asyncrat | ac8b0b40b2f088a805601a7de7df58a8ebca6f03921f44305cb5191b98ca6be7

General

Target

Anarchy Panel 4.7.rar
Size

53.7MB
MD5

a14b107b10b4004aedb2fd1a131e9ca0
SHA1

854f03955b29bbd7374a66d246fb09289437973a
SHA256

ac8b0b40b2f088a805601a7de7df58a8ebca6f03921f44305cb5191b98ca6be7
SHA512

0eb2875c662be700e07dd4e16be3c5e82f2af747531525765ebab8f278a5773747a8a16f2057ee1a1115fb71283490463b9be17c61bfed9517937c1fa5863585
SSDEEP

786432:wxvuATq6zudBSMnaTsS2DaajJeMixRbF9Bf+XDIUpGm5sCs2AvU/SmCOAPnEV:wxmATSSMus/hZaxDBtU7iLA3ycV

Score

10^/10

asyncrat rat

Malware Config

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

.NET Reactor proctector 1 IoCs

Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

resource	yara_rule
behavioral2/memory/1928-47-0x0000000000DD0000-0x000000000446E000-memory.dmp	net_reactor

Executes dropped EXE 1 IoCs

pid	Process
1928	Anarchy Panel.exe

Loads dropped DLL 1 IoCs

pid	Process
1928	Anarchy Panel.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-661257284-3186977026-4220467887-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-661257284-3186977026-4220467887-1000_Classes\Local Settings	OpenWith.exe

Suspicious behavior: EnumeratesProcesses 27 IoCs

pid	Process
1928	Anarchy Panel.exe
1928	Anarchy Panel.exe
1928	Anarchy Panel.exe
1928	Anarchy Panel.exe
1928	Anarchy Panel.exe
1928	Anarchy Panel.exe
1928	Anarchy Panel.exe
1928	Anarchy Panel.exe
1928	Anarchy Panel.exe
1928	Anarchy Panel.exe
1928	Anarchy Panel.exe
1928	Anarchy Panel.exe
1928	Anarchy Panel.exe
1928	Anarchy Panel.exe
1928	Anarchy Panel.exe
1928	Anarchy Panel.exe
1928	Anarchy Panel.exe
1928	Anarchy Panel.exe
1928	Anarchy Panel.exe
1928	Anarchy Panel.exe
1928	Anarchy Panel.exe
1928	Anarchy Panel.exe
1928	Anarchy Panel.exe
1928	Anarchy Panel.exe
1928	Anarchy Panel.exe
1928	Anarchy Panel.exe
1928	Anarchy Panel.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeRestorePrivilege	4424	7zG.exe
Token: 35	4424	7zG.exe
Token: SeSecurityPrivilege	4424	7zG.exe
Token: SeSecurityPrivilege	4424	7zG.exe
Token: SeDebugPrivilege	1928	Anarchy Panel.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
4424	7zG.exe
1928	Anarchy Panel.exe
1928	Anarchy Panel.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1928	Anarchy Panel.exe
1928	Anarchy Panel.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
908	OpenWith.exe
908	OpenWith.exe
908	OpenWith.exe

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Anarchy Panel 4.7.rar"
1⤵
- Modifies registry class
PID:1304

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:908

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3960

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\" -an -ai#7zMap6939:92:7zEvent13497
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4424

C:\Users\Admin\Desktop\Anarchy Panel 4.7\Anarchy Panel.exe
"C:\Users\Admin\Desktop\Anarchy Panel 4.7\Anarchy Panel.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1928

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:1012

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" cryptext.dll,CryptExtAddPFX C:\Users\Admin\Desktop\Anarchy Panel 4.7\Usrs.p12
1⤵
PID:5060

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Costura\C5730A4C0FDD612A5678E51A536CE09E\64\sqlite.interop.dll

Filesize
1.7MB

MD5
56a504a34d2cfbfc7eaa2b68e34af8ad

SHA1
426b48b0f3b691e3bb29f465aed9b936f29fc8cc

SHA256
9309fb2a3f326d0f2cc3f2ab837cfd02e4f8cb6b923b3b2be265591fd38f4961

SHA512
170c3645083d869e2368ee16325d7edaeba2d8f1d3d4a6a1054cfdd8616e03073772eeae30c8f79a93173825f83891e7b0e4fd89ef416808359f715a641747d7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-661257284-3186977026-4220467887-1000\a64141c693978414e990430c4d259587_3865d557-6aef-43e8-bcad-b6582d34cf01

Filesize
1KB

MD5
950b74f192530e30574cbd7ebeb7950e

SHA1
6f3771378b368263402a395d0c764f66590fd77e

SHA256
ca3231604f4a38fd8001d5b6d441c9b61bbccdae4019d68c0456b6db55560550

SHA512
5a7073155d2ba4270a507af7accc3e165fec3a364beb65d79facc5166a085dca6ed074655c2027790a6019509b6ab8ba0ad3492d7c95093af4c064d74b1c0784

Download Submit
C:\Users\Admin\Desktop\Anarchy Panel 4.7\Anarchy Panel.exe.config

Filesize
3KB

MD5
3d441f780367944d267e359e4786facd

SHA1
d3a4ba9ffc555bbc66207dfdaf3b2d569371f7b5

SHA256
49648bbe8ec16d572b125fff1f0e7faa19e1e8c315fd2a1055d6206860a960c9

SHA512
5f17ec093cdce3dbe2cb62fec264b3285aabe7352c1d65ec069ffbc8a17a9b684850fe38c1ffd8b0932199c820881d255c8d1e6000cbbe85587c98e88c9acb90

Download Submit
C:\Users\Admin\Desktop\Anarchy Panel 4.7\Usrs.p12

Filesize
1KB

MD5
29d05f26237337f84db3ac84a8c85a18

SHA1
67981b91410af6c7e075120708f0c874682192a1

SHA256
a831ffcc46ff7f49ecb107341eeae12326a4be6c3aa904a03f9a6b65eb64f58e

SHA512
642f8806a06ed97e17107ff643fd0ca62720b69fa671d55dcd9c78cc1886a050452c87d357a3bb18994000cc2367194dccd333f778a622cd805308581bd1f800

Download Submit
memory/1928-58-0x0000000024290000-0x00000000242A4000-memory.dmp

Filesize
80KB

Download
memory/1928-55-0x000000001FB80000-0x000000001FF40000-memory.dmp

Filesize
3.8MB

Download
memory/1928-56-0x00000000238D0000-0x0000000023B22000-memory.dmp

Filesize
2.3MB

Download
memory/1928-57-0x0000000024100000-0x000000002424E000-memory.dmp

Filesize
1.3MB

Download
memory/1928-54-0x000000001F590000-0x000000001FB78000-memory.dmp

Filesize
5.9MB

Download
memory/1928-59-0x0000000022640000-0x0000000022652000-memory.dmp

Filesize
72KB

Download
memory/1928-60-0x0000000024340000-0x00000000245B8000-memory.dmp

Filesize
2.5MB

Download
memory/1928-66-0x0000000022620000-0x000000002262A000-memory.dmp

Filesize
40KB

Download
memory/1928-72-0x00000000271D0000-0x0000000028847000-memory.dmp

Filesize
22.5MB

Download
memory/1928-85-0x00000000271D0000-0x0000000028847000-memory.dmp

Filesize
22.5MB

Download
memory/1928-53-0x000000001EF10000-0x000000001EF22000-memory.dmp

Filesize
72KB

Download
memory/1928-47-0x0000000000DD0000-0x000000000446E000-memory.dmp

Filesize
54.6MB

Download

Analysis

Sharing