Play interactive tour
Edit tourWindows Analysis Report astro-grep-setup.exe.doc
Overview
General Information
| Sample Name: | astro-grep-setup.exe.doc |
| Analysis ID: | 450275 |
| MD5: | 9c3d3679ea84ff9bf67bf8c7aa2afc48 |
| SHA1: | 0470d616e8918ef03098741bf7fb0b313bb8aaea |
| SHA256: | 2f5639932c7a25cf51737748cdc495367a9203e0a963f930f0009935109da190 |
| Tags: | AstroGrepdoc |
| Infos: | |
Most interesting Screenshot:  | |
Detection
AsyncRAT
| Score: | 100 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Antivirus detection for dropped file
Document exploit detected (creates forbidden files)
Document exploit detected (drops PE files)
Multi AV Scanner detection for submitted file
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Yara detected AsyncRAT
.NET source code contains potential unpacker
Connects to a pastebin service (likely for C&C)
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Document contains an embedded VBA macro which may execute processes
Document contains an embedded VBA macro with suspicious strings
Document contains an embedded VBA with base64 encoded strings
Document contains an embedded VBA with hexadecimal encoded strings
Document exploit detected (process start blacklist hit)
Machine Learning detection for dropped file
Machine Learning detection for sample
Office process drops PE file
Sigma detected: Regsvr32 Anomaly
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality for read data from the clipboard
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to shutdown / reboot the system
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Document contains an embedded VBA macro which executes code when the document is opened / closed
Document contains embedded VBA macros
Document contains no OLE stream with summary information
Document has an unknown application name
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Enables debug privileges
Found dropped PE file which has not been started or loaded
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains an invalid checksum
PE file contains executable resources (Code or Archives)
PE file contains strange resources
PE file overlay found
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Stores files to the Windows start menu directory
Unable to load, office file is protected or invalid
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara signature match
Classification
Process Tree |
|---|
|
Malware Configuration |
|---|
| No configs have been found |
|---|
Yara Overview |
|---|
Dropped Files |
|---|
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security | ||
| JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security | ||
| Malware_QA_update | VT Research QA uploaded malware - file update.exe | Florian Roth |
| |
| JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security |
Memory Dumps |
|---|
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security | ||
| JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security | ||
| JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security | ||
| JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security | ||
| JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security | ||
| Click to see the 6 entries | ||||
Unpacked PEs |
|---|
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security | ||
| JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security | ||
| JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security | ||
| JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security | ||
| JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security | ||
| Click to see the 11 entries | ||||
Sigma Overview |
|---|
System Summary: |   |
|---|
| Sigma detected: Regsvr32 Anomaly | Show sources | ||
| Source: | Author: Florian Roth, oscd.community: | ||
Jbx Signature Overview |
|---|
Click to jump to signature section
Show All Signature Results
AV Detection: | |
|---|
| Antivirus detection for dropped file | Show sources | ||
| Source: | Avira: | ||
| Source: | Avira: | ||
| Source: | Avira: | ||
| Multi AV Scanner detection for submitted file | Show sources | ||
| Source: | Virustotal: | Perma Link | ||
| Machine Learning detection for dropped file | Show sources | ||
| Source: | Joe Sandbox ML: | ||
| Source: | Joe Sandbox ML: | ||
| Source: | Joe Sandbox ML: | ||
| Machine Learning detection for sample | Show sources | ||
| Source: | Joe Sandbox ML: | ||
| Source: | Avira: | ||
| Source: | Avira: | ||
| Source: | Avira: | ||
| Source: | Avira: | ||
| Source: | Avira: | ||
| Source: | Avira: | ||
| Source: | Avira: | ||
| Source: | Avira: | ||
| Source: | Avira: | ||
| Source: | Avira: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | Window detected: | ||