MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2f5639932c7a25cf51737748cdc495367a9203e0a963f930f0009935109da190. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



AsyncRAT


Vendor detections: 10



SHA256 hash: 2f5639932c7a25cf51737748cdc495367a9203e0a963f930f0009935109da190
SHA3-384 hash: b4619cafdfbf6982ee4b61d0882d2afbef866a028910a063c08999830cc414fa03071c533a118676abdc5acaa4f621bb
SHA1 hash: 0470d616e8918ef03098741bf7fb0b313bb8aaea
MD5 hash: 9c3d3679ea84ff9bf67bf8c7aa2afc48
humanhash: kansas-quiet-arizona-timing
File name: astro-grep-setup.exe.doc
Signature: AsyncRAT
File size: 1'446'736 bytes
First seen: 2021-07-17 19:38:25 UTC
Last seen: Never
File type: Word file doc
MIME type: application/octet-stream
ssdeep: 24576:gbi5q1lXj0di8tpgg/d3EVxW5Y62ddfMqKFIqlzFOQ1Yq8X2LcDLN:gbi5q1lXPupgU8Wy62dJVhqUYYq8X2s
TLSH: T1B2653390ED26FBB2EA4382F143CEB3DCC5A47DB6A3A21C0B303A06451558CB877D95B5
Reporter: @BushidoToken
Tags: Astro Grep AsyncRAT doc

Intelligence


File Origin
# of uploads: 1
# of downloads: 134
Origin country: GB
Mail intelligence
No data
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
astro-grep-setup.exe.doc
Verdict:
Malicious activity
Analysis date:
2021-07-16 21:13:56 UTC
Tags:
macros macros-on-open

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
File type:
application/msword
Has a screenshot:
False
Contains macros:
True
Result
Verdict:
MALICIOUS
Details
Macro with Startup Hook
Detected macro logic that will automatically execute on document open. Most malware contains some execution hook.
Macro Execution Coercion
Detected a document that appears to social engineer the user into activating embedded logic.
Macro Contains Suspicious String
Detected a macro with a suspicious string. Suspicious strings include privileged function calls, obfuscations, odd registry keys, etc...
Suspicious Document Variables
Detected a macro that references a suspicious number of tersely named variables.
InQuest Machine Learning
An InQuest machine-learning model classified this macro as potentially malicious.
Result
Threat name:
AsyncRAT
Detection:
malicious
Classification:
troj.expl.evad
Score:
100 / 100
Signature
.NET source code contains potential unpacker
Antivirus detection for dropped file
Connects to a pastebin service (likely for C&C)
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Document contains an embedded VBA macro which may execute processes
Document contains an embedded VBA macro with suspicious strings
Document contains an embedded VBA with base64 encoded strings
Document contains an embedded VBA with hexadecimal encoded strings
Document exploit detected (creates forbidden files)
Document exploit detected (drops PE files)
Document exploit detected (process start blacklist hit)
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Office process drops PE file
Sigma detected: Regsvr32 Anomaly
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AsyncRAT
Behaviour
Behavior Graph ID: 450275
Sample: astro-grep-setup.exe.doc
Startdate: 17/07/2021
Architecture: WINDOWS
Score: 100

Top-level signatures:
- Multi AV Scanner detection for submitted file
- Document exploit detected (drops PE files)
- Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
- 12 other signatures

Process tree (from the behavior graph):
- WINWORD.EXE
  - Dropped: C:\ProgramData\Memsys\ms.exe (PE32)
  - Signature: Document exploit detected (creates forbidden files)
  - Started: ms.exe
    - Dropped: C:\Users\user\AppData\...\ASTRO-GREP.EXE (PE32)
    - Dropped: C:\Users\user\...\ASTROGREP_SETUP_V4.4.7.EXE (PE32)
    - Signatures: Antivirus detection for dropped file; Machine Learning detection for dropped file
    - Started: ASTRO-GREP.EXE
      - Dropped: C:\Users\user\AppData\...\astro-grep.exe (PE32)
      - Signatures: Antivirus detection for dropped file; Machine Learning detection for dropped file; Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
      - Started: cmd.exe
        - Signature: Uses schtasks.exe or at.exe to add and modify task schedules
        - Started: schtasks.exe
      - Started: cmd.exe
        - Started: astro-grep.exe
        - Started: timeout.exe
    - Started: ASTROGREP_SETUP_V4.4.7.EXE
      - Dropped: C:\Users\user\AppData\Local\...\nsDialogs.dll (PE32)
      - Dropped: C:\Users\user\AppData\Local\...\System.dll (PE32)
      - Dropped: C:\Users\user\AppData\Local\...\StartMenu.dll (PE32)
      - Dropped: 8 other files (none is malicious)
- taskeng.exe
  - Started: astro-grep.exe
    - Network: 185.195.232.251, ports 49166, 49167, 49168 (ESAB-ASSE, Sweden)
    - Network: pastebin.com 104.23.98.190, port 443 from 49165 (CLOUDFLARENETUS, United States)
Threat name:
Document-Word.Downloader.Bartallex
Status:
Malicious
First seen:
2021-07-17 19:39:04 UTC
AV detection:
30 of 46 (65.22%)
Threat level:
3/5
Result
Malware family:
asyncrat
Score:
10/10
Tags:
family:asyncrat rat
Behaviour
Checks processor information in registry
Creates scheduled task(s)
Delays execution with timeout.exe
Enumerates system info in registry
Modifies Internet Explorer settings
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
NSIS installer
Office loads VBA resources, possible macro or embedded object present
Enumerates physical storage devices
Drops file in Windows directory
Legitimate hosting services abused for malware hosting/C2
Loads dropped DLL
Executes dropped EXE
Async RAT payload
AsyncRat
Malware Config
C2 Extraction:
null:null

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as Malpedia. These are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:WHITE rules are displayed.

Rule name: INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Author: ditekSHen
Description: Detect executables with a stomped PE compilation timestamp that is greater than the local current time

File information


The table below shows additional information about this malware sample such as delivery method and external references.

AsyncRAT

Word file doc 2f5639932c7a25cf51737748cdc495367a9203e0a963f930f0009935109da190

(this sample)

Comments