File name:

invoice-ID9411548.vbs

Full analysis: https://app.any.run/tasks/b7882987-7a33-4ac3-bd32-6126da319ff2
Verdict: Malicious activity
Threats:

AsyncRAT is a RAT that can monitor and remotely control infected systems. This malware was introduced on Github as a legitimate open-source remote administration software, but hackers use it for its many powerful malicious functions.

Analysis date: January 01, 2021, 14:39:03
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
trojan
rat
asyncrat
Indicators:
MIME: text/plain
File info: ASCII text
MD5:

F9E8A25600C4BC01018C470BF41324EA

SHA1:

19831C42BA73345E2B19499109754DBB0D39AAE7

SHA256:

6CAF398DD07A03DC116FA8562B0DAF0973D16309299CB9664D2EFBC82BDB3069

SSDEEP:

24:owSfpzJKZLQHmzS0f19RWaCJJN+nbAaJT+wdu+nAnAP87JKZnhYmualYpLumRZ6P:oLfpKQi9gzCd8GOHZqZT

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Writes to a start menu file

      • powershell.exe (PID: 1036)
      • powershell.exe (PID: 3964)
    • ASYNCRAT was detected

      • MSBuild.exe (PID: 2548)
  • SUSPICIOUS

    • Executes PowerShell scripts

      • WScript.exe (PID: 1808)
      • WScript.exe (PID: 1464)
    • Creates files in the user directory

      • powershell.exe (PID: 1036)
      • powershell.exe (PID: 3964)
    • Application launched itself

      • WScript.exe (PID: 1808)
    • Executes scripts

      • WScript.exe (PID: 1808)
  • INFO

    • Reads settings of System Certificates

      • powershell.exe (PID: 3964)
      • powershell.exe (PID: 1036)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
41
Monitored processes
6
Malicious processes
3
Suspicious processes
0

Behavior graph

Click at the process to see the details
start wscript.exe no specs powershell.exe wscript.exe no specs powershell.exe #ASYNCRAT msbuild.exe msbuild.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
1808"C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\invoice-ID9411548.vbs"C:\Windows\System32\WScript.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Exit code:
0
Version:
5.8.7600.16385
Modules
Images
c:\windows\system32\wscript.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
3964"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nologo -ExecutionPolicy Unrestricted -File C:\Users\Public\Opera.ps1C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
WScript.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\atl.dll
c:\windows\system32\user32.dll
1464"C:\Windows\System32\WScript.exe" "C:\Users\Public\Opera.vbs" C:\Windows\System32\WScript.exeWScript.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Exit code:
0
Version:
5.8.7600.16385
Modules
Images
c:\windows\system32\wscript.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
1036"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nologo -ExecutionPolicy Unrestricted -File C:\Users\Public\Opera.ps1C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
WScript.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\atl.dll
c:\windows\system32\user32.dll
2548"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
MSBuild.exe
Version:
4.7.3062.0 built by: NET472REL1
Modules
Images
c:\windows\microsoft.net\framework\v4.0.30319\msbuild.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
2880"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
MSBuild.exe
Exit code:
0
Version:
4.7.3062.0 built by: NET472REL1
Modules
Images
c:\windows\microsoft.net\framework\v4.0.30319\msbuild.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
Total events
950
Read events
772
Write events
178
Delete events
0

Modification events

(PID) Process:(1808) WScript.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
0
(PID) Process:(1808) WScript.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
1
(PID) Process:(3964) powershell.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\13B\52C64B7E
Operation:writeName:LanguageList
Value:
en-US
(PID) Process:(3964) powershell.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
0
(PID) Process:(3964) powershell.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
1
(PID) Process:(3964) powershell.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
Operation:writeName:EnableFileTracing
Value:
0
(PID) Process:(3964) powershell.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
Operation:writeName:EnableConsoleTracing
Value:
0
(PID) Process:(3964) powershell.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
Operation:writeName:FileTracingMask
Value:
4294901760
(PID) Process:(3964) powershell.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
Operation:writeName:ConsoleTracingMask
Value:
4294901760
(PID) Process:(3964) powershell.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
Operation:writeName:MaxFileSize
Value:
1048576
Executable files
0
Suspicious files
8
Text files
2
Unknown types
2

Dropped files

PID
Process
Filename
Type
3964powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6ZFJR1BENRL7416DG8Z0.temp
MD5:
SHA256:
1036powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\EYU8CTY4F5SAWSKPSZR5.temp
MD5:
SHA256:
2548MSBuild.exeC:\Users\admin\AppData\Local\Temp\Cab7211.tmp
MD5:
SHA256:
2548MSBuild.exeC:\Users\admin\AppData\Local\Temp\Tar7212.tmp
MD5:
SHA256:
2548MSBuild.exeC:\Users\admin\AppData\Local\Temp\Cab7233.tmp
MD5:
SHA256:
2548MSBuild.exeC:\Users\admin\AppData\Local\Temp\Tar7234.tmp
MD5:
SHA256:
2548MSBuild.exeC:\Users\admin\AppData\Local\Temp\Cab732F.tmp
MD5:
SHA256:
2548MSBuild.exeC:\Users\admin\AppData\Local\Temp\Tar7330.tmp
MD5:
SHA256:
2548MSBuild.exeC:\Users\admin\AppData\Local\Temp\Cab73BD.tmp
MD5:
SHA256:
2548MSBuild.exeC:\Users\admin\AppData\Local\Temp\Tar73BE.tmp
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
2
TCP/UDP connections
8
DNS requests
4
Threats
6

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2548
MSBuild.exe
GET
200
8.253.204.121:80
http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
US
compressed
57.5 Kb
whitelisted
2548
MSBuild.exe
GET
304
8.253.204.121:80
http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
US
compressed
57.5 Kb
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3964
powershell.exe
207.241.227.115:443
ia601505.us.archive.org
Internet Archive
US
unknown
2548
MSBuild.exe
168.119.170.202:6666
saico015.linkpc.net
US
malicious
1036
powershell.exe
207.241.227.115:443
ia601505.us.archive.org
Internet Archive
US
unknown
1036
powershell.exe
207.241.227.122:443
ia601402.us.archive.org
Internet Archive
US
unknown
3964
powershell.exe
207.241.227.122:443
ia601402.us.archive.org
Internet Archive
US
unknown
2548
MSBuild.exe
8.253.204.121:80
www.download.windowsupdate.com
Global Crossing
US
malicious

DNS requests

Domain
IP
Reputation
ia601402.us.archive.org
  • 207.241.227.122
unknown
ia601505.us.archive.org
  • 207.241.227.115
unknown
saico015.linkpc.net
  • 168.119.170.202
malicious
www.download.windowsupdate.com
  • 8.253.204.121
  • 8.248.149.254
  • 8.253.204.120
  • 8.248.141.254
  • 67.26.137.254
whitelisted

Threats

PID
Process
Class
Message
A Network Trojan was detected
MALWARE [PTsecurity] AsyncRAT
A Network Trojan was detected
SUSPICIOUS [PTsecurity] Possible AsyncRAT/Quasar SSL certificate
A Network Trojan was detected
ET TROJAN Observed Malicious SSL Cert (AsyncRAT Server)
A Network Trojan was detected
MALWARE [PTsecurity] AsyncRAT
A Network Trojan was detected
REMOTE [PTsecurity] AsyncRAT Connection
1 ETPRO signatures available at the full report
No debug info