2024-08-29 ASYNCRAT Samples
2024
eSentire's Threat Response Unit (TRU) discovered an AsyncRAT infection that was delivered through a Windows Script File (.wsf) via email. The malicious .wsf
file, named “SummaryForm_,” downloaded a VBScript from a remote server, which then fetched a fake image file.
This file was actually a ZIP archive that, once extracted, ran additional scripts to establish persistence on the system. The scripts created a scheduled task to execute the AsyncRAT payload repeatedly, making it difficult to detect and remove. The payload was injected into the RegAsm.exe
process using a DLL to further evade detection.
Additionally, this version of AsyncRAT included an infostealer plugin designed to exfiltrate data from popular web browsers like Chrome and Firefox, as well as cryptocurrency wallet extensions such as MetaMask and Coinbase. The attack highlights the use of multiple stages and obfuscation techniques to maintain persistence and steal sensitive information from the infected system.
Download. Email me if you need the password scheme.
File Information
├── 29b4af288f1bb75da4df5cbf00033c68df1fee656433cb99726f16de8c2b55f1 uzopuzbkrpcziwca txt
├── 5768a2bfeaa935af64b66bec24cc4d35c7919e1317daa072f8902a7354f3bf8d WJVIQQFZMZLSZTJJ bat
├── 5b1b7bd1fadfc3d2abcd8ea8f863fe96233e1dac8b994311c6a331179243b5cd NewPE2 dll
├── 7d91feeb19c895927012f56d9502ba8a9345ff955adc7d20f2e3a660a029769e SummaryForm wsf
├── 82dcc44da4b3454291a1d846414efde776b51bf2d30406cb9aa5bac020b0c4c5 AsyncRAT
├── ab2bef5c63ac65904386a02f4c7d9bbceaafa3763aceef24fd7981ca993006a4 CEIULUDEZFCEVSMM bat
├── b8631fd49a327589f97232eefc14bec144ef6fdd43d3d79ce9fab3adf8067221 IRUAHCKDFAFDCHUV vbs
├── c351fafa32e9c2e91a514c10fa8097da0f837c2a4bfcbac0e899f5780fd8b69a YXRPNPSMGCOBEURV ps1
└── d381eeba306533d765ae541fcb737f408abbeeed2f15ae1b1c678adde3960d31 lAOdPuUqwXLVFvqT jpg