URL: http://185.29.10.20/office/documnet.doc

Full analysis: https://app.any.run/tasks/ecee65f3-88e1-47d7-90b3-6955cf94111a
Verdict: Malicious activity
Threats:

AsyncRAT is a RAT that can monitor and remotely control infected systems. It was published on GitHub as legitimate open-source remote administration software, but attackers use it for its many powerful malicious functions.

Analysis date: June 27, 2022, 10:32:36
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
opendir
trojan
exploit
CVE-2017-11882
loader
rat
asyncrat
Indicators:
MD5: 80F86E943820B7E755110235C70D768A
SHA1: A0A3A2096BC78B015B234A3FEC5951BE45167A70
SHA256: CB4920FFD0D41BD9C29E6BF9636EA9745820521736E11479B8D9D01D94AE53A5
SSDEEP: 3:N1KlSpKKDDglIWX:CQDgltX

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Equation Editor starts application (CVE-2017-11882)

      • EQNEDT32.EXE (PID: 2432)
    • Drops executable file immediately after starts

      • EQNEDT32.EXE (PID: 2432)
    • Application was dropped or rewritten from another process

      • vbc.exe (PID: 312)
    • Changes settings of System certificates

      • vbc.exe (PID: 312)
    • ASYNCRAT was detected

      • InstallUtil.exe (PID: 368)
    • ASYNCRAT detected by memory dumps

      • InstallUtil.exe (PID: 368)
  • SUSPICIOUS

    • Reads Microsoft Outlook installation path

      • iexplore.exe (PID: 1220)
    • Executed via COM

      • WINWORD.EXE (PID: 1148)
      • EQNEDT32.EXE (PID: 2432)
    • Application launched itself

      • WINWORD.EXE (PID: 1148)
    • Starts Microsoft Office Application

      • WINWORD.EXE (PID: 1148)
    • Reads the computer name

      • EQNEDT32.EXE (PID: 2432)
      • vbc.exe (PID: 312)
      • InstallUtil.exe (PID: 368)
    • Executable content was dropped or overwritten

      • EQNEDT32.EXE (PID: 2432)
    • Checks supported languages

      • vbc.exe (PID: 312)
      • EQNEDT32.EXE (PID: 2432)
      • InstallUtil.exe (PID: 368)
    • Drops a file with a compile date too recent

      • EQNEDT32.EXE (PID: 2432)
    • Reads Environment values

      • vbc.exe (PID: 312)
      • InstallUtil.exe (PID: 368)
    • Reads default file associations for system extensions

      • WINWORD.EXE (PID: 1148)
    • Adds / modifies Windows certificates

      • vbc.exe (PID: 312)
  • INFO

    • Reads the computer name

      • iexplore.exe (PID: 2040)
      • iexplore.exe (PID: 1220)
      • WINWORD.EXE (PID: 1148)
      • WINWORD.EXE (PID: 1196)
    • Changes internet zones settings

      • iexplore.exe (PID: 2040)
    • Checks supported languages

      • iexplore.exe (PID: 1220)
      • iexplore.exe (PID: 2040)
      • WINWORD.EXE (PID: 1148)
      • WINWORD.EXE (PID: 1196)
    • Application launched itself

      • iexplore.exe (PID: 2040)
    • Reads settings of System Certificates

      • iexplore.exe (PID: 2040)
      • vbc.exe (PID: 312)
      • InstallUtil.exe (PID: 368)
    • Checks Windows Trust Settings

      • iexplore.exe (PID: 2040)
    • Reads internet explorer settings

      • iexplore.exe (PID: 1220)
    • Reads the date of Windows installation

      • iexplore.exe (PID: 2040)
    • Creates files in the user directory

      • WINWORD.EXE (PID: 1148)
    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 1196)
      • WINWORD.EXE (PID: 1148)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

AsyncRat

(PID) Process: (368) InstallUtil.exe
Install_Folder: %AppData%
Salt: VenomByVenom
Aes_Key: 49a509e4cda8c0bad6f636694b84afd03828cebb42f150479037411abf985717
Botnet: venom clients
bdos: false
PasteBin: null
AntiVM: false
Server_Signature: B/XjFBRiKlO4ES3xsOmsifR+xvtzAS7oOzNO7X0CXGh4WxgOsiHQRNTmLB67KGxp+eEUSv/jyNDDPegkeQcVW7ByXBfyfmTJKEXH/BIHmBgTQlCLi6n33wAQMamYTxELJEXg5bwkGmbC3g5hPoBAGcAa14++/Z8NBA9Fh119Pek=
Certificate: MIICMzCCAZygAwIBAgIVALgbuadTIXCBGx92qk2Pt658vf8pMA0GCSqGSIb3DQEBDQUAMGcxGDAWBgNVBAMMD1Zlbm9tUkFUIFNlcnZlcjETMBEGA1UECwwKcXdxZGFuY2h1bjEcMBoGA1UECgwTRGNSYXQgQnkgcXdxZGFuY2h1bjELMAkGA1UEBwwCU0gxCzAJBgNVBAYTAkNOMB4XDTIxMDExMjE3MzIzNloXDTMxMTAyMjE3MzIzNlowEDEOMAwGA1UEAwwFRGNSYXQwgZ8wDQYJKoZIhvcNAQEBBQAD...
Mutex: Venom_RAT_HVNC_Mutex_Venom RAT_HVNC
Autorun: false
Version: 5.0.5
Ports (1): 7070
C2 (1): 80.66.64.151
All screenshots are available in the full report
Total processes: 52
Monitored processes: 7
Malicious processes: 3
Suspicious processes: 1

Behavior graph

(Interactive graph available in the full report.) Processes shown: iexplore.exe, iexplore.exe, winword.exe, winword.exe (no specs), eqnedt32.exe, vbc.exe, installutil.exe (#ASYNCRAT). Edge labels: start, drop and start.

Process information

PID: 2040
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" "http://185.29.10.20/office/documnet.doc"
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: Explorer.EXE
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Internet Explorer
Exit code: 1
Version: 11.00.9600.16428 (winblue_gdr.131013-1700)

PID: 1220
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2040 CREDAT:267521 /prefetch:2
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: iexplore.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Internet Explorer
Exit code: 0
Version: 11.00.9600.16428 (winblue_gdr.131013-1700)

PID: 1148
CMD: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" -Embedding
Path: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Word
Version: 14.0.6024.1000

PID: 1196
CMD: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Embedding
Path: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Parent process: WINWORD.EXE
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Microsoft Word
Exit code: 0
Version: 14.0.6024.1000

PID: 2432
CMD: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Path: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Parent process: svchost.exe
User: admin
Company: Design Science, Inc.
Integrity Level: MEDIUM
Description: Microsoft Equation Editor
Exit code: 0
Version: 00110900

PID: 312
CMD: "C:\Users\Public\vbc.exe"
Path: C:\Users\Public\vbc.exe
Parent process: EQNEDT32.EXE
User: admin
Company: 5H:?CCI@GE7CCD<84D; (version-info string as read from the sample)
Integrity Level: MEDIUM
Description: =?B4=C75EBAEB7:D (version-info string as read from the sample)
Exit code: 0
Version: 5.7.10.12

PID: 368
CMD: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
Parent process: vbc.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: .NET Framework installation utility
Version: 4.0.30319.34209 built by: FX452RTMGDR
Total events: 20 120
Read events: 19 069
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 2
Suspicious files: 27
Text files: 9
Unknown types: 7

Dropped files

PID | Process | Filename | Type
1148 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVRF0BB.tmp.cvr | (none)
  MD5: (none)
  SHA256: (none)
1220 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\DY534W2X\documnet[1].doc | binary
  MD5: DFD6D5E99FE88BE01BDED91AA33AC9F4
  SHA256: 140B490209632E90A312F15F40F90C06F4C8D449F1F0B3DD98FC2B922AEE2CBA
2040 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_711ED44619924BA6DC33E69F97E7FF63 | binary
  MD5: 6A65D499A50A70859555BA840DCD8FB1
  SHA256: 8FE1967DBF071CF1BBECDA1266C091B64FE7809AB3009AE93E2CD9BCDC645BCF
2040 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 | binary
  MD5: 9CF5B6AFAF2F0204D6722437DC5C6CE3
  SHA256: BE149914F22BAE53AF9D9AE80E1669A10415D297AA4D9AD7DEDE336E9651824D
1148 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\{EE9F65D1-86CA-42FC-A334-4BFAC6D1F318} | binary
  MD5: 459644B6922E7BFE348D8FBE148073DA
  SHA256: 6625355ED5720A9FBAC7D13A03D5B16C6127C7B6882611CA0C330701FE7C6497
1148 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\{557A09C3-1DCB-441A-9116-8F64E1EA85B3} | binary
  MD5: F74CACC80F11F726F3227AB665A6E7EC
  SHA256: 772767B993412FA1802A1C1C91025859F058D7B2A76445861180EDD7EB350413
2040 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_711ED44619924BA6DC33E69F97E7FF63 | der
  MD5: 28CC3D4B0DA8A29A9DCD6D4755C84342
  SHA256: A4CA2DD1D4545838F7A9102623442BC76BDEB2185E9991A294BCB0B6456DDA0E
2040 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776 | der
  MD5: 790E40386A5478B54787C28956E029D7
  SHA256: 2A14CA44FA89C53F53111C7CAAE9155A460FA162BD822CCEAF7B7F74B8390557
1148 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc
  MD5: EC0DAD49ADD4EC97E329D930E9D349E8
  SHA256: 9F5CFF9765D8B903EDE0E2C7180FCD68398DE34C2DA8D0F56431D88C580B4BE9
1148 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{E15577CB-1427-4F34-9981-B60A47CC9956}.FSD | binary
  MD5: 8C9F76E6223E0E0E01AE55DDA6AD208F
  SHA256: BACFD915898FE200B85D8D77DF735B70AA6AA8DEF33B2019AE1B4ACB4C5DA174
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 25
TCP/UDP connections: 21
DNS requests: 7
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
1148 | WINWORD.EXE | OPTIONS | 200 | 185.29.10.20:80 | http://185.29.10.20/office/ | SE | - | - | malicious
1148 | WINWORD.EXE | HEAD | 200 | 185.29.10.20:80 | http://185.29.10.20/office/documnet.doc | SE | - | - | malicious
1148 | WINWORD.EXE | HEAD | 200 | 185.29.10.20:80 | http://185.29.10.20/office/documnet.doc | SE | - | - | malicious
824 | svchost.exe | PROPFIND | 302 | 185.29.10.20:80 | http://185.29.10.20/ | SE | - | - | malicious
2040 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | US | der | 471 b | whitelisted
1220 | iexplore.exe | GET | 200 | 185.29.10.20:80 | http://185.29.10.20/office/documnet.doc | SE | binary | 23.3 Kb | malicious
2040 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8Ull8gIGmZT9XHrHiJQeI%3D | US | der | 1.47 Kb | whitelisted
824 | svchost.exe | PROPFIND | 301 | 185.29.10.20:80 | http://185.29.10.20/office | SE | html | 338 b | malicious
824 | svchost.exe | PROPFIND | 405 | 185.29.10.20:80 | http://185.29.10.20/office/ | SE | html | 328 b | malicious
824 | svchost.exe | PROPFIND | 302 | 185.29.10.20:80 | http://185.29.10.20/ | SE | html | 328 b | malicious

