MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 06e223bb2af0e00e3c5c7d2a0574e0cf69716f82432665221d49f62a8613b5ed. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AsyncRAT

Vendor detections: 9

Maldoc score: 11

Intelligence 9 IOCs YARA File information Comments

SHA256 hash:	06e223bb2af0e00e3c5c7d2a0574e0cf69716f82432665221d49f62a8613b5ed
SHA3-384 hash:	cbfe274854de4ddcbde88b7036c1feaa5d1afc2f1cf39118100cf5a9dc80e16c40e811368a01b2facbf6b4a79a330838
SHA1 hash:	95e69dffccc8c93611de153fd9993faefc4b0f5f
MD5 hash:	fddb915231bd05bdb40250bd9ca9327a
humanhash:	fix-jersey-sweet-finch
File name:	ORDER 002110109A.xlsm
Download:	download sample
Signature	AsyncRAT Create hunting rule
File size:	397'742 bytes
First seen:	2021-10-10 11:47:29 UTC
Last seen:	2021-10-10 13:02:04 UTC
File type:	xlsm
MIME type:	application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
ssdeep	12288:r7Tjtsfs/76kiLn7AcCkNNmONeWR9yymNk4:r7Fyy76kir7JC4LNegky8L
TLSH	T1B084025ACFAB00C6C28BA5749209E856C01AF802940DEB773DA48F6D85979D4537FECF
Reporter	abuse_ch
Tags:	AsyncRAT RAT xlsm

Office OLE Information

This malware samples appears to be an Office document. The following table provides more information about this document using oletools and oledump.

OLE id

Maldoc score: 11

OLE dump

MalwareBazaar was able to identify 19 sections in this file using oledump:

Section ID	Section size	Section name
A1	1102 bytes	PROJECT
A2	335 bytes	PROJECTwm
A3	173 bytes	VBA/Learn more
A4	172 bytes	VBA/Sheet10
A5	178 bytes	VBA/Sheet11
A6	169 bytes	VBA/Sheet2
A7	170 bytes	VBA/Sheet3
A8	171 bytes	VBA/Sheet4
A9	173 bytes	VBA/Sheet5
A10	180 bytes	VBA/Sheet6
A11	171 bytes	VBA/Sheet7
A12	177 bytes	VBA/Sheet8
A13	173 bytes	VBA/Sheet9
A14	168 bytes	VBA/Start
A15	1096 bytes	VBA/ThisWorkbook
A16	171 bytes	VBA/Workbook
A17	7 bytes	VBA/_VBA_PROJECT
A18	452 bytes	VBA/dir

OLE vba

MalwareBazaar was able to extract and deobfuscate VBA script(s) the following information from OLE objects embedded in this file using olevba:

Type	Keyword	Description
AutoExec	Workbook_Activate	Runs when the Excel Workbook is opened
IOC	ershell.exe	Executable file name
IOC	Wzjokpltbfr.bat	Executable file name
Suspicious	Open	May open a file
Suspicious	Output	May write to a file (if combined with Open)
Suspicious	Shell	May run an executable file or a system command
Suspicious	Hex Strings	Hex-encoded strings were detected, may be used to obfuscate strings (option --decode to see all)
Suspicious	Base64 Strings	Base64-encoded strings were detected, may be used to obfuscate strings (option --decode to see all)

Intelligence

File Origin

# of uploads :

# of downloads :

226

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

ORDER 002110109A.xlsm

Verdict:

No threats detected

Analysis date:

2021-10-10 11:48:56 UTC

Tags:

macros macros-on-open

Link:

https://app.any.run/tasks/fea4d740-a852-4455-b390-4d4dcafbdca8

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/196367/

Detection(s):

SecuriteInfo.com.VBA.Heur.ObfDldr.26.F833788E.Gen.4432.17688.UNOFFICIAL

Result

Verdict:

Malicious

File Type:

Excel File with Macro

Link:

https://app.docguard.net/06e223bb2af0e00e3c5c7d2a0574e0cf69716f82432665221d49f62a8613b5ed/results/dashboard

Document image

Image:

Download PNG

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

cmd macros macros-on-open packed powershell

Link:

https://www.filescan.io/uploads/6162d2f49fb4d8593d607d41/reports/886eac10-48f9-4611-b77d-a0d286fc3fd3/overview

Result

Verdict:

MALICIOUS

Link:

https://labs.inquest.net/dfi/sha256/06e223bb2af0e00e3c5c7d2a0574e0cf69716f82432665221d49f62a8613b5ed

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/06e223bb2af0e00e3c5c7d2a0574e0cf69716f82432665221d49f62a8613b5ed/

Threat name:

Document-Office.Downloader.Donoff

Status:

Malicious

First seen:

2021-10-10 10:49:42 UTC

AV detection:

7 of 28 (25.00%)

Threat level:

3/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=a3rchozk6dqa4pc4puvak5haz5uxc34cimtgkiq5jh3cvbqtwxwq._file

Result

Malware family:

asyncrat

Score:

10/10

Tags:

family:asyncrat macro persistence rat

Link:

https://tria.ge/reports/211010-nyfc4afge3/

Behaviour

Checks processor information in registry

Enumerates system info in registry

Modifies Internet Explorer settings

Modifies registry class

NTFS ADS

Suspicious behavior: AddClipboardFormatListener

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: RenamesItself

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Office loads VBA resources, possible macro or embedded object present

Suspicious use of SetThreadContext

Adds Run key to start application

Deletes itself

Loads dropped DLL

Blocklisted process makes network request

Downloads MZ/PE file

Executes dropped EXE

Async RAT payload

AsyncRat

Process spawned unexpected child process

Malware Config

Dropper Extraction:

http://transfer.sh/get/ii6Fqb/word.exe

Malware family:

AsyncRAT

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/06e223bb2af0/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/06e223bb2af0e00e3c5c7d2a0574e0cf69716f82432665221d49f62a8613b5ed

File information

The table below shows additional information about this malware sample such as delivery method and external references.

URLhaus

https://urlhaus.abuse.ch/url/1663348/

Cape

https://www.capesandbox.com/analysis/196367/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample