MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2b864415c012e591045cefe7325506675a3f675f6683faaa1434077224d360c3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Signature: AsyncRAT
Vendor detections: 9
Maldoc score: 5

SHA256 hash: 2b864415c012e591045cefe7325506675a3f675f6683faaa1434077224d360c3
SHA3-384 hash: 6a724dd553d32b0272a05918ebb76dbe72f2153dbf455e3be997cfe8d29d59e26b26719ad8e380588e5045b177c47589
SHA1 hash: d540b5db66086da32ae87b5f9fbd337c9a0578b1
MD5 hash: fc408946a727aaf95be52485fa4df1ee
humanhash: harry-green-uranus-alabama
File name: payment.xls
Signature: AsyncRAT
File size: 178'176 bytes
First seen: 2021-10-27 10:06:45 UTC
Last seen: Never
File type: Excel file xls
MIME type: application/vnd.ms-excel
ssdeep: 3072:AmVZ+RwPONXoRjDhIcp0fDlaGGx+cL26nAz8uSrvYWHdkK2Ig1GHvW5Y/iTIk8jU:PZ+RwPONXoRjDhIcp0fDlavx+W26nAzT
TLSH: T1C304D063B2D9DD06EC1807719CE281C92726FD545FC7978B3209BB1E6FB67C0885321A
Reporter: abuse_ch
Tags: AsyncRAT xls

Office OLE Information


This malware sample appears to be an Office document. The following tables provide more information about the document, obtained with oletools and oledump.

OLE id
Maldoc score: 5
OLE dump

MalwareBazaar was able to identify 15 sections in this file using oledump:

Section ID  Section size  Section name
1           114 bytes     CompObj
2           244 bytes     DocumentSummaryInformation
3           220 bytes     SummaryInformation
4           161393 bytes  Workbook
5           459 bytes     _VBA_PROJECT_CUR/PROJECT
6           86 bytes      _VBA_PROJECT_CUR/PROJECTwm
7           1903 bytes    _VBA_PROJECT_CUR/VBA/Module1
8           985 bytes     _VBA_PROJECT_CUR/VBA/Sheet1
9           993 bytes     _VBA_PROJECT_CUR/VBA/ThisWorkbook
10          2606 bytes    _VBA_PROJECT_CUR/VBA/_VBA_PROJECT
11          1345 bytes    _VBA_PROJECT_CUR/VBA/__SRP_0
12          108 bytes     _VBA_PROJECT_CUR/VBA/__SRP_1
13          188 bytes     _VBA_PROJECT_CUR/VBA/__SRP_2
14          158 bytes     _VBA_PROJECT_CUR/VBA/__SRP_3
15          568 bytes     _VBA_PROJECT_CUR/VBA/dir
OLE vba

MalwareBazaar was able to extract and deobfuscate VBA script(s) from the OLE objects embedded in this file using olevba, yielding the following information:

Type        Keyword      Description
AutoExec    Auto_Open    Runs when the Excel Workbook is opened
IOC         scrobj.dll   Executable file name
Suspicious  Lib          May run code from a DLL
Suspicious  Hex Strings  Hex-encoded strings were detected, may be used to obfuscate strings (option --decode to see all)

Intelligence


File Origin

# of uploads: 1
# of downloads: 128
Origin country: n/a
Vendor Threat Intelligence

Verdict: Malicious
File type: application/vnd.ms-excel
Has a screenshot: False
Contains macros: True
Result

Verdict: Malicious
File Type: Legacy Excel File with Macro
Payload URLs

URL                                     File name
https://relaxedview.com/file/Excel.sct  Module1
Document image
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: CVE-2017-8570 exploit macros macros-on-open valyria
Result

Verdict: MALICIOUS

Details

Macro with Startup Hook: Detected macro logic that will automatically execute on document open. Most malware contains some execution hook.

