Field | Value
---|---
File name | moda 53277.docx
Full analysis | https://app.any.run/tasks/0cf8ae18-6de1-48da-9573-53157a856729
Verdict | Malicious activity
Threats | AsyncRAT is a remote access trojan (RAT) that can monitor and remotely control infected systems. It was published on GitHub as legitimate open-source remote administration software, but attackers use it for its many malicious capabilities.
Analysis date | June 27, 2022, 10:23:42
OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags | 
Indicators | 
MIME | application/vnd.openxmlformats-officedocument.wordprocessingml.document
File info | Microsoft Word 2007+
MD5 | 8E773257D2BDBA4F419381847D4C2D2F
SHA1 | 19ADB078B4842FD999FE54EB875982FDB4FD43E9
SHA256 | 583E4B292BD2A2EE7CFA93E375DD303248FFDB2C2D1F801F87B31283ACA48D54
SSDEEP | 96:kHcIMm57P678dmGJa6T/n/jNTjM8UGZ1Z4W2qO+ItaT9HkLqBpN6iAEkWmIzGi3x:ScIMmtPypG/bRXUq1O8mamWBXPfxZ31F
Extension | Identified format
---|---
.docx | Word Microsoft Office Open XML Format document (52.2)
.zip | Open Packaging Conventions container (38.8)
.zip | ZIP compressed archive (8.8)
Property | Value
---|---
Creator | HP 15
ModifyDate | 2022:06:16 07:33:00Z
CreateDate | 2018:03:07 09:39:00Z
RevisionNumber | 2
LastModifiedBy | 91974
AppVersion | 12
HyperlinksChanged | No
SharedDoc | No
CharactersWithSpaces | 5
LinksUpToDate | No
Company | Grizli777
ScaleCrop | No
Paragraphs | 1
Lines | 1
DocSecurity | None
Application | Microsoft Office Word
Characters | 5
Words | -
Pages | 1
TotalEditTime | -
Template | Normal.dotm
ZipFileName | [Content_Types].xml
ZipUncompressedSize | 1312
ZipCompressedSize | 358
ZipCRC | 0x3795fcdd
ZipModifyDate | 1980:01:01 00:00:00
ZipCompression | Deflated
ZipBitFlag | 0x0006
ZipRequiredVersion | 20
PID | CMD | Path | Indicators | Parent process | Details
---|---|---|---|---|---
2956 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\moda 53277.docx" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | | Explorer.EXE | User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000
948 | "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding | C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | | svchost.exe | User: admin Company: Design Science, Inc. Integrity Level: MEDIUM Description: Microsoft Equation Editor Exit code: 0 Version: 00110900
3220 | "C:\Users\Public\vbc.exe" | C:\Users\Public\vbc.exe | | EQNEDT32.EXE | User: admin Company: 5H:?CCI@GE7CCD<84D; Integrity Level: MEDIUM Description: =?B4=C75EBAEB7:D Exit code: 0 Version: 5.7.10.12
536 | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | | vbc.exe | User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: .NET Framework installation utility Version: 4.0.30319.34209 built by: FX452RTMGDR (AsyncRAT configuration extracted from this process; see table below)
3160 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\researchstage.rtf" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | Explorer.EXE | User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Exit code: 0 Version: 14.0.6024.1000

AsyncRAT configuration extracted from PID 536 (InstallUtil.exe):

Key | Value
---|---
Install_Folder | %AppData%
Salt | VenomByVenom
Aes_Key | 49a509e4cda8c0bad6f636694b84afd03828cebb42f150479037411abf985717
Botnet | venom clients
bdos | false
PasteBin | null
AntiVM | false
Server_Signature | B/XjFBRiKlO4ES3xsOmsifR+xvtzAS7oOzNO7X0CXGh4WxgOsiHQRNTmLB67KGxp+eEUSv/jyNDDPegkeQcVW7ByXBfyfmTJKEXH/BIHmBgTQlCLi6n33wAQMamYTxELJEXg5bwkGmbC3g5hPoBAGcAa14++/Z8NBA9Fh119Pek=
Certificate | MIICMzCCAZygAwIBAgIVALgbuadTIXCBGx92qk2Pt658vf8pMA0GCSqGSIb3DQEBDQUAMGcxGDAWBgNVBAMMD1Zlbm9tUkFUIFNlcnZlcjETMBEGA1UECwwKcXdxZGFuY2h1bjEcMBoGA1UECgwTRGNSYXQgQnkgcXdxZGFuY2h1bjELMAkGA1UEBwwCU0gxCzAJBgNVBAYTAkNOMB4XDTIxMDExMjE3MzIzNloXDTMxMTAyMjE3MzIzNlowEDEOMAwGA1UEAwwFRGNSYXQwgZ8wDQYJKoZIhvcNAQEBBQAD...
Mutex | Venom_RAT_HVNC_Mutex_Venom RAT_HVNC
Autorun | false
Version | 5.0.5
Ports (1) | 7070
C2 (1) | 80.66.64.151
PID | Process | Filename | Type | MD5 | SHA256
---|---|---|---|---|---
2956 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR90D8.tmp.cvr | — | — | —
3160 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR6BB7.tmp.cvr | — | — | —
2956 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\{ACB1F9BB-36ED-4A48-A0D4-878C7AA659A3} | binary | 6322C0FC1149627354C2FDAD40A5A9AE | 96A0D8D246196CC709D0D4E2732E5DDFE0167E710CABD3310277ED3A02E32C11
2956 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{F306A61B-45B7-4E8F-BB80-282A298EF799}.FSD | binary | F786060B4030D1427E5B07A9884456F4 | 010412BC0D29B069D445BFBFF8AFEA6607A6A248AB4EB73F8DE2BE58D1416AAA
2956 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\4D9204EA.doc | binary | DFD6D5E99FE88BE01BDED91AA33AC9F4 | 140B490209632E90A312F15F40F90C06F4C8D449F1F0B3DD98FC2B922AEE2CBA
2956 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\{7A186311-7347-482F-BE38-826074A0D1FF} | binary | 2D9DBC19FBD6258FB35FAAEF9D7B8A10 | 7AFC6E5293A43F2D1C4DC6C25912310C447F73B98DC99097C4E1BA103E3CE5A0
2956 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSF-CTBL.FSF | binary | D471A0BB5F0B8A9AC834E0172491B7F9 | 418B6AE0A39787583DCD77DA0ED040F8C3DDA03410E71D04C235EE6E736F298F
2956 | WINWORD.EXE | C:\Users\admin\Desktop\~$da 53277.docx | pgc | FDC95428A09709BD564E46C7B76F44C1 | D272944DAEA28C5C61C4049A4902AEAECE8B84E61DB86FD8CE409A7D5C8BEB92
2956 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\moda 53277.docx.LNK | lnk | DAB47250C3B625B5ACC6A9B0FCACE3D8 | B06E39F8AE1A79EFE590F5175F729A510318242FEBFBD2BEA4A7515AA13F4F66
2956 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-CNRY.FSD | binary | 6322C0FC1149627354C2FDAD40A5A9AE | 96A0D8D246196CC709D0D4E2732E5DDFE0167E710CABD3310277ED3A02E32C11
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2956 | WINWORD.EXE | OPTIONS | 200 | 185.29.10.20:80 | http://185.29.10.20/office/ | SE | — | — | malicious |
2956 | WINWORD.EXE | HEAD | 200 | 185.29.10.20:80 | http://185.29.10.20/office/documnet.doc | SE | — | — | malicious |
824 | svchost.exe | OPTIONS | 200 | 185.29.10.20:80 | http://185.29.10.20/office/ | SE | html | 338 b | malicious |
824 | svchost.exe | OPTIONS | 301 | 185.29.10.20:80 | http://185.29.10.20/office | SE | html | 338 b | malicious |
824 | svchost.exe | PROPFIND | 405 | 185.29.10.20:80 | http://185.29.10.20/office/ | SE | html | 328 b | malicious |
824 | svchost.exe | PROPFIND | 302 | 185.29.10.20:80 | http://185.29.10.20/ | SE | — | — | malicious |
824 | svchost.exe | PROPFIND | 301 | 185.29.10.20:80 | http://185.29.10.20/office | SE | html | 338 b | malicious |
824 | svchost.exe | PROPFIND | 301 | 185.29.10.20:80 | http://185.29.10.20/office | SE | html | 338 b | malicious |
824 | svchost.exe | PROPFIND | 405 | 185.29.10.20:80 | http://185.29.10.20/dashboard/ | SE | html | 328 b | malicious |
948 | EQNEDT32.EXE | GET | 200 | 185.29.10.20:80 | http://185.29.10.20/210/vbc.exe | SE | executable | 555 Kb | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
824 | svchost.exe | 185.29.10.20:80 | — | DataClub S.A. | SE | malicious |
3220 | vbc.exe | 142.250.184.196:443 | www.google.com | Google Inc. | US | whitelisted |
2956 | WINWORD.EXE | 185.29.10.20:80 | — | DataClub S.A. | SE | malicious |
948 | EQNEDT32.EXE | 185.29.10.20:80 | — | DataClub S.A. | SE | malicious |
536 | InstallUtil.exe | 80.66.64.151:7070 | — | AB-Telecom Ltd. | RU | malicious |
— | — | 93.184.221.240:80 | ctldl.windowsupdate.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted |
Domain | IP | Reputation
---|---|---
dns.msftncsi.com | | shared
www.google.com | | whitelisted
ctldl.windowsupdate.com | | whitelisted
PID | Process | Class | Message |
---|---|---|---|
2956 | WINWORD.EXE | Potentially Bad Traffic | ET INFO Dotted Quad Host DOC Request |
2956 | WINWORD.EXE | Potentially Bad Traffic | ET INFO Dotted Quad Host DOC Request |
2956 | WINWORD.EXE | Potentially Bad Traffic | ET INFO Suspicious Request for Doc to IP Address with Terse Headers |
2956 | WINWORD.EXE | A Network Trojan was detected | ET CURRENT_EVENTS CVE-2017-0199 Common Obfus Stage 2 DL |
2956 | WINWORD.EXE | Potentially Bad Traffic | ET INFO Possible RTF File With Obfuscated Version Header |
2956 | WINWORD.EXE | Potentially Bad Traffic | ET INFO Dotted Quad Host DOC Request |
948 | EQNEDT32.EXE | A Network Trojan was detected | ET INFO Executable Download from dotted-quad Host |
948 | EQNEDT32.EXE | A Network Trojan was detected | ET TROJAN MSIL/GenKryptik.FQRH Download Request |
948 | EQNEDT32.EXE | Potentially Bad Traffic | ET CURRENT_EVENTS Terse alphanumeric executable downloader high likelihood of being hostile |
948 | EQNEDT32.EXE | A Network Trojan was detected | ET CURRENT_EVENTS Likely Evil EXE download from dotted Quad by MSXMLHTTP M1 |