| Field | Value |
|---|---|
| URL | http://185.29.10.20/office/documnet.doc |
| Full analysis | https://app.any.run/tasks/ecee65f3-88e1-47d7-90b3-6955cf94111a |
| Verdict | Malicious activity |
| Threats | AsyncRAT is a RAT that can monitor and remotely control infected systems. This malware was introduced on GitHub as legitimate open-source remote administration software, but attackers use it for its many powerful malicious functions. |
| Analysis date | June 27, 2022, 10:32:36 |
| OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| MD5 | 80F86E943820B7E755110235C70D768A |
| SHA1 | A0A3A2096BC78B015B234A3FEC5951BE45167A70 |
| SHA256 | CB4920FFD0D41BD9C29E6BF9636EA9745820521736E11479B8D9D01D94AE53A5 |
| SSDEEP | 3:N1KlSpKKDDglIWX:CQDgltX |

PID | Command line | Path | Parent process | User | Integrity level | Exit code | Company | Description | Version
---|---|---|---|---|---|---|---|---|---|
2040 | "C:\Program Files\Internet Explorer\iexplore.exe" "http://185.29.10.20/office/documnet.doc" | C:\Program Files\Internet Explorer\iexplore.exe | Explorer.EXE | admin | MEDIUM | 1 | Microsoft Corporation | Internet Explorer | 11.00.9600.16428 (winblue_gdr.131013-1700)
1220 | "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2040 CREDAT:267521 /prefetch:2 | C:\Program Files\Internet Explorer\iexplore.exe | iexplore.exe | admin | LOW | 0 | Microsoft Corporation | Internet Explorer | 11.00.9600.16428 (winblue_gdr.131013-1700)
1148 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" -Embedding | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | svchost.exe | admin | MEDIUM | — | Microsoft Corporation | Microsoft Word | 14.0.6024.1000
1196 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Embedding | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | WINWORD.EXE | admin | LOW | 0 | Microsoft Corporation | Microsoft Word | 14.0.6024.1000
2432 | "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding | C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | svchost.exe | admin | MEDIUM | 0 | Design Science, Inc. | Microsoft Equation Editor | 00110900
312 | "C:\Users\Public\vbc.exe" | C:\Users\Public\vbc.exe | EQNEDT32.EXE | admin | MEDIUM | 0 | 5H:?CCI@GE7CCD<84D; | =?B4=C75EBAEB7:D | 5.7.10.12
368 | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | vbc.exe | admin | MEDIUM | — | Microsoft Corporation | .NET Framework installation utility | 4.0.30319.34209 built by: FX452RTMGDR

Extracted AsyncRAT configuration (PID 368, InstallUtil.exe):

| Field | Value |
|---|---|
| Install_Folder | %AppData% |
| Salt | VenomByVenom |
| Aes_Key | 49a509e4cda8c0bad6f636694b84afd03828cebb42f150479037411abf985717 |
| Botnet | venom clients |
| bdos | false |
| PasteBin | null |
| AntiVM | false |
| Server_Signature | B/XjFBRiKlO4ES3xsOmsifR+xvtzAS7oOzNO7X0CXGh4WxgOsiHQRNTmLB67KGxp+eEUSv/jyNDDPegkeQcVW7ByXBfyfmTJKEXH/BIHmBgTQlCLi6n33wAQMamYTxELJEXg5bwkGmbC3g5hPoBAGcAa14++/Z8NBA9Fh119Pek= |
| Certificate | MIICMzCCAZygAwIBAgIVALgbuadTIXCBGx92qk2Pt658vf8pMA0GCSqGSIb3DQEBDQUAMGcxGDAWBgNVBAMMD1Zlbm9tUkFUIFNlcnZlcjETMBEGA1UECwwKcXdxZGFuY2h1bjEcMBoGA1UECgwTRGNSYXQgQnkgcXdxZGFuY2h1bjELMAkGA1UEBwwCU0gxCzAJBgNVBAYTAkNOMB4XDTIxMDExMjE3MzIzNloXDTMxMTAyMjE3MzIzNlowEDEOMAwGA1UEAwwFRGNSYXQwgZ8wDQYJKoZIhvcNAQEBBQAD... |
| Mutex | Venom_RAT_HVNC_Mutex_Venom RAT_HVNC |
| Autorun | false |
| Version | 5.0.5 |
| Ports (1) | 7070 |
| C2 (1) | 80.66.64.151 |

PID | Process | Filename | Type | MD5 | SHA256
---|---|---|---|---|---|
1148 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVRF0BB.tmp.cvr | — | — | —
1220 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\DY534W2X\documnet[1].doc | binary | DFD6D5E99FE88BE01BDED91AA33AC9F4 | 140B490209632E90A312F15F40F90C06F4C8D449F1F0B3DD98FC2B922AEE2CBA
2040 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_711ED44619924BA6DC33E69F97E7FF63 | binary | 6A65D499A50A70859555BA840DCD8FB1 | 8FE1967DBF071CF1BBECDA1266C091B64FE7809AB3009AE93E2CD9BCDC645BCF
2040 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 | binary | 9CF5B6AFAF2F0204D6722437DC5C6CE3 | BE149914F22BAE53AF9D9AE80E1669A10415D297AA4D9AD7DEDE336E9651824D
1148 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\{EE9F65D1-86CA-42FC-A334-4BFAC6D1F318} | binary | 459644B6922E7BFE348D8FBE148073DA | 6625355ED5720A9FBAC7D13A03D5B16C6127C7B6882611CA0C330701FE7C6497
1148 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\{557A09C3-1DCB-441A-9116-8F64E1EA85B3} | binary | F74CACC80F11F726F3227AB665A6E7EC | 772767B993412FA1802A1C1C91025859F058D7B2A76445861180EDD7EB350413
2040 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_711ED44619924BA6DC33E69F97E7FF63 | der | 28CC3D4B0DA8A29A9DCD6D4755C84342 | A4CA2DD1D4545838F7A9102623442BC76BDEB2185E9991A294BCB0B6456DDA0E
2040 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776 | der | 790E40386A5478B54787C28956E029D7 | 2A14CA44FA89C53F53111C7CAAE9155A460FA162BD822CCEAF7B7F74B8390557
1148 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | EC0DAD49ADD4EC97E329D930E9D349E8 | 9F5CFF9765D8B903EDE0E2C7180FCD68398DE34C2DA8D0F56431D88C580B4BE9
1148 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{E15577CB-1427-4F34-9981-B60A47CC9956}.FSD | binary | 8C9F76E6223E0E0E01AE55DDA6AD208F | BACFD915898FE200B85D8D77DF735B70AA6AA8DEF33B2019AE1B4ACB4C5DA174

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
1148 | WINWORD.EXE | OPTIONS | 200 | 185.29.10.20:80 | http://185.29.10.20/office/ | SE | — | — | malicious |
1148 | WINWORD.EXE | HEAD | 200 | 185.29.10.20:80 | http://185.29.10.20/office/documnet.doc | SE | — | — | malicious |
1148 | WINWORD.EXE | HEAD | 200 | 185.29.10.20:80 | http://185.29.10.20/office/documnet.doc | SE | — | — | malicious |
824 | svchost.exe | PROPFIND | 302 | 185.29.10.20:80 | http://185.29.10.20/ | SE | — | — | malicious |
2040 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | US | der | 471 b | whitelisted |
1220 | iexplore.exe | GET | 200 | 185.29.10.20:80 | http://185.29.10.20/office/documnet.doc | SE | binary | 23.3 Kb | malicious |
2040 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8Ull8gIGmZT9XHrHiJQeI%3D | US | der | 1.47 Kb | whitelisted |
824 | svchost.exe | PROPFIND | 301 | 185.29.10.20:80 | http://185.29.10.20/office | SE | html | 338 b | malicious |
824 | svchost.exe | PROPFIND | 405 | 185.29.10.20:80 | http://185.29.10.20/office/ | SE | html | 328 b | malicious |
824 | svchost.exe | PROPFIND | 302 | 185.29.10.20:80 | http://185.29.10.20/ | SE | html | 328 b | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2040 | iexplore.exe | 209.197.3.8:80 | ctldl.windowsupdate.com | Highwinds Network Group, Inc. | US | whitelisted |
2040 | iexplore.exe | 93.184.220.29:80 | ocsp.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted |
1220 | iexplore.exe | 185.29.10.20:80 | — | DataClub S.A. | SE | malicious |
2040 | iexplore.exe | 131.253.33.200:443 | www.bing.com | Microsoft Corporation | US | whitelisted |
2040 | iexplore.exe | 13.107.22.200:443 | www.bing.com | Microsoft Corporation | US | whitelisted |
1148 | WINWORD.EXE | 185.29.10.20:80 | — | DataClub S.A. | SE | malicious |
2040 | iexplore.exe | 152.199.19.161:443 | iecvlist.microsoft.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted |
2432 | EQNEDT32.EXE | 185.29.10.20:80 | — | DataClub S.A. | SE | malicious |
368 | InstallUtil.exe | 80.66.64.151:7070 | — | AB-Telecom Ltd. | RU | malicious |
368 | InstallUtil.exe | 209.197.3.8:80 | ctldl.windowsupdate.com | Highwinds Network Group, Inc. | US | whitelisted |

Domain | IP | Reputation
---|---|---|
api.bing.com | — | whitelisted
www.bing.com | — | whitelisted
ctldl.windowsupdate.com | — | whitelisted
ocsp.digicert.com | — | whitelisted
iecvlist.microsoft.com | — | whitelisted
r20swj13mr.microsoft.com | — | whitelisted
www.google.com | — | whitelisted

PID | Process | Class | Message |
---|---|---|---|
1220 | iexplore.exe | Potentially Bad Traffic | ET INFO Dotted Quad Host DOC Request |
1148 | WINWORD.EXE | Potentially Bad Traffic | ET INFO Dotted Quad Host DOC Request |
1220 | iexplore.exe | A Network Trojan was detected | ET CURRENT_EVENTS CVE-2017-0199 Common Obfus Stage 2 DL |
1220 | iexplore.exe | Potentially Bad Traffic | ET INFO Possible RTF File With Obfuscated Version Header |
1148 | WINWORD.EXE | Potentially Bad Traffic | ET INFO Dotted Quad Host DOC Request |
1148 | WINWORD.EXE | Potentially Bad Traffic | ET INFO Dotted Quad Host DOC Request |
1148 | WINWORD.EXE | Potentially Bad Traffic | ET INFO Suspicious Request for Doc to IP Address with Terse Headers |
1148 | WINWORD.EXE | A Network Trojan was detected | ET CURRENT_EVENTS CVE-2017-0199 Common Obfus Stage 2 DL |
1148 | WINWORD.EXE | Potentially Bad Traffic | ET INFO Possible RTF File With Obfuscated Version Header |
1148 | WINWORD.EXE | Potentially Bad Traffic | ET INFO Dotted Quad Host DOC Request |