Analysis

  • max time kernel
    143s
  • max time network
    144s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    25/03/2025, 04:24

General

  • Target

    06c0c2bfc88f5e4b30de9b11c8c7995123d5366503a83c4fe45f6458164e4d43.js

  • Size

    7KB

  • MD5

    8016106a0f300b92e1228bc05c27bdd1

  • SHA1

    10035c10b4d8fe09868675540f59fa1432aa0ee0

  • SHA256

    06c0c2bfc88f5e4b30de9b11c8c7995123d5366503a83c4fe45f6458164e4d43

  • SHA512

    1625dc364ae65ecb3468823f51ceef4013e5cb938e073a08bff228c7a03a158868780455faac25788720ff43a27786d59cefdcddeb1cc9aa732a19cf9b061627

  • SSDEEP

    96:0SloqevS78QHjtM787Ljr7wetMkejf8QHjtMTpOcfObeqfOb/77XpGaq8QHjtMqH:kQ+tofSP6l4rF

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

March-25-3

C2

chongmei33.publicvm.com:2703

chongmei33.publicvm.com:7031

umarmira055.duckdns.org:2703

umarmira055.duckdns.org:7031

Mutex

AsyncMutex_6SI8OkPnk

Attributes
  • delay

    3

  • install

    true

  • install_file

    svchost.exe

  • install_folder

    %AppData%

aes.plain

Signatures

  • AsyncRat

    AsyncRAT, written in C#, is designed to remotely monitor and control other computers.

  • Asyncrat family
  • WSHRAT

    WSHRAT is a variant of the Houdini worm and has VBS and JS variants.

  • Wshrat family
  • Async RAT payload 1 IoCs
  • Blocklisted process makes network request 2 IoCs
  • Drops startup file 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
  • Command and Scripting Interpreter: JavaScript 1 TTPs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Delays execution with timeout.exe 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Script User-Agent 1 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 36 IoCs

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe C:\Users\Admin\AppData\Local\Temp\06c0c2bfc88f5e4b30de9b11c8c7995123d5366503a83c4fe45f6458164e4d43.js
    1⤵
    • Blocklisted process makes network request
    • Suspicious use of WriteProcessMemory
    PID:2104
    • C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ZOYZSE.js"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2016
      • C:\Windows\System32\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\audiodg.js"
        3⤵
        • Drops startup file
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:2704
        • C:\Windows\System32\wscript.exe
          "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
          4⤵
          • Blocklisted process makes network request
          • Drops startup file
          • Adds Run key to start application
          PID:2752
      • C:\Windows\System32\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\word.js"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2856
        • C:\Users\Admin\AppData\Local\Temp\voau.exe
          "C:\Users\Admin\AppData\Local\Temp\voau.exe"
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2792
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"' & exit
            5⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2768
            • C:\Windows\SysWOW64\schtasks.exe
              schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"'
              6⤵
              • System Location Discovery: System Language Discovery
              • Scheduled Task/Job: Scheduled Task
              PID:1740
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpDB13.tmp.bat""
            5⤵
            • Loads dropped DLL
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2680
            • C:\Windows\SysWOW64\timeout.exe
              timeout 3
              6⤵
              • System Location Discovery: System Language Discovery
              • Delays execution with timeout.exe
              PID:2208
            • C:\Users\Admin\AppData\Roaming\svchost.exe
              "C:\Users\Admin\AppData\Roaming\svchost.exe"
              6⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              PID:2904

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\ZOYZSE.js

    Filesize

    3.6MB

    MD5

    f1de7f0470e2222ec15f723328552060

    SHA1

    b91f0dd237e42c86ff2dc9e0703f2c28fc883cc0

    SHA256

    91b1a960d4812961796fbaf4b68877d0572690c8c61077a6136e5d3353e15322

    SHA512

    7f8ab3e7fc45d1e6af8d97b659d57ef8dbbdbe0520b431bc74d7e863c7fb616bbfacf32b95d8bb3d1e5a3f8a189c4e3cb99fa1244cdd0ba9132c3a9a9275dece

  • C:\Users\Admin\AppData\Local\Temp\audiodg.js

    Filesize

    262KB

    MD5

    8e0fdb9701abffda2a79eaeddb1c1427

    SHA1

    5b5b6cea3cf292164ebdf876e51b60ba5693b1eb

    SHA256

    5c0cf9e91145d26bbdfc0139cd76e1f8c4d2871870bd990caa15b1d812f1b0ca

    SHA512

    caca005e62bb300a5b283e6b6e77c49c69df9e0a05a63bfb91a3110d670d06deedcaf23f5842444e1c889cff6ad46baf802ebac1f5f2d23075c1b096ff1f604e

  • C:\Users\Admin\AppData\Local\Temp\tmpDB13.tmp.bat

    Filesize

    151B

    MD5

    fd68182680dd2041522311e8fdd7b5bd

    SHA1

    35b418594b725541d65f00fc121a3788c1d91cac

    SHA256

    1e7c6d89f2ba1d2f18e6b390b36459c2b89eb2fdaba65e92f62f75a4075b1d3f

    SHA512

    3ff9555ad4bfc91a6ab6531a109b9961c9b702b7fe3db46168928109334acf6043444f3d48eed0316999cdeeb80185aaaebb1719ca211b8c973bb366b3e381cb

  • C:\Users\Admin\AppData\Local\Temp\voau.exe

    Filesize

    187KB

    MD5

    47d0cafc6e4b4d441bdc69eee3412b03

    SHA1

    437215d662e966b7856892124e2ba9c29f00f847

    SHA256

    0c529b0a3dd07b3ff191fe79f7381ff145987dba1b0ff5a61c0ef2f23e3bcc81

    SHA512

    47845fe65dcea889a4bf42f0fb0bfcdda5279a5c65707141c81088ca494f6151f40b03bae7cc731625b715bfc09787ae3c45c7788a37c95167e66ae4346d2e0b

  • C:\Users\Admin\AppData\Local\Temp\word.js

    Filesize

    2.4MB

    MD5

    5b2373801f840f7664798ce88d0d6769

    SHA1

    d603836aea5d5ccfea8c2c1868245a4195fa0e0e

    SHA256

    0853c14e5b450f4eeae8e1ac00a84b4fafa7ec84753e23c48e8febd7622eed1d

    SHA512

    16d7c4fa086219ff3360cf292233a64a86a14bf5656bf845c3d914bfd215598024c1dde21fda7089e02ea50bfd17fb5f157dd17aaa85d12491f6a555d918facf

  • memory/2792-27-0x0000000000020000-0x0000000000033000-memory.dmp

    Filesize

    76KB

  • memory/2792-26-0x0000000000020000-0x0000000000033000-memory.dmp

    Filesize

    76KB

  • memory/2792-28-0x0000000000550000-0x0000000000562000-memory.dmp

    Filesize

    72KB

  • memory/2792-38-0x0000000001040000-0x0000000001075000-memory.dmp

    Filesize

    212KB

  • memory/2904-46-0x0000000000170000-0x00000000001A5000-memory.dmp

    Filesize

    212KB