File name:	Payment-proof-270966-867AS.js
Full analysis:	https://app.any.run/tasks/f7d38077-fc62-4371-a58d-303a95fb1694
Verdict:	Malicious activity
Threats:	AsyncRAT is a RAT that can monitor and remotely control infected systems. This malware was introduced on Github as a legitimate open-source remote administration software, but hackers use it for its many powerful malicious functions. Remote access trojans (RATs) are a type of malware that enables attackers to establish complete to partial control over infected computers. Such malicious programs often have a modular design, offering a wide range of functionalities for conducting illicit activities on compromised systems. Some of the most common features of RATs include access to the users’ data, webcam, and keystrokes. This malware is often distributed through phishing emails and links. WSHRAT is a Remote Access Trojan — a malware that allows the attackers to take over the infected machines. The RAT has been in circulation since 2013 and it is arguably most notable for the numerous versions released into the wild. Malware Trends Tracker >>>
Analysis date:	May 21, 2025, 07:56:29
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	wshrat remote rat auto-startup asyncrat auto-reg netreactor
Indicators:
MIME:	text/plain
File info:	ASCII text, with very long lines (64342), with CRLF line terminators
MD5:	593A0880D28A1EF789797DE643A6D8A1
SHA1:	032897DCA15C145D7DC7D61B25DCA3B0A4C33080
SHA256:	4E70248F724F506EAE27284720B02F5DBA15FBBA54074C11AC32790DCC85C2A1
SSDEEP:	24576:8EL6Cpnun5uawwM3jpgod99DOnsOHxecBI:V6vn5EwK99ShXS


(PID) Process:	(7424) wscript.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.js\OpenWithProgids
Operation:	write	Name:	JSFile
Value:
(PID) Process:	(7424) wscript.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows Script\Settings\Telemetry\wscript.exe
Operation:	write	Name:	JScriptSetScriptStateStarted
Value: 90C3100000000000
(PID) Process:	(7476) wscript.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:	write	Name:	adobe
Value: wscript.exe //B "C:\Users\admin\AppData\Roaming\adobe.js"
(PID) Process:	(7592) wscript.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:	write	Name:	adobe
Value: wscript.exe //B "C:\Users\admin\AppData\Roaming\adobe.js"
(PID) Process:	(7944) wscript.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:	write	Name:	adobe
Value: wscript.exe //B "C:\Users\admin\AppData\Roaming\adobe.js"
(PID) Process:	(8008) wscript.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:	write	Name:	adobe
Value: wscript.exe //B "C:\Users\admin\AppData\Roaming\adobe.js"
(PID) Process:	(7872) audiodg.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:	write	Name:	svchost
Value: "C:\Users\admin\AppData\Roaming\svchost.exe"

PID	Process	Filename		Type
7476	wscript.exe	C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\adobe.js		text
		MD5:C3903DFF6A72D119EB6C6B9F451625E5	SHA256:4451E476918C8B6D02F2F4CB00548B55EB184256A3D96A3E243484273FDF65E0
7424	wscript.exe	C:\Users\admin\AppData\Local\Temp\svchost.js		text
		MD5:E75942EDB244EF2D3423911739A267E1	SHA256:A61962F133FB658836523727124031A73A2D11A3ED20E67E39017E208EC04A9D
7424	wscript.exe	C:\Users\admin\AppData\Local\Temp\adobe.js		text
		MD5:C3903DFF6A72D119EB6C6B9F451625E5	SHA256:4451E476918C8B6D02F2F4CB00548B55EB184256A3D96A3E243484273FDF65E0
7476	wscript.exe	C:\Users\admin\AppData\Roaming\adobe.js		text
		MD5:C3903DFF6A72D119EB6C6B9F451625E5	SHA256:4451E476918C8B6D02F2F4CB00548B55EB184256A3D96A3E243484273FDF65E0
7504	wscript.exe	C:\Users\admin\AppData\Local\Temp\audiodg.exe		executable
		MD5:58CE634EAD9737C3F90990F27D7B46A1	SHA256:56E94A95C329C4961505F0AD7EA8567502DB6F9611ECD268E33951A2FC56CB81
7872	audiodg.exe	C:\Users\admin\AppData\Local\Temp\tmp1922.tmp.bat		text
		MD5:6794EB37FBD715BC9B8EE37A1EC44960	SHA256:AC8EBE5028E186208EA0E081E30F0D7340CD61E90CF1937AFC08C504D1CC669A
7872	audiodg.exe	C:\Users\admin\AppData\Roaming\svchost.exe		executable
		MD5:58CE634EAD9737C3F90990F27D7B46A1	SHA256:56E94A95C329C4961505F0AD7EA8567502DB6F9611ECD268E33951A2FC56CB81

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
7592	wscript.exe	POST	502	172.94.13.184:6144	http://riches20.freeddns.org:6144/is-ready	unknown	—	—	unknown
7592	wscript.exe	POST	502	172.94.13.184:6144	http://riches20.freeddns.org:6144/is-ready	unknown	—	—	unknown
7592	wscript.exe	POST	502	172.94.13.184:6144	http://riches20.freeddns.org:6144/is-ready	unknown	—	—	unknown
8008	wscript.exe	POST	502	172.94.13.184:6144	http://riches20.freeddns.org:6144/is-ready	unknown	—	—	unknown
4980	SIHClient.exe	GET	200	23.35.229.160:80	http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl	unknown	—	—	whitelisted
4980	SIHClient.exe	GET	200	23.35.229.160:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl	unknown	—	—	whitelisted
7592	wscript.exe	POST	502	172.94.13.184:6144	http://riches20.freeddns.org:6144/is-ready	unknown	—	—	unknown
4980	SIHClient.exe	GET	200	23.216.77.6:80	http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl	unknown	—	—	whitelisted
8008	wscript.exe	POST	502	172.94.13.184:6144	http://riches20.freeddns.org:6144/is-ready	unknown	—	—	unknown
4980	SIHClient.exe	GET	200	23.216.77.6:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted

PID	Process	IP	Domain	ASN	CN	Reputation
—	—	192.168.100.255:137	—	—	—	whitelisted
—	—	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
3216	svchost.exe	172.211.123.249:443	client.wns.windows.com	MICROSOFT-CORP-MSN-AS-BLOCK	FR	whitelisted
7592	wscript.exe	172.94.13.184:6144	riches20.freeddns.org	Voxility LLP	DE	malicious
8008	wscript.exe	172.94.13.184:6144	riches20.freeddns.org	Voxility LLP	DE	malicious
4980	SIHClient.exe	20.109.210.53:443	slscr.update.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
4980	SIHClient.exe	23.216.77.6:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
4980	SIHClient.exe	23.35.229.160:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted
4980	SIHClient.exe	13.85.23.206:443	fe3cr.delivery.mp.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted

Domain	IP	Reputation
settings-win.data.microsoft.com	51.124.78.146	whitelisted
google.com	142.250.181.238	whitelisted
client.wns.windows.com	172.211.123.249 172.211.123.248	whitelisted
riches20.freeddns.org	172.94.13.184	malicious
slscr.update.microsoft.com	20.109.210.53	whitelisted
crl.microsoft.com	23.216.77.6 23.216.77.28	whitelisted
www.microsoft.com	23.35.229.160	whitelisted
fe3cr.delivery.mp.microsoft.com	13.85.23.206	whitelisted
riches20.kozow.com	172.94.13.184	malicious
activation-v2.sls.microsoft.com	52.161.91.37	whitelisted

PID	Process	Class	Message
2196	svchost.exe	Potentially Bad Traffic	ET DYN_DNS DYNAMIC_DNS Query to a *.freeddns .org Domain
7592	wscript.exe	Potentially Bad Traffic	ET DYN_DNS DYNAMIC_DNS HTTP Request to a *.freeddns .org Domain
7592	wscript.exe	Malware Command and Control Activity Detected	ET MALWARE WSHRAT CnC Checkin
7592	wscript.exe	Malware Command and Control Activity Detected	ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1
7592	wscript.exe	Potentially Bad Traffic	ET DYN_DNS DYNAMIC_DNS HTTP Request to a *.freeddns .org Domain
7592	wscript.exe	Malware Command and Control Activity Detected	ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1
7592	wscript.exe	Malware Command and Control Activity Detected	ET MALWARE WSHRAT CnC Checkin
7592	wscript.exe	Potentially Bad Traffic	ET DYN_DNS DYNAMIC_DNS HTTP Request to a *.freeddns .org Domain
7592	wscript.exe	Malware Command and Control Activity Detected	ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1
7592	wscript.exe	Malware Command and Control Activity Detected	ET MALWARE WSHRAT CnC Checkin

General Info

Payment-proof-270966-867AS.js

593A0880D28A1EF789797DE643A6D8A1

032897DCA15C145D7DC7D61B25DCA3B0A4C33080

4E70248F724F506EAE27284720B02F5DBA15FBBA54074C11AC32790DCC85C2A1

24576:8EL6Cpnun5uawwM3jpgod99DOnsOHxecBI:V6vn5EwK99ShXS

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Gets path to any of the special folders (SCRIPT)

Uses base64 encoding (SCRIPT)

Gets %appdata% folder path (SCRIPT)

Checks whether a specified folder exists (SCRIPT)

Accesses environment variables (SCRIPT)

Reads the value of a key from the registry (SCRIPT)

Creates a new registry key or changes the value of an existing one (SCRIPT)

Gets startup folder path (SCRIPT)

Detects the decoding of a binary file from Base64 (SCRIPT)

Modifies registry startup key (SCRIPT)

Create files in the Startup directory

Gets a file object corresponding to the file in a specified path (SCRIPT)

Executing a file with an untrusted certificate

Copies file to a new location (SCRIPT)

Creates internet connection object (SCRIPT)

Opens a text file (SCRIPT)

Opens an HTTP connection (SCRIPT)

Gets username (SCRIPT)

Accesses information about the status of the installed antivirus(Win32_AntivirusProduct) via WMI (SCRIPT)

Sends HTTP request (SCRIPT)

Connects to the CnC server

Uses sleep, probably for evasion detection (SCRIPT)

WSHRAT has been detected (SURICATA)

ASYNCRAT has been detected (MUTEX)

Changes the autorun value in the registry

ASYNCRAT has been detected (YARA)

SUSPICIOUS

The process executes JS scripts

Writes binary data to a Stream object (SCRIPT)

Creates FileSystem object to access computer's file system (SCRIPT)

Creates a Stream, which may work with files, input/output devices, pipes, or TCP/IP sockets (SCRIPT)

Creates XML DOM element (SCRIPT)

Script creates XML DOM node (SCRIPT)

Sets XML DOM element text (SCRIPT)

Application launched itself

Saves data to a binary file (SCRIPT)

Runs shell command (SCRIPT)

Gets name of the script (SCRIPT)

Gets full path of the running script (SCRIPT)

Executable content was dropped or overwritten

Gets a collection of all available drive names (SCRIPT)

Checks whether the drive is ready (SCRIPT)

Gets the drive type (SCRIPT)

Gets disk free space (SCRIPT)

Accesses WMI object, sets custom ImpersonationLevel (SCRIPT)

Gets computer name (SCRIPT)

Executes WMI query (SCRIPT)

Accesses local storage devices (Win32_LogicalDisk) via WMI (SCRIPT)

Accesses current user name via WMI (SCRIPT)

Accesses OperatingSystem(Win32_OperatingSystem) via WMI (SCRIPT)

Accesses computer name via WMI (SCRIPT)

Accesses operating system name via WMI (SCRIPT)

Accesses WMI object caption (SCRIPT)

Accesses WMI object display name (SCRIPT)

Accesses antivirus product name via WMI (SCRIPT)

Adds, changes, or deletes HTTP request header (SCRIPT)

Connects to unusual port

Contacting a server suspected of hosting an CnC

The process creates files with name similar to system file names

Executing commands from a ".bat" file

Starts CMD.EXE for commands execution

Uses TIMEOUT.EXE to delay execution

The executable file from the user directory is run by the CMD process

INFO

Auto-launch of the file from Startup directory

Self-termination (SCRIPT)

Checks supported languages

Reads the computer name