Overview

overview

10

Static

static

8

ORDER COPY-326.xlsm

windows7_x64

10

ORDER COPY-326.xlsm

windows10_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    ORDER COPY-326.xlsm

  • Size

    154KB

  • Sample

    210326-mq5hgd4aej

  • MD5

    9a30f275af39b20ce59988b3c1724a68

  • SHA1

    d35c17ba0c5f09cb212e0a50d117b91d278ec6b3

  • SHA256

    7fe87c98f71cb7cfad4b7713284b7cfe1a0a5e059d5eb5e2c1b322426a6e52ff

  • SHA512

    7898565b62505be720c625899fd3b9f1fb9338a8653066f2c9bf660a1f59fa16529ce4c8e6c1ee597fc3855992ca1e522dce536790c8268ca75684f79636031d

Score
10/10
asyncratmacrorat

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

https://cutt.ly/fxD7Hr0

Extracted

Family

asyncrat

Version

0.5.7B

C2

chongmei33.publicvm.com:2703

chongmei33.publicvm.com:49703

chongmei33.publicvm.com:49746

185.165.153.116:2703

185.165.153.116:49703

185.165.153.116:49746

54.37.36.116:2703

54.37.36.116:49703

54.37.36.116:49746

185.244.30.92:2703

185.244.30.92:49703

185.244.30.92:49746

dongreg202020.duckdns.org:2703

dongreg202020.duckdns.org:49703

dongreg202020.duckdns.org:49746

178.33.222.241:2703

178.33.222.241:49703

178.33.222.241:49746

rahim321.duckdns.org:2703

rahim321.duckdns.org:49703
Mutex

AsyncMutex_6SI8OkPnk

Attributes
  • aes_key

    hGScKRB0VrlS4WpFo0N7AmnZQApV4qsi

  • anti_detection

    false

  • autorun

    false

  • bdos

    false

  • delay

    FEB

  • host

    chongmei33.publicvm.com,185.165.153.116,54.37.36.116,185.244.30.92,dongreg202020.duckdns.org,178.33.222.241,rahim321.duckdns.org,79.134.225.92,37.120.208.36,178.33.222.243,87.98.245.48

  • hwid

    3

  • install_file

  • install_folder

    %AppData%

  • mutex

    AsyncMutex_6SI8OkPnk

  • pastebin_config

    null

  • port

    2703,49703,49746

  • version

    0.5.7B

aes.plain

Targets

    • Target

      ORDER COPY-326.xlsm

    • Size

      154KB

    • MD5

      9a30f275af39b20ce59988b3c1724a68

    • SHA1

      d35c17ba0c5f09cb212e0a50d117b91d278ec6b3

    • SHA256

      7fe87c98f71cb7cfad4b7713284b7cfe1a0a5e059d5eb5e2c1b322426a6e52ff

    • SHA512

      7898565b62505be720c625899fd3b9f1fb9338a8653066f2c9bf660a1f59fa16529ce4c8e6c1ee597fc3855992ca1e522dce536790c8268ca75684f79636031d

    Score
    10/10
    asyncratrat

    • AsyncRat

      AsyncRAT is designed to remotely monitor and control other computers.

      ratasyncrat

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Async RAT payload

      rat

    • Blocklisted process makes network request

    • Executes dropped EXE

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1
T1053

Persistence

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

System Information Discovery

3
T1082

Query Registry

2
T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks