Analysis

  • max time kernel
    45s
  • max time network
    90s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    28/03/2025, 10:15

General

  • Target

    ORDER_253890-5645FD.PDF.js

  • Size

    535KB

  • MD5

    930368ea6f7cd3ed52e3c11ce5a8b84b

  • SHA1

    14205534d961366b4b5650a0bd751366d40e812d

  • SHA256

    890ff9e6467fd6f448189cc6cf0e0f048d116b8fd289cacc6460215702b7b45e

  • SHA512

    5bc116514e447a9edb47c85aa70a2f900241e3920bd8bacf374c78ee6caaa46c4525b7077ca44a69790b21189d48ae74efdd7993db1d728d09c419706c7db629

  • SSDEEP

    3072:vMRy93zMk/wFRTiNy49mDvVHq07vg6fwTuP1c3TS:o82T8UJ7vg6fS0Se

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

March-25-5

C2

chongmei33.publicvm.com:2703

chongmei33.publicvm.com:7031

umarmira055.duckdns.org:2703

umarmira055.duckdns.org:7031

Mutex

AsyncMutex_6SI8OkPnk

Attributes
  • delay

    3

  • install

    true

  • install_file

    svchost.exe

  • install_folder

    %AppData%

aes.plain

Extracted

Family

wshrat

C2

http://chongmei33.myddns.rocks:7044

Signatures

  • AsyncRat

    AsyncRAT is a remote access tool written in C#, designed to remotely monitor and control other computers.

  • Asyncrat family
  • WSHRAT

    WSHRAT is a variant of Houdini worm and has vbs and js variants.

  • Wshrat family
  • Async RAT payload 1 IoCs
  • Blocklisted process makes network request 6 IoCs
  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
  • Command and Scripting Interpreter: JavaScript 1 TTPs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Delays execution with timeout.exe 1 IoCs
  • Modifies registry class 20 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Script User-Agent 6 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 50 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of WriteProcessMemory 33 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe C:\Users\Admin\AppData\Local\Temp\ORDER_253890-5645FD.PDF.js
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1932
    • C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\audiodg.js"
      2⤵
      • Drops startup file
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:2940
      • C:\Windows\System32\wscript.exe
        "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\audiodg.js"
        3⤵
        • Blocklisted process makes network request
        • Drops startup file
        • Adds Run key to start application
        PID:2140
    • C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\word.js"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2956
      • C:\Users\Admin\AppData\Local\Temp\Sgj.exe
        "C:\Users\Admin\AppData\Local\Temp\Sgj.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1452
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"' & exit
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:1516
          • C:\Windows\SysWOW64\schtasks.exe
            schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"'
            5⤵
            • System Location Discovery: System Language Discovery
            • Scheduled Task/Job: Scheduled Task
            PID:2992
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpAF43.tmp.bat""
          4⤵
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2556
          • C:\Windows\SysWOW64\timeout.exe
            timeout 3
            5⤵
            • System Location Discovery: System Language Discovery
            • Delays execution with timeout.exe
            PID:2548
          • C:\Users\Admin\AppData\Roaming\svchost.exe
            "C:\Users\Admin\AppData\Roaming\svchost.exe"
            5⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            PID:2328
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Modifies registry class
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:604
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:1348
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Modifies registry class
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:1864
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SendNotifyMessage
    PID:1536

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Sgj.exe

    Filesize

    45KB

    MD5

    ece45103465f781d48cdc41a19e7d9cc

    SHA1

    d7025037bdf2bfb09b3797443ae00d8dbddd4eb7

    SHA256

    bb6af8f4ac8ab6c14b159b578a5097ad5d7827751230595dd3b2a3c767f3d869

    SHA512

    4e14419240dbd8ebba468afddf48a70df9d6a55ceaa149eb5873d99aac32eb0aaa5e536791db88d0bdd908eeab6b89d8901687be868ff3b9b0a0b841333f6b15

  • C:\Users\Admin\AppData\Local\Temp\audiodg.js

    Filesize

    283KB

    MD5

    3ec7efca47f4105ce048b914d78e83d4

    SHA1

    33e942be440c609e005402bc33202aa6d6e77356

    SHA256

    82a498f04739913010ea3bd9b3137a686a5f8bdeb45e3a7d74613ce7e52f7885

    SHA512

    15ac7476f3bc9af427d30a0652b1d6618bae4076fdd59533754ebdb3234f89d2b9df893b715f7757e2e71eaf208b052d80bd707403e720b15e805c16c503eb32

  • C:\Users\Admin\AppData\Local\Temp\tmpAF43.tmp.bat

    Filesize

    151B

    MD5

    7c1eaac7876caa65aee10a7626d53ccf

    SHA1

    9227145f666d3551eb5aec34328a63e12ee4b9c8

    SHA256

    95185c19975cbfb3af5e1c4d2944787dd89be72fb84319dd3a81bb92317ab6bd

    SHA512

    c9bfeaeaa5b93c0a7e9a07b2127446691fad86b1e9067322fbb9ea8c75356bed22a570c61dd8d034b9891f9438cb2bc8b50fd512ed95f834ebf5888a4bc9f795

  • C:\Users\Admin\AppData\Local\Temp\word.js

    Filesize

    82KB

    MD5

    795dba1c09091b137e2450186b18a7d5

    SHA1

    313ce45b6aa0fd09fbf904178d214c9fe5096dd4

    SHA256

    0e780ba89b45b86e561d4dcfa1ed00f253cbc9e98e36b0d12ac89c438dfe9723

    SHA512

    e4096c66e13626bead3386294adf3c97464bc2e2f43bb37e65f200a0d16d4ceb5950ee5e4f05c8a6fb8ed5ca3ec4e3bc5b35ea271d212d172a040966a6946620

  • memory/604-35-0x0000000004690000-0x0000000004691000-memory.dmp

    Filesize

    4KB

  • memory/1452-20-0x00000000012A0000-0x00000000012B2000-memory.dmp

    Filesize

    72KB

  • memory/1864-63-0x0000000004CC0000-0x0000000004CC1000-memory.dmp

    Filesize

    4KB

  • memory/2328-33-0x0000000000940000-0x0000000000952000-memory.dmp

    Filesize

    72KB