Macro with DLL Reference: Detected macro logic that will load additional functionality from Dynamically Linked Libraries (DLLs). While not explicitly malicious, this is a common tactic for accessing APIs that are not otherwise exposed via Visual Basic for Applications (VBA).
Result

Threat name: AsyncRAT
Detection: malicious
Classification: troj.expl.evad
Score: 100 / 100
Signature
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Creates autostart registry keys with suspicious names
Document exploit detected (creates forbidden files)
Document exploit detected (drops PE files)
Document exploit detected (process start blacklist hit)
Drops PE files with a suspicious file extension
Drops PE files with benign system names
Found potential malicious scriptlet (likely CVE-2017-8570)
Machine Learning detection for dropped file
Microsoft Office creates scripting files
Multi AV Scanner detection for submitted file
Office process drops PE file
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Script Execution From Temp Folder
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected AsyncRAT
Yara detected UAC Bypass using CMSTP
Behaviour

Behavior Graph (ID 510034; sample: payment.xls; start date: 27/10/2021; architecture: WINDOWS; score: 100), reconstructed from the graph's text export. Sample-level signatures: Antivirus detection for URL or domain; Antivirus detection for dropped file; Antivirus / Scanner detection for submitted sample; 15 other signatures.

Process tree (indentation shows parent/child; network contacts are given as IP, destination port and source ports; dropped files and signatures are listed under the process they belong to):

EXCEL.EXE
  network: relaxedview.com 89.45.67.2, 443, 49167, 49168 (BELCLOUDBG, Netherlands)
  dropped: C:\Users\user\AppData\Local\Temp\client (PE32); C:\Users\user\AppData\Local\...\Client[1].scr (PE32); C:\Users\user\AppData\Local\...xcel[1].sct (XML)
  signatures: Document exploit detected (creates forbidden files); Microsoft Office creates scripting files
  client
    network: cdn.discordapp.com 162.159.133.233, 443, 49169, 49170 (CLOUDFLARENETUS, United States)
    dropped: C:\Users\user\AppData\Roaming\sddsdsdsd.exe (PE32); C:\Program Files\Common Files\...\svchost.exe (PE32); C:\Users\user\AppData\...\AdvancedRun.exe (PE32)
    signatures: Antivirus detection for dropped file; Machine Learning detection for dropped file; Creates autostart registry keys with suspicious names; Drops PE files with benign system names
    cmd.exe
      sddsdsdsd.exe
        network: cdn.discordapp.com
        dropped: C:\Users\user\AppData\...\AdvancedRun.exe (PE32)
        signatures: Adds a directory exclusion to Windows Defender
        AdvancedRun.exe
          AdvancedRun.exe
        powershell.exe
        powershell.exe
        2 other processes
      timeout.exe
    cmd.exe
      signatures: Uses schtasks.exe or at.exe to add and modify task schedules
      schtasks.exe
    AdvancedRun.exe
      AdvancedRun.exe
    4 other processes
taskeng.exe
  sddsdsdsd.exe
    dropped: C:\Users\user\AppData\...\AdvancedRun.exe (PE32)
    signatures: Adds a directory exclusion to Windows Defender
    AdvancedRun.exe
      AdvancedRun.exe
    3 other processes
svchost.exe
  network: 96.9.210.115, 4449, 49179, 49181 (NEWMEDIAEXPRESS-AS-APNewMediaExpressPteLtdSG, United States); 162.159.135.233, 443, 49171, 49172 (CLOUDFLARENETUS, United States); cdn.discordapp.com
  dropped: C:\Users\user\AppData\...\AdvancedRun.exe (PE32)
  signatures: System process connects to network (likely due to code injection or exploit); Adds a directory exclusion to Windows Defender
  AdvancedRun.exe
    AdvancedRun.exe
  cmd.exe
    schtasks.exe
  powershell.exe
  3 other processes
svchost.exe
  network: 162.159.130.233, 443, 49177, 49178 (CLOUDFLARENETUS, United States); cdn.discordapp.com
  dropped: C:\Users\user\AppData\...\AdvancedRun.exe (PE32)
  AdvancedRun.exe
    AdvancedRun.exe
  powershell.exe
  3 other processes
Threat name: Script-Macro.Exploit.CVE-2017-8570
Status: Malicious
First seen: 2021-10-26 22:02:02 UTC
AV detection: 9 of 44 (20.45%)
Threat level: 5/5

Result

Malware family: n/a
Score: 10/10
Tags: evasion macro macro_on_action trojan
Behaviour
Checks processor information in registry
Creates scheduled task(s)
Delays execution with timeout.exe
Enumerates system info in registry
Modifies Internet Explorer settings
Modifies registry class
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Office loads VBA resources, possible macro or embedded object present
Enumerates physical storage devices
Drops file in Program Files directory
Windows security modification
Downloads MZ/PE file
Executes dropped EXE
Nirsoft
Turns off Windows Defender SpyNet reporting
Windows security bypass
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments