5b675c70421ce793018757

SHA256
0e128660f15455668479ffb42a99b2e5ca8fd0372b5ec7ee3538655384c72888

SHA512
8bcee871735b861b9e4c86c370fbf1b419886b4504c39a5285f10270ce81f7f51fb4009b1f3eb54d075313a88c99b76fc8764f678cfd8ec224aae52341075d4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\word.js

Filesize
82KB

MD5
33d6e875441823e698ea8b8c4739dfd4

SHA1
a446695785e38522c923a5340e43c236ac332616

SHA256
32e6e9765b2e1e18699fdcc2817137b22f893457e2a10ae3f66081dd58f811ce

SHA512
633a462dba83497be30c969c1c637f144e1ff2bc741687326a53604bce93dd80af12acb49e546942978a2e629d6811b8612cd1362af5d41921ddae59b38977d2

Download Submit
memory/4104-25-0x0000000000910000-0x0000000000922000-memory.dmp

Filesize
72KB

Download
memory/4104-26-0x0000000005210000-0x00000000052AC000-memory.dmp

Filesize
624KB

Download
memory/4796-36-0x0000000005C90000-0x0000000006234000-memory.dmp

Filesize
5.6MB

Download
memory/4796-37-0x0000000005750000-0x00000000057B6000-memory.dmp

Filesize
408KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads