asyncrat | 90be7f135593d0c2ca271a5e01a3c4c45f0c40540b88488409c0329bfa6b360c | Triage

Sharing

General

Target

02042025_0630_ORDER-695663-OO254318.js.iso
Size

624KB
Sample

250402-g9we5avqz8
MD5

a6a1e7a3d8e0c5ca3d8272f08ff5e757
SHA1

f8269d3809d01bf0341e715a5f624b071f135bcc
SHA256

90be7f135593d0c2ca271a5e01a3c4c45f0c40540b88488409c0329bfa6b360c
SHA512

17ce884826adf968f0ea5ea0bd1a24385da9d875ff8dded84bafb897abbdafa8502a2a9b144a9bd29e927cff5cf847e2bdfd5e5ff337c38a37f238d79dd1d105
SSDEEP

6144:LivcBxisYZEXRog9zS16WF37JUBfGSZDM:LNRYSCIzS0O3dUBVQ

Score

10^/10

asyncrat wshrat march-25-5 discovery execution persistence rat trojan

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

March-25-5

C2

chongmei33.publicvm.com:2703

chongmei33.publicvm.com:7031

umarmira055.duckdns.org:2703

umarmira055.duckdns.org:7031

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
true
install_file
svchost.exe
install_folder
%Temp%

aes.plain

Extracted

Family

wshrat

C2

http://chongmei33.myddns.rocks:7045

Targets

- Target
  
  ORDER-695663-OO254318.js
- Size
  
  563KB
- MD5
  
  cb870a9367b7dba2141abf3a067592ec
- SHA1
  
  223570f201a79c3412eeee0b0a2225ded3f4e198
- SHA256
  
  7bbb3b5cc257f954203a6ead2bb941b09666acff08275fd91648799b157ca122
- SHA512
  
  0734fbfb61aa814f1fff537729ee28da83f74d82a4f5ee2aab9c1c4dfa179124ac17ad8d254af0e0fa445faeac515bf542b17fe47565dfe3cf8db037479ce57d
- SSDEEP
  
  6144:1ivcBxisYZEXRog9zS16WF37JUBfGSZDMX:1NRYSCIzS0O3dUBVQX
Score

10^/10

asyncrat wshrat march-25-5 discovery execution persistence rat trojan
- AsyncRat
  AsyncRAT is designed to remotely monitor and control other computers written in C#.
  rat asyncrat
- Asyncrat family
  asyncrat
- WSHRAT
  WSHRAT is a variant of Houdini worm and has vbs and js variants.
  trojan wshrat
- Wshrat family
  wshrat
- Async RAT payload
  rat
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
  persistence
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

JavaScript

Scheduled Task/Job

Scheduled Task

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Scheduled Task

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

asyncratwshratmarch-25-5discoveryexecutionpersistencerattrojan