MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2657a10c7ccd83fe042c172a67c31c3a40dfff1c97cc7549533b2af8de2eb88e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



AsyncRAT


Vendor detections: 11


Maldoc score: 9



SHA256 hash: 2657a10c7ccd83fe042c172a67c31c3a40dfff1c97cc7549533b2af8de2eb88e
SHA3-384 hash: a5237cb18ebe8176475746ccd81244dac86f5e85e56597a47fdfba9f9b0e4f6896172693600e2707eec1ee8d7e527883
SHA1 hash: cf4cbacbb5533ec90ec8215d01284d18b35dd139
MD5 hash: e391234ad8969ee93813458c325194c4
humanhash: bacon-nebraska-bulldog-london
File name: PO-21322.xlsm
Signature: AsyncRAT
File size: 427'343 bytes
First seen: 2021-03-22 17:21:49 UTC
Last seen: 2021-03-23 07:18:59 UTC
File type: Excel file xlsm
MIME type: application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
ssdeep: 12288:8I/p49w8fyunGthwu8kxPthZugvq4jzjSGUuW:z49b7AhFxPthZnvL3tW
TLSH: 6194233F9258BE9FD6B3EA7988049AD7231253CE33907D7578689CC80A6F12EC171E54
Reporter: abuse_ch
Tags: AsyncRAT RAT xlsm


abuse_ch
AsyncRAT C2:
46.243.221.36:2703

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC                   ThreatFox Reference
46.243.221.36:2703    https://threatfox.abuse.ch/ioc/4419/

Office OLE Information


This malware sample appears to be an Office document. The following table provides more information about this document using oletools and oledump.

OLE id
Maldoc score: 9
OLE dump

MalwareBazaar was able to identify 15 sections in this file using oledump:

Section ID   Section size   Section name
A1           526 bytes      PROJECT
A2           104 bytes      PROJECTwm
A3           1150 bytes     VBA/Sheet1
A4           977 bytes      VBA/Sheet2
A5           977 bytes      VBA/Sheet3
A6           33276 bytes    VBA/ThisWorkbook
A7           2838 bytes     VBA/_VBA_PROJECT
A8           1432 bytes     VBA/__SRP_0
A9           179 bytes      VBA/__SRP_1
A10          228 bytes      VBA/__SRP_2
A11          66 bytes       VBA/__SRP_3
A12          360 bytes      VBA/__SRP_4
A13          163 bytes      VBA/__SRP_5
A14          554 bytes      VBA/dir
OLE vba

MalwareBazaar was able to extract and deobfuscate VBA script(s) and obtained the following information from OLE objects embedded in this file using olevba:

Type         Keyword         Description
AutoExec     Workbook_Open   Runs when the Excel Workbook is opened
Suspicious   Shell           May run an executable file or a system command
Suspicious   Chr             May attempt to obfuscate specific strings (use option --deobf to deobfuscate)
Suspicious   Xor             May attempt to obfuscate specific strings (use option --deobf to deobfuscate)
Suspicious   Hex Strings     Hex-encoded strings were detected, may be used to obfuscate strings (option --decode to see all)

Intelligence


File Origin
# of uploads :
3
# of downloads :
111
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
PO-21322.xlsm
Verdict:
Malicious activity
Analysis date:
2021-03-22 17:36:58 UTC
Tags:
macros macros-on-open loader trojan rat asyncrat

