asyncrat | 06c0c2bfc88f5e4b30de9b11c8c7995123d5366503a83c4fe45f6458164e4d43

General

Target

06c0c2bfc88f5e4b30de9b11c8c7995123d5366503a83c4fe45f6458164e4d43.js
Size

7KB
MD5

8016106a0f300b92e1228bc05c27bdd1
SHA1

10035c10b4d8fe09868675540f59fa1432aa0ee0
SHA256

06c0c2bfc88f5e4b30de9b11c8c7995123d5366503a83c4fe45f6458164e4d43
SHA512

1625dc364ae65ecb3468823f51ceef4013e5cb938e073a08bff228c7a03a158868780455faac25788720ff43a27786d59cefdcddeb1cc9aa732a19cf9b061627
SSDEEP

96:0SloqevS78QHjtM787Ljr7wetMkejf8QHjtMTpOcfObeqfOb/77XpGaq8QHjtMqH:kQ+tofSP6l4rF

Score

10^/10

asyncrat wshrat march-25-3 discovery execution persistence rat trojan

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

March-25-3

C2

chongmei33.publicvm.com:2703

chongmei33.publicvm.com:7031

umarmira055.duckdns.org:2703

umarmira055.duckdns.org:7031

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
true
install_file
svchost.exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat
WSHRAT
WSHRAT is a variant of Houdini worm and has vbs and js variants.
trojan wshrat
Wshrat family
wshrat

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral2/memory/5156-28-0x0000000003180000-0x0000000003192000-memory.dmp	family_asyncrat

Blocklisted process makes network request 2 IoCs

flow	pid	Process
1	3300	wscript.exe
32	1252	wscript.exe

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	voau.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiodg.js	WScript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\audiodg.js	wscript.exe

Executes dropped EXE 2 IoCs

pid	Process
5156	voau.exe
856	svchost.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\audiodg.js\""	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\audiodg.js\""	WScript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\audiodg.js\""	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\audiodg.js\""	wscript.exe

Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	voau.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe

Delays execution with timeout.exe 1 IoCs

defense_evasion

pid	Process
1644	timeout.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000_Classes\Local Settings	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000_Classes\Local Settings	wscript.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
5516	schtasks.exe

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	32	WSHRAT\|AAF9C3A7\|ELDOIJJI\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 25/3/2025\|JavaScript

Suspicious behavior: EnumeratesProcesses 23 IoCs

pid	Process
5156	voau.exe
5156	voau.exe
5156	voau.exe
5156	voau.exe
5156	voau.exe
5156	voau.exe
5156	voau.exe
5156	voau.exe
5156	voau.exe
5156	voau.exe
5156	voau.exe
5156	voau.exe
5156	voau.exe
5156	voau.exe
5156	voau.exe
5156	voau.exe
5156	voau.exe
5156	voau.exe
5156	voau.exe
5156	voau.exe
5156	voau.exe
5156	voau.exe
5156	voau.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	5156	voau.exe
Token: SeDebugPrivilege	856	svchost.exe

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 3300 wrote to memory of 1960	3300	wscript.exe	98
PID 3300 wrote to memory of 1960	3300	wscript.exe	98
PID 1960 wrote to memory of 5376	1960	WScript.exe	99
PID 1960 wrote to memory of 5376	1960	WScript.exe	99
PID 1960 wrote to memory of 4028	1960	WScript.exe	100
PID 1960 wrote to memory of 4028	1960	WScript.exe	100
PID 5376 wrote to memory of 1252	5376	WScript.exe	101
PID 5376 wrote to memory of 1252	5376	WScript.exe	101
PID 4028 wrote to memory of 5156	4028	WScript.exe	102
PID 4028 wrote to memory of 5156	4028	WScript.exe	102
PID 4028 wrote to memory of 5156	4028	WScript.exe	102
PID 5156 wrote to memory of 5176	5156	voau.exe	103
PID 5156 wrote to memory of 5176	5156	voau.exe	103
PID 5156 wrote to memory of 5176	5156	voau.exe	103
PID 5156 wrote to memory of 4316	5156	voau.exe	105
PID 5156 wrote to memory of 4316	5156	voau.exe	105
PID 5156 wrote to memory of 4316	5156	voau.exe	105
PID 5176 wrote to memory of 5516	5176	cmd.exe	107
PID 5176 wrote to memory of 5516	5176	cmd.exe	107
PID 5176 wrote to memory of 5516	5176	cmd.exe	107
PID 4316 wrote to memory of 1644	4316	cmd.exe	108
PID 4316 wrote to memory of 1644	4316	cmd.exe	108
PID 4316 wrote to memory of 1644	4316	cmd.exe	108
PID 4316 wrote to memory of 856	4316	cmd.exe	113
PID 4316 wrote to memory of 856	4316	cmd.exe	113
PID 4316 wrote to memory of 856	4316	cmd.exe	113

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\06c0c2bfc88f5e4b30de9b11c8c7995123d5366503a83c4fe45f6458164e4d43.js
1⤵
- Blocklisted process makes network request
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3300
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ZOYZSE.js"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1960
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\audiodg.js"
    3⤵
    - Checks computer location settings
    - Drops startup file
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:5376
  - - C:\Windows\System32\wscript.exe
      "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
      4⤵
      Blocklisted process makes network request
      Drops startup file
      Adds Run key to start application
      PID:1252
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\word.js"
    3⤵
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    PID:4028
  - - C:\Users\Admin\AppData\Local\Temp\voau.exe
      "C:\Users\Admin\AppData\Local\Temp\voau.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:5156
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"' & exit
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:5176
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"'
        6⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:5516
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp3C29.tmp.bat""
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4316
      - C:\Windows\SysWOW64\timeout.exe
        
        timeout 3
        6⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:1644
      - C:\Users\Admin\AppData\Roaming\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\svchost.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:856

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

JavaScript

1

T1059.007

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ZOYZSE.js

Filesize
3.6MB

MD5
f1de7f0470e2222ec15f723328552060

SHA1
b91f0dd237e42c86ff2dc9e0703f2c28fc883cc0

SHA256
91b1a960d4812961796fbaf4b68877d0572690c8c61077a6136e5d3353e15322

SHA512
7f8ab3e7fc45d1e6af8d97b659d57ef8dbbdbe0520b431bc74d7e863c7fb616bbfacf32b95d8bb3d1e5a3f8a189c4e3cb99fa1244cdd0ba9132c3a9a9275dece

Download Submit
C:\Users\Admin\AppData\Local\Temp\audiodg.js

Filesize
262KB

MD5
8e0fdb9701abffda2a79eaeddb1c1427

SHA1
5b5b6cea3cf292164ebdf876e51b60ba5693b1eb

SHA256
5c0cf9e91145d26bbdfc0139cd76e1f8c4d2871870bd990caa15b1d812f1b0ca

SHA512
caca005e62bb300a5b283e6b6e77c49c69df9e0a05a63bfb91a3110d670d06deedcaf23f5842444e1c889cff6ad46baf802ebac1f5f2d23075c1b096ff1f604e

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp3C29.tmp.bat

Filesize
151B

MD5
bd2d7c42d26dd44744ca185dd9acc385

SHA1
055a1f83f8702934d955f5007e534019a0bf98f6

SHA256
47ab85594f91da25844b35d4bed4ca53c4901bc1872123312428d8223cb70491

SHA512
7c2c0af57bd4b06aed1830a1a978d63c1846173687a3da6257ab1502e910e634263cfff8d004de8f24ebe68e9cf006b32e1fff94d3ac3c83170e011c41d58b0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\voau.exe

Filesize
187KB

MD5
47d0cafc6e4b4d441bdc69eee3412b03

SHA1
437215d662e966b7856892124e2ba9c29f00f847

SHA256
0c529b0a3dd07b3ff191fe79f7381ff145987dba1b0ff5a61c0ef2f23e3bcc81

SHA512
47845fe65dcea889a4bf42f0fb0bfcdda5279a5c65707141c81088ca494f6151f40b03bae7cc731625b715bfc09787ae3c45c7788a37c95167e66ae4346d2e0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\word.js

Filesize
2.4MB

MD5
5b2373801f840f7664798ce88d0d6769

SHA1
d603836aea5d5ccfea8c2c1868245a4195fa0e0e

SHA256
0853c14e5b450f4eeae8e1ac00a84b4fafa7ec84753e23c48e8febd7622eed1d

SHA512
16d7c4fa086219ff3360cf292233a64a86a14bf5656bf845c3d914bfd215598024c1dde21fda7089e02ea50bfd17fb5f157dd17aaa85d12491f6a555d918facf

Download Submit
memory/856-42-0x0000000006FB0000-0x0000000007554000-memory.dmp

Filesize
5.6MB

Download
memory/856-43-0x0000000006650000-0x00000000066B6000-memory.dmp

Filesize
408KB

Download
memory/856-44-0x0000000000D00000-0x0000000000D35000-memory.dmp

Filesize
212KB

Download
memory/5156-27-0x0000000000A70000-0x0000000000A83000-memory.dmp

Filesize
76KB

Download
memory/5156-28-0x0000000003180000-0x0000000003192000-memory.dmp

Filesize
72KB

Download
memory/5156-29-0x0000000005A50000-0x0000000005AEC000-memory.dmp

Filesize
624KB

Download
memory/5156-34-0x00000000009F0000-0x0000000000A25000-memory.dmp

Filesize
212KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads