File name:	StatementNumber#vfnwfrsysl.wsf
Full analysis:	https://app.any.run/tasks/24494137-79d6-47f1-ab50-16844ecab24b
Verdict:	Malicious activity
Threats:	AsyncRAT is a RAT that can monitor and remotely control infected systems. This malware was introduced on Github as a legitimate open-source remote administration software, but hackers use it for its many powerful malicious functions. Remote access trojans (RATs) are a type of malware that enables attackers to establish complete to partial control over infected computers. Such malicious programs often have a modular design, offering a wide range of functionalities for conducting illicit activities on compromised systems. Some of the most common features of RATs include access to the users’ data, webcam, and keystrokes. This malware is often distributed through phishing emails and links. Malware Trends Tracker >>>
Analysis date:	February 12, 2024, 17:26:15
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	rat asyncrat remote
Indicators:
MIME:	text/plain
File info:	Unicode text, UTF-8 text, with very long lines (4923)
MD5:	41895B624BC77C2921E6E1BEBE1B6CED
SHA1:	E920FB9EC50C2EC43591BD2D8C99B6E6D70270B5
SHA256:	C5C76A901DFE2FE33A01F3D1E3B3F82C99A5B0E4898E1B78B76AC6E7A48E5419
SSDEEP:	384:UIvIvIvIvIvIvIvIvIvIvIvIgIvIvIvIvIvIvIvIvIvIvIvIrIvIvIvIvIvIvIvr:Q


(PID) Process:	(5924) wscript.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	ProxyBypass
Value: 1
(PID) Process:	(5924) wscript.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	IntranetName
Value: 1
(PID) Process:	(5924) wscript.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	UNCAsIntranet
Value: 1
(PID) Process:	(5924) wscript.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	AutoDetect
Value: 0
(PID) Process:	(5924) wscript.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:	write	Name:	CachePrefix
Value:
(PID) Process:	(5924) wscript.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:	write	Name:	CachePrefix
Value: Cookie:
(PID) Process:	(5924) wscript.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:	write	Name:	CachePrefix
Value: Visited:
(PID) Process:	(3888) powershell.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	ProxyBypass
Value: 1
(PID) Process:	(3888) powershell.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	IntranetName
Value: 1
(PID) Process:	(3888) powershell.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	UNCAsIntranet
Value: 1

PID	Process	Filename		Type
3888	powershell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_are4b00l.adn.psm1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
3888	powershell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_aow4hdg3.xxx.psm1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
3888	powershell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_l1ylofaa.rug.ps1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
5924	wscript.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\D9H4GX35\g4[1].txt		text
		MD5:8471B9F9D9E51433F25D31823A43A59C	SHA256:14B1DD86E80AD1148017CDA4DCDAF6CD03CC3487722FA1EE1C36C4B54AC425B1
3888	powershell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_ecocbi04.mox.ps1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
3888	powershell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_04hjhqen.haw.ps1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
3888	powershell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_uluwfezl.rok.psm1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
3888	powershell.exe	C:\Users\Public\method.dll		text
		MD5:38B97710070DBDD7B3359C0D52DA4A72	SHA256:675F06AF4E7F254D55AC605BBD7DA45D9E00207A97F8A8AB7BB747D512776BC7
3888	powershell.exe	C:\Users\Public\msg.dll		text
		MD5:A4BFB12DBF9DA83178AE54E82BA3A432	SHA256:27D5BD8CB077905BE7AB576F344C27F140B5585EF471F68638A8791C07FDA0CE
3888	powershell.exe	C:\Users\Public\load.dll		text
		MD5:F19DBF2EDB3A0BD74B0524D960FF21EB	SHA256:8A6BDB6B18DA586FE7F2ACBD8F1055533F2CD97A3681B3652BCD712224DF45C3

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
2420	svchost.exe	GET	200	37.1.214.209:80	http://newhost.dyndns.info/f.jpg	unknown	compressed	223 Kb	unknown
5924	wscript.exe	GET	200	37.1.214.209:80	http://37.1.214.209/g4.txt	unknown	text	546 b	unknown
2420	svchost.exe	HEAD	200	37.1.214.209:80	http://newhost.dyndns.info/f.jpg	unknown	—	—	unknown
5476	msedge.exe	GET	200	37.1.214.209:80	http://newhost.dyndns.info/f.jpg	unknown	compressed	223 Kb	unknown
5476	msedge.exe	GET	204	13.107.6.158:80	http://edge-http.microsoft.com/captiveportal/generate_204	unknown	—	—	unknown
6244	curl.exe	GET	200	37.1.214.209:80	http://newhost.dyndns.info/f.jpg	unknown	compressed	223 Kb	unknown
5476	msedge.exe	GET	200	37.1.214.209:80	http://newhost.dyndns.info/favicon.ico	unknown	image	30.1 Kb	unknown
4128	CompatTelRunner.exe	GET	200	2.18.97.123:80	http://www.microsoft.com/pkiops/crl/MicWinProPCA2011_2011-10-19.crl	unknown	binary	564 b	unknown
2592	wermgr.exe	GET	200	2.16.241.12:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	binary	1.01 Kb	unknown
4128	CompatTelRunner.exe	GET	200	88.221.110.114:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl	unknown	binary	824 b	unknown

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:138	—	—	—	whitelisted
5924	wscript.exe	37.1.214.209:80	newhost.dyndns.info	HVC-AS	US	unknown
2592	wermgr.exe	52.182.143.212:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	US	unknown
2592	wermgr.exe	2.16.241.12:80	crl.microsoft.com	Akamai International B.V.	DE	unknown
3012	svchost.exe	239.255.255.250:1900	—	—	—	unknown
2592	wermgr.exe	23.218.209.163:80	www.microsoft.com	AKAMAI-AS	DE	unknown
2592	wermgr.exe	20.189.173.20:443	umwatson.events.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	unknown
2420	svchost.exe	37.1.214.209:80	newhost.dyndns.info	HVC-AS	US	unknown
2420	svchost.exe	104.20.23.46:443	nodejs.org	CLOUDFLARENET	—	shared
2592	wermgr.exe	20.42.65.92:443	umwatson.events.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	unknown

Domain	IP	Reputation
crl.microsoft.com	2.16.241.12 2.16.241.19 88.221.110.114 88.221.110.122	whitelisted
www.microsoft.com	23.218.209.163 2.18.97.123	whitelisted
umwatson.events.data.microsoft.com	20.189.173.20 20.42.65.92	whitelisted
newhost.dyndns.info	37.1.214.209	unknown
nodejs.org	104.20.23.46 104.20.22.46	whitelisted
self.events.data.microsoft.com	20.42.65.89	whitelisted
ntp.msn.com	204.79.197.203	whitelisted
config.edge.skype.com	13.107.42.16	whitelisted
edge-http.microsoft.com	13.107.6.158	whitelisted
edge.microsoft.com	13.107.21.239 204.79.197.239	whitelisted

PID	Process	Class	Message
5924	wscript.exe	A Network Trojan was detected	SUSPICIOUS [ANY.RUN] VBS is used to run Shell
—	—	Potentially Bad Traffic	ET INFO DYNAMIC_DNS Query to a *.dyndns .info Domain
—	—	Misc activity	AV INFO DYNAMIC_DNS Query to *.dyndns. Domain
—	—	Misc activity	ET INFO DYNAMIC_DNS Query to *.dyndns. Domain
2420	svchost.exe	Misc activity	ET INFO DYNAMIC_DNS HTTP Request to a .dyndns. domain
2420	svchost.exe	Potentially Bad Traffic	ET INFO DYNAMIC_DNS HTTP Request to a *.dyndns .info Domain
2420	svchost.exe	Potentially Bad Traffic	ET INFO DYNAMIC_DNS HTTP Request to a *.dyndns .info Domain
2420	svchost.exe	Misc activity	ET INFO DYNAMIC_DNS HTTP Request to a .dyndns. domain
—	—	Potentially Bad Traffic	ET INFO DYNAMIC_DNS Query to a *.dyndns .info Domain
—	—	Misc activity	AV INFO DYNAMIC_DNS Query to *.dyndns. Domain

General Info

StatementNumber#vfnwfrsysl.wsf

41895B624BC77C2921E6E1BEBE1B6CED

E920FB9EC50C2EC43591BD2D8C99B6E6D70270B5

C5C76A901DFE2FE33A01F3D1E3B3F82C99A5B0E4898E1B78B76AC6E7A48E5419

384:UIvIvIvIvIvIvIvIvIvIvIvIgIvIvIvIvIvIvIvIvIvIvIvIrIvIvIvIvIvIvIvr:Q

Software environment set and analysis options

Launch configuration

Software preset

Behavior activities

MALICIOUS

Unusual connection from system programs

Scans artifacts that could help determine the target

Probably downloads file via BitsAdmin

ASYNCRAT has been detected (SURICATA)

SUSPICIOUS

The process executes VB scripts

Starts POWERSHELL.EXE for commands execution

Likely accesses (executes) a file from the Public directory

Executing commands from a ".bat" file

Starts CMD.EXE for commands execution

Runs shell command (SCRIPT)

Application launched itself

Reads security settings of Internet Explorer

The process executes Powershell scripts

INFO

Checks proxy server information

Manual execution by a user

Application launched itself

Reads Microsoft Office registry keys

Checks supported languages

Reads the computer name

Reads security settings of Internet Explorer

Malware configuration

Static information

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings