
Analysis Report 1099008FEDEX_090887766.xls

Overview

General Information

Sample Name: 1099008FEDEX_090887766.xls
Analysis ID: 320331
MD5: 069451376c805d4b4d21fdc34a5e58ba
SHA1: 5e8897fa3ee53ac8a1f010e01ea4ec5c2b3dbed5
SHA256: dc2be755822676a5ec7e406876c100efaf4983272e57a52469d5f0f788f55b82
Tags: AsyncRAT, RAT, xls

Detection

Hidden Macro 4.0 AsyncRAT
Score: 96
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Yara detected AsyncRAT
Binary contains a suspicious time stamp
Connects to a URL shortener service
Document exploit detected (process start blacklist hit)
Drops PE files to the document folder of the user
Found Excel 4.0 Macro with suspicious formulas
Obfuscated command line found
Sigma detected: Microsoft Office Product Spawning Windows Shell
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
AV process strings found (often used to terminate AV products)
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query locales information (e.g. system language)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Document contains embedded VBA macros
Drops PE files
Enables debug privileges
Enables security privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains strange resources
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Tries to load missing DLLs
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Startup

  • System is w10x64
  • EXCEL.EXE (PID: 6844 cmdline: 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding MD5: 5D6638F2C8F8571C593999C58866007E)
    • cmd.exe (PID: 7120 cmdline: cmd.exe /c robocopy %windir%\system32\WindowsPowerShell\v1.0\ %temp% powershell.exe /mt /z & exit MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 7148 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • Robocopy.exe (PID: 5776 cmdline: robocopy C:\Windows\system32\WindowsPowerShell\v1.0\ C:\Users\user\AppData\Local\Temp powershell.exe /mt /z MD5: BB8F54AE10FDA174289A4A495809EB69)
    • cmd.exe (PID: 7140 cmdline: cmd /c timeout /t 1 & cd %temp% & ren powershell.exe o.exe & exit MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 7164 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)