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
2040 | iexplore.exe | 209.197.3.8:80 | ctldl.windowsupdate.com | Highwinds Network Group, Inc. | US | whitelisted
2040 | iexplore.exe | 93.184.220.29:80 | ocsp.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted
1220 | iexplore.exe | 185.29.10.20:80 | - | DataClub S.A. | SE | malicious
2040 | iexplore.exe | 131.253.33.200:443 | www.bing.com | Microsoft Corporation | US | whitelisted
2040 | iexplore.exe | 13.107.22.200:443 | www.bing.com | Microsoft Corporation | US | whitelisted
1148 | WINWORD.EXE | 185.29.10.20:80 | - | DataClub S.A. | SE | malicious
2040 | iexplore.exe | 152.199.19.161:443 | iecvlist.microsoft.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted
2432 | EQNEDT32.EXE | 185.29.10.20:80 | - | DataClub S.A. | SE | malicious
368 | InstallUtil.exe | 80.66.64.151:7070 | - | AB-Telecom Ltd. | RU | malicious
368 | InstallUtil.exe | 209.197.3.8:80 | ctldl.windowsupdate.com | Highwinds Network Group, Inc. | US | whitelisted

DNS requests

Domain | IP | Reputation
api.bing.com | 13.107.5.80 | whitelisted
www.bing.com | 13.107.22.200, 131.253.33.200 | whitelisted
ctldl.windowsupdate.com | 209.197.3.8 | whitelisted
ocsp.digicert.com | 93.184.220.29 | whitelisted
iecvlist.microsoft.com | 152.199.19.161 | whitelisted
r20swj13mr.microsoft.com | 152.199.19.161 | whitelisted
www.google.com | 142.250.184.196 | whitelisted

Threats

PID | Process | Class | Message
1220 | iexplore.exe | Potentially Bad Traffic | ET INFO Dotted Quad Host DOC Request
1148 | WINWORD.EXE | Potentially Bad Traffic | ET INFO Dotted Quad Host DOC Request
1220 | iexplore.exe | A Network Trojan was detected | ET CURRENT_EVENTS CVE-2017-0199 Common Obfus Stage 2 DL
1220 | iexplore.exe | Potentially Bad Traffic | ET INFO Possible RTF File With Obfuscated Version Header
1148 | WINWORD.EXE | Potentially Bad Traffic | ET INFO Dotted Quad Host DOC Request
1148 | WINWORD.EXE | Potentially Bad Traffic | ET INFO Dotted Quad Host DOC Request
1148 | WINWORD.EXE | Potentially Bad Traffic | ET INFO Suspicious Request for Doc to IP Address with Terse Headers
1148 | WINWORD.EXE | A Network Trojan was detected | ET CURRENT_EVENTS CVE-2017-0199 Common Obfus Stage 2 DL
1148 | WINWORD.EXE | Potentially Bad Traffic | ET INFO Possible RTF File With Obfuscated Version Header
1148 | WINWORD.EXE | Potentially Bad Traffic | ET INFO Dotted Quad Host DOC Request
2 ETPRO signatures available at the full report
No debug info