General

  • Target

    Anarchy Panel 4.7_adrikadi.exe

  • Size

    55.6MB

  • Sample

    231029-e9wpsaef7s

  • MD5

    208e9da0a6fc07ef32b2602540a72e4b

  • SHA1

    556981b25572073b834341c26bc7f37ff38bf0b9

  • SHA256

    ac74f6db722a46ef37291aa464e142b81d8c7de8627f64918d333b738af694c6

  • SHA512

    ad4ce38a8daae3faffb71842c9d3bc9c99d1b3a99f1fda849b02590faac6e8502a936cea258b48bbcefec0e5aad1b59d1fc67ac6f92fe08ffebbe70dce4fccaf

  • SSDEEP

    1572864:2lO9lNd+eRHp2VataXzcSEXLPPv7QLSNLF:2E9lnBRHpXYzcSoLPPELSNLF

Malware Config

Extracted

Family

asyncrat

Botnet

Default

C2

127.0.0.1:3232

Mutex

XScw6vΒ4迪DvcTSyqΒ伊艾Jy

Attributes
  • delay

    1

  • install

    false

  • install_folder

    %AppData%

aes.plain

Targets

    • Target

      Anarchy Panel 4.7_adrikadi.exe

    • Size

      55.6MB

    • MD5

      208e9da0a6fc07ef32b2602540a72e4b

    • SHA1

      556981b25572073b834341c26bc7f37ff38bf0b9

    • SHA256

      ac74f6db722a46ef37291aa464e142b81d8c7de8627f64918d333b738af694c6

    • SHA512

      ad4ce38a8daae3faffb71842c9d3bc9c99d1b3a99f1fda849b02590faac6e8502a936cea258b48bbcefec0e5aad1b59d1fc67ac6f92fe08ffebbe70dce4fccaf

    • SSDEEP

      1572864:2lO9lNd+eRHp2VataXzcSEXLPPv7QLSNLF:2E9lnBRHpXYzcSoLPPELSNLF

    • AsyncRat

      AsyncRAT is designed to remotely monitor and control other computers written in C#.

    • Detect ZGRat V1

    • Modifies Windows Defender Real-time Protection settings

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Stealerium

      An open source info stealer written in C# first seen in May 2022.

    • StormKitty

      StormKitty is an open source info stealer written in C#.

    • StormKitty payload

    • ZGRat

      ZGRat is remote access trojan written in C#.

    • Async RAT payload

    • Grants admin privileges

      Uses net.exe to modify the user's privileges.

    • Renames multiple (2036) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • .NET Reactor proctector

      Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Windows security modification

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Looks up geolocation information via web service

      Uses a legitimate geolocation service to find the infected system's geolocation info.

    • Drops file in System32 directory

    • Sets desktop wallpaper using registry

MITRE ATT&CK Enterprise v15

Tasks