General
Target: New order.xls
Size: 80KB
Sample: 201213-sl6ze1zd2x
MD5: bfa6b801f26f67cc2231d4191a2486e5
SHA1: d6c3fe24036c6b402eeb80e065a11280aa236625
SHA256: 076c11df218d9fd86a809bb3e3b4a9c2211caad31e630d731d64592bee49eec4
SHA512: b06a89f9606533c9c7c6c0884c76c7e59919e1b66425e7e7f97d11bb2faafea80ed379c056c440269f3c6b132c297ea90172f54f893600747609d67a1202367b
Static task: static1
Behavioral task: behavioral1
Sample: New order.xls
Resource: win7v20201028
Malware Config
Extracted URL: https://tinyurl.com/y6fpv3lj
Extracted family: asyncrat
Version: 0.5.7B
C2: 66.63.162.20:6606
aes_key: RrDsbyhuW4EmI2uyYOZXhcgJIPtjUanF
anti_detection: false
autorun: false
bdos: false
delay: Default
host: 66.63.162.20
hwid: 3
install_file:
install_folder: %AppData%
mutex: AsyncMutex_6SI8OkPnk
pastebin_config: null
port: 6606
version: 0.5.7B
Targets
Target: New order.xls
Size: 80KB
Signatures
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Async RAT payload
- Looks for VirtualBox Guest Additions in registry
- Blocklisted process makes network request
- Executes dropped EXE
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Deletes itself
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
- Suspicious use of SetThreadContext
MITRE ATT&CK Matrix
- Collection
- Command and Control
- Credential Access
- Defense Evasion
- Execution
- Exfiltration
- Impact
- Initial Access
- Lateral Movement
- Persistence
- Privilege Escalation