Overview

overview

10

Static

static

8

Quote Requ...20.xls

windows7_x64

10

Quote Requ...20.xls

windows10_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Quote Request October-2020.xls

  • Size

    66KB

  • Sample

    201028-b8m4ysyj82

  • MD5

    57d2e6d7a94b56acfc61035d2577a86a

  • SHA1

    69248b27552383513f0b4d5839a63386849217dd

  • SHA256

    166989f61fb157324d0c29d69d5aae0aa2a7813c9f4a0c1ab6506730dd66b434

  • SHA512

    04b171a580f5d46d82ceb5d6a73009bc8e3a289e75e592e1b0d5b83052a1f37221e3c197bf170da07fbebf7088fa7dfb044103890f127d0af45d2aba01800e2e

Score
10/10
asyncratevasionmacrorat

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

https://tinyurl.com/yxmkb9y9

Extracted

Family

asyncrat

Version

0.5.7B

C2

185.165.153.249:4371

Attributes
  • aes_key

    ytMOQ9vVR8d56lQb8encn2IGn2i9oQc7

  • anti_detection

    false

  • autorun

    false

  • bdos

    false

  • delay

    Default

  • host

    185.165.153.249

  • hwid

    3

  • install_file

  • install_folder

    %AppData%

  • mutex

    AsyncMutex_6SI8OkPnk

  • pastebin_config

    null

  • port

    4371

  • version

    0.5.7B

aes.plain

Targets

    • Target

      Quote Request October-2020.xls

    • Size

      66KB

    • MD5

      57d2e6d7a94b56acfc61035d2577a86a

    • SHA1

      69248b27552383513f0b4d5839a63386849217dd

    • SHA256

      166989f61fb157324d0c29d69d5aae0aa2a7813c9f4a0c1ab6506730dd66b434

    • SHA512

      04b171a580f5d46d82ceb5d6a73009bc8e3a289e75e592e1b0d5b83052a1f37221e3c197bf170da07fbebf7088fa7dfb044103890f127d0af45d2aba01800e2e

    Score
    10/10
    asyncratevasionrat

    • AsyncRat

      AsyncRAT is designed to remotely monitor and control other computers.

      ratasyncrat

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Looks for VirtualBox Guest Additions in registry

      evasion

    • ServiceHost packer

      Detects ServiceHost packer used for .NET malware

    • Blacklisted process makes network request

    • Executes dropped EXE

    • Looks for VMWare Tools registry key

      evasion

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Loads dropped DLL

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix

Collection

    Command and Control

      Credential Access

        Defense Evasion

        Discovery

        Execution

          Exfiltration

            Impact

              Initial Access

                Lateral Movement

                  Persistence

                    Privilege Escalation

                      Tasks