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
File type:
application/vnd.ms-excel.sheet.macroEnabled.12
Has a screenshot:
False
Contains macros:
True
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a process with a hidden window
Launching a process
DNS request
Sending an HTTP GET request
Creating a file in the %AppData% directory
Creating a process from a recently created file
Creating a file
Moving a recently created file
Creating a file in the Windows subdirectories
Creating a file in the %temp% subdirectories
Launching a service
Deleting a recently created file
Running batch commands
Adding an access-denied ACE
Creating a file in the Windows directory
Modifying an executable file
Launching the default Windows debugger (dwwin.exe)
Connection attempt
Creating a file in the Program Files subdirectories
Setting a single autorun event
Blocking the Windows Defender launch
Unauthorized injection to a recently created process by context flags manipulation
Enabling autorun with the shell\open\command registry branches
Running batch commands by exploiting the app vulnerability
Adding exclusions to Windows Defender
Infecting executable files
Result
Verdict:
Suspicious
File Type:
Excel File with Macro
Result
Verdict:
MALICIOUS
Details
Macro with Startup Hook
Detected macro logic that will automatically execute on document open. Most malware contains some execution hook.
Macro Execution Coercion
Detected a document that appears to social engineer the user into activating embedded logic.
Macro Contains Suspicious String
Detected a macro with a suspicious string. Suspicious strings include privileged function calls, obfuscations, odd registry keys, etc...
Document With No Content
Document contains little or no semantic information.
Result
Threat name:
AgentTesla AsyncRAT Neshta
Detection:
malicious
Classification:
spre.troj.expl.evad
Score:
100 / 100
Signature
Adds a directory exclusion to Windows Defender
Antivirus detection for dropped file
Antivirus detection for URL or domain
Binary contains a suspicious time stamp
Connects to many ports of the same IP (likely port scanning)
Contains functionality to hide a thread from the debugger
Creates an autostart registry key pointing to binary in C:\Windows
Creates an undocumented autostart registry key
Document contains an embedded VBA macro which may execute processes
Document contains an embedded VBA with many string operations indicating source code obfuscation
Document exploit detected (creates forbidden files)
Document exploit detected (drops PE files)
Document exploit detected (process start blacklist hit)
Drops executable to a common third party application directory
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files with a suspicious file extension
Drops PE files with benign system names
Encrypted powershell cmdline option found
Found malware configuration
Hides threads from debuggers
Infects executable files (exe, dll, sys, html)
Injects a PE file into a foreign processes
Injects files into Windows application
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Office process drops PE file
Powershell drops PE file
Sample is not signed and drops a device driver
Sigma detected: Microsoft Office Product Spawning Windows Shell
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to delay execution (extensive OutputDebugStringW loop)
Uses dynamic DNS services
Yara detected AgentTesla
Yara detected AsyncRAT
Yara detected Neshta
Yara detected Powershell download and execute
Behaviour
Behavior Graph:
Behavior Graph ID: 373087; Sample: PO-21322.xlsm; Start date: 22/03/2021; Architecture: WINDOWS; Score: 100

Sample-level signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Found malware configuration; Antivirus detection for URL or domain; 17 other signatures

Process tree, with dropped files, network contacts and signatures per process as read from the graph:

EXCEL.EXE
  dropped: C:\Users\user\Desktop\~$PO-21322.xlsm (data)
  started: cmd.exe
    signature: Encrypted powershell cmdline option found
    started: powershell.exe
      network: transfer.sh 144.76.136.153, ports 49165, 80 (HETZNER-ASDE, Germany)
      dropped: C:\Users\user\AppData\Roaming\excel.exe (PE32)
      signature: Powershell drops PE file
      started: excel.exe
        network: liverpoolsupporters9.com 104.21.88.100, ports 49166, 49167, 80 (CLOUDFLARENETUS, United States)
        dropped: C:\Windows\Resources\Themes\...\svchost.exe (PE32); C:\Users\user\AppData\...\AdvancedRun.exe (PE32); C:\Users\user\AppData\Local\Temp\...\test.bat (ASCII)
        signatures: Document exploit detected (creates forbidden files); Document exploit detected (drops PE files); Creates an autostart registry key pointing to binary in C:\Windows; 8 other signatures
        started: excel.exe; AdvancedRun.exe; cmd.exe; 5 other processes
          excel.exe
            dropped: C:\Users\user\AppData\Local\Temp\Fejanp.exe (PE32); C:\Users\user\AppData\Local\Temp\Bfllp.exe (PE32)
            signatures: Document exploit detected (creates forbidden files); Injects files into Windows application
            started: Fejanp.exe; Bfllp.exe
              Fejanp.exe
                dropped: C:\Windows\svchost.com (PE32); C:\Users\user\AppData\Local\...\Fejanp.exe (PE32); C:\...\plugin-container.exe (PE32); 38 other malicious files
                signatures: Creates an undocumented autostart registry key; Drops PE files with a suspicious file extension; Drops executable to a common third party application directory; Infects executable files (exe, dll, sys, html)
                started: Fejanp.exe
                  network: dongreg202020.duckdns.org 178.33.222.241, ports 49168, 49172, 49703 (OVHFR, France); chongmei33.publicvm.com 46.243.221.36, ports 2703, 49174 (VOXILITYGB, Netherlands); 3 other IPs or domains
          AdvancedRun.exe
            started: AdvancedRun.exe
          cmd.exe
            started: timeout.exe

svchost.exe (first instance)
  dropped: C:\Users\user\AppData\...\AdvancedRun.exe (PE32)
  signatures: Drops executables to the windows directory (C:\Windows) and starts them; Adds a directory exclusion to Windows Defender; Hides threads from debuggers
  started: svchost.com (three instances)
    svchost.com
      dropped: C:\ProgramData\...\vcredist_x86.exe (PE32); C:\ProgramData\...\VC_redist.x86.exe (PE32); C:\ProgramData\...\VC_redist.x64.exe (PE32); 37 other malicious files
      signatures: Adds a directory exclusion to Windows Defender; Sample is not signed and drops a device driver; Drops executable to a common third party application directory; Infects executable files (exe, dll, sys, html)
      started: powershell.exe
    svchost.com
      dropped: C:\Windows\directx.sys (ASCII)
      started: powershell.exe
    svchost.com
      started: powershell.exe

svchost.exe (second instance)
  network: liverpoolsupporters9.com
  dropped: C:\Users\user\AppData\...\AdvancedRun.exe (PE32)
  signatures: System process connects to network (likely due to code injection or exploit); Tries to delay execution (extensive OutputDebugStringW loop)

svchost.exe (third instance)
  started: WerFault.exe
Threat name:
Script-Macro.Downloader.NetWired
Status:
Malicious
First seen:
2021-03-22 17:22:06 UTC
AV detection:
17 of 47 (36.17%)
Threat level:
  3/5
Result
Malware family:
asyncrat
Score:
  10/10
Tags:
family:agenttesla family:asyncrat evasion keylogger persistence rat spyware stealer trojan
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Enumerates system info in registry
Modifies Internet Explorer settings
Modifies registry class
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Office loads VBA resources, possible macro or embedded object present
Enumerates physical storage devices
Program crash
Drops file in Program Files directory
Drops file in Windows directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Adds Run key to start application
Loads dropped DLL
Reads user/profile data of web browsers
Windows security modification
Blocklisted process makes network request
Executes dropped EXE
AgentTesla Payload
Async RAT payload
Nirsoft
AgentTesla
AsyncRat
Modifies Windows Defender Real-time Protection settings
Modifies system executable filetype association
Process spawned unexpected child process
Turns off Windows Defender SpyNet reporting
Windows security bypass
Malware Config
C2 Extraction:
chongmei33.publicvm.com:2703
chongmei33.publicvm.com:49703
chongmei33.publicvm.com:49746
185.165.153.116:2703
185.165.153.116:49703
185.165.153.116:49746
54.37.36.116:2703
54.37.36.116:49703
54.37.36.116:49746
185.244.30.92:2703
185.244.30.92:49703
185.244.30.92:49746
dongreg202020.duckdns.org:2703
dongreg202020.duckdns.org:49703
dongreg202020.duckdns.org:49746
178.33.222.241:2703
178.33.222.241:49703
178.33.222.241:49746
rahim321.duckdns.org:2703
rahim321.duckdns.org:49703
rahim321.duckdns.org:49746
79.134.225.92:2703
79.134.225.92:49703
79.134.225.92:49746
37.120.208.36:2703
37.120.208.36:49703
37.120.208.36:49746
178.33.222.243:2703
178.33.222.243:49703
178.33.222.243:49746
87.98.245.48:2703
87.98.245.48:49703
87.98.245.48:49746
Dropper Extraction:
http://transfer.sh/get/NTxd/notepad.exe
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Email_stealer_bin_mem
Author:James_inthe_box
Description:Email in files like avemaria
Rule name:IPPort_combo_mem
Author:James_inthe_box
Description:IP and port combo
Rule name:Select_from_enumeration
Author:James_inthe_box
Description:IP and port combo
Rule name:SharedStrings
Author:Katie Kleemola
Description:Internal names found in LURK0/CCTV0 samples
Rule name:UAC_bypass_bin_mem
Author:James_inthe_box
Description:UAC bypass in files like avemaria

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments