MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2134fd37c725045eda3f016dc0da56c82b9d35a03a5ea4cedc15415c66eb0259. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AsyncRAT


Vendor detections: 8


Maldoc score: 9


Intelligence 8 IOCs 1 YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2134fd37c725045eda3f016dc0da56c82b9d35a03a5ea4cedc15415c66eb0259
SHA3-384 hash: d0e4c90f2d48532d89de06d8291a70d12eaf5a51781f155660e31fbba0877663b81f65f2ba05190a167be2d8df7b75b9
SHA1 hash: 49b69135f5fd6e59ae61a49106220fb7c5df7d4c
MD5 hash: 82424a0b96ac5b556b93b46432422ff8
humanhash: island-august-crazy-alanine
File name:Payment Slip.xlsb
Download: download sample
Signature AsyncRAT
Create hunting rule
File size:46'595 bytes
First seen:2021-07-03 06:01:06 UTC
Last seen:2021-07-03 06:54:50 UTC
File type:Excel file xlsx
MIME type:application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
ssdeep 768:y6kOiCQWuVLYAz4PQTctJCBoju8Yvcinc9pRn3Ttyyyyyyyyyyyyyyyyyyyyy/Wa:ymiCKLrDoFjpXic9n3Ttyyyyyyyyyyyf
TLSH BC23AE86F2C86D74DD6CE93D6C1E4C2018A31358A788A78658AF8F1D3D3B7C76B4205E
Reporter abuse_ch
Tags:AsyncRAT RAT xlsb xlsx


Avatar
abuse_ch
AsyncRAT C2:
172.94.109.19:2703

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
172.94.109.19:2703 https://threatfox.abuse.ch/ioc/157357/

Office OLE Information

This malware samples appears to be an Office document. The following table provides more information about this document using oletools and oledump.

OLE id
Maldoc score: 9
OLE dump

MalwareBazaar was able to identify 12 sections in this file using oledump:

Section IDSection sizeSection name
A1455 bytesPROJECT
A286 bytesPROJECTwm
A3991 bytesVBA/Sheet1
A41357 bytesVBA/ThisWorkbook
A52818 bytesVBA/_VBA_PROJECT
A61621 bytesVBA/__SRP_0
A7180 bytesVBA/__SRP_1
A8266 bytesVBA/__SRP_2
A9284 bytesVBA/__SRP_3
A10569 bytesVBA/dir
A118431 bytesVBA/otbvjki
OLE vba

MalwareBazaar was able to extract and deobfuscate VBA script(s) the following information from OLE objects embedded in this file using olevba:

TypeKeywordDescription
AutoExecWorkbook_OpenRuns when the Excel Workbook is opened
SuspiciousRunMay run an executable file or a system command
SuspiciousCreateObjectMay create an OLE object
SuspiciousChrMay attempt to obfuscate specific strings (use option --deobf to deobfuscate)
SuspiciousHex StringsHex-encoded strings were detected, may be used to obfuscate strings (option --decode to see all)

Intelligence

File Origin
# of uploads :
2
# of downloads :
143
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Payment Slip.xlsb
Verdict:
No threats detected
Analysis date:
2021-07-03 06:13:31 UTC
Tags:
macros macros-on-open generated-doc
Link:
https://app.any.run/tasks/67dcd462-9bd1-4bc4-a071-26490f196415

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Legit
File type:
application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
Has a screenshot:
False
Contains macros:
True
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/169449/
Detection(s):
MiscreantPunch.EvilMacro.PSHELLFromB64w.6.UNOFFICIAL
Create hunting rule

TwinWave.EvilDoc.WSHCROVARCHRMATHLONGGONE.20200524.UNOFFICIAL
Create hunting rule

TwinWave.EvilDoc.DOCXRSTRGOOD._IEX.210408B64.4.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malicious
File Type:
Excel File with Macro
Link:
https://app.docguard.net/2134fd37c725045eda3f016dc0da56c82b9d35a03a5ea4cedc15415c66eb0259/results/dashboard
Document image
Image:
Download PNG
Document image
Result
Verdict:
MALICIOUS
Link:
https://labs.inquest.net/dfi/sha256/2134fd37c725045eda3f016dc0da56c82b9d35a03a5ea4cedc15415c66eb0259
Details
Base64 Encoded Powershell Directives
Detected one or more base64 encoded Powershell directives.
Macro with Startup Hook
Detected macro logic that will automatically execute on document open. Most malware contains some execution hook.
Macro Execution Coercion
Detected a document that appears to social engineer the user into activating embedded logic.
Base64 Encoded URL
Detected an ANSI or UNICODE http:// or https:// base64 encoded URL prefix.
Result
Threat name:
AsyncRAT
Create hunting rule
Detection:
malicious
Classification:
expl.evad.troj
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/811330
Signature
Allocates memory in foreign processes
Document contains an embedded VBA macro which may execute processes
Document exploit detected (process start blacklist hit)
Drops PE files to the user root directory
Encrypted powershell cmdline option found
Injects a PE file into a foreign processes
Machine Learning detection for sample
Obfuscated command line found
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
PowerShell case anomaly found
Powershell drops PE file
Sample uses process hollowing technique
Sigma detected: Microsoft Office Product Spawning Windows Shell
Sigma detected: Suspicious PowerShell Cmdline
Sigma detected: Suspicious Process Start Without DLL
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses dynamic DNS services
Very long command line found
Writes to foreign memory regions
Yara detected AsyncRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 443746 Sample: Payment Slip.xlsb Startdate: 03/07/2021 Architecture: WINDOWS Score: 100 54 Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros) 2->54 56 Yara detected AsyncRAT 2->56 58 Obfuscated command line found 2->58 60 9 other signatures 2->60 9 EXCEL.EXE 26 23 2->9         started        14 adobe.exe 2->14         started        16 adobe.exe 2->16         started        process3 dnsIp4 50 192.168.2.1 unknown unknown 9->50 40 C:\Users\user\Desktop\~$Payment Slip.xlsb, data 9->40 dropped 70 Obfuscated command line found 9->70 72 Very long command line found 9->72 18 cmd.exe 1 9->18         started        74 Writes to foreign memory regions 14->74 76 Allocates memory in foreign processes 14->76 78 Sample uses process hollowing technique 14->78 80 Injects a PE file into a foreign processes 14->80 21 RegSvcs.exe 14->21         started        23 RegSvcs.exe 16->23         started        25 RegSvcs.exe 16->25         started        file5 signatures6 process7 signatures8 62 Very long command line found 18->62 64 Encrypted powershell cmdline option found 18->64 66 PowerShell case anomaly found 18->66 27 powershell.exe 16 22 18->27         started        32 conhost.exe 18->32         started        process9 dnsIp10 52 transfer.sh 144.76.136.153, 49716, 80 HETZNER-ASDE Germany 27->52 42 C:\Users\user\adobe.exe, PE32 27->42 dropped 82 Drops PE files to the user root directory 27->82 84 Powershell drops PE file 27->84 34 adobe.exe 27->34         started        file11 signatures12 process13 signatures14 68 Sample uses process hollowing technique 34->68 37 RegSvcs.exe 34->37         started        process15 dnsIp16 44 rahim321.duckdns.org 192.169.69.25, 49703, 49723 WOWUS United States 37->44 46 178.33.222.243, 46943 OVHFR France 37->46 48 2 other IPs or domains 37->48
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/2134fd37c725045eda3f016dc0da56c82b9d35a03a5ea4cedc15415c66eb0259/
Threat name:
Script-Macro.Trojan.Heuristic
Create hunting rule
Status:
Malicious
First seen:
2021-07-03 06:01:17 UTC
AV detection:
11 of 46 (23.91%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ee2p2n6heucf5wr7afw4bwswzavz2nnahjpkjtw4cvavyzxlajmq._file
Result
Malware family:
asyncrat
Create hunting rule
Score:
  10/10
Tags:
family:asyncrat macro persistence rat
Link:
https://tria.ge/reports/210703-18p21w6h56/
Behaviour
Checks processor information in registry
Enumerates system info in registry
Modifies Internet Explorer settings
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Office loads VBA resources, possible macro or embedded object present
Suspicious use of SetThreadContext
Adds Run key to start application
Loads dropped DLL
Blocklisted process makes network request
Downloads MZ/PE file
Executes dropped EXE
Async RAT payload
AsyncRat
Process spawned unexpected child process
Malware Config
C2 Extraction:
chongmei33.publicvm.com:2703
chongmei33.publicvm.com:49746
chongmei33.publicvm.com:49703
chongmei33.publicvm.com:46943
185.165.153.116:2703
185.165.153.116:49746
185.165.153.116:49703
185.165.153.116:46943
54.37.36.116:2703
54.37.36.116:49746
54.37.36.116:49703
54.37.36.116:46943
185.244.30.92:2703
185.244.30.92:49746
185.244.30.92:49703
185.244.30.92:46943
dongreg202020.duckdns.org:2703
dongreg202020.duckdns.org:49746
dongreg202020.duckdns.org:49703
dongreg202020.duckdns.org:46943
178.33.222.241:2703
178.33.222.241:49746
178.33.222.241:49703
178.33.222.241:46943
rahim321.duckdns.org:2703
rahim321.duckdns.org:49746
rahim321.duckdns.org:49703
rahim321.duckdns.org:46943
79.134.225.92:2703
79.134.225.92:49746
79.134.225.92:49703
79.134.225.92:46943
37.120.208.36:2703
37.120.208.36:49746
37.120.208.36:49703
37.120.208.36:46943
178.33.222.243:2703
178.33.222.243:49746
178.33.222.243:49703
178.33.222.243:46943
87.98.245.48:2703
87.98.245.48:49746
87.98.245.48:49703
87.98.245.48:46943
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/2134fd37c725045eda3f016dc0da56c82b9d35a03a5ea4cedc15415c66eb0259

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Email_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Email in files like avemaria
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:IPPort_combo_mem
Create hunting rule
Author:James_inthe_box
Description:IP and port combo
Rule name:Select_from_enumeration
Create hunting rule
Author:James_inthe_box
Description:IP and port combo
Rule name:SharedStrings
Create hunting rule
Author:Katie Kleemola
Description:Internal names found in LURK0/CCTV0 samples
Rule name:UAC_bypass_bin_mem
Create hunting rule
Author:James_inthe_box
Description:UAC bypass in files like avemaria

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/169449/

Comments