asyncrat | 50c2dba1d961e09cb8df397b71bd3b6a32d0ee6dbe886e7309305dc4ba968f94

Analysis

max time kernel
124s
max time network
137s
platform
windows10-1703_x64
resource
win10-20240611-en
resource tags

arch:x64arch:x86image:win10-20240611-enlocale:en-usos:windows10-1703-x64system
submitted
27-07-2024 10:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Anarchy Panel.exe
Size

54.6MB
MD5

94bac1a0cc0dbac256f0d3b4c90648c2
SHA1

4abcb8a31881e88322f6a37cbb24a14a80c6eef2
SHA256

50c2dba1d961e09cb8df397b71bd3b6a32d0ee6dbe886e7309305dc4ba968f94
SHA512

30ecee38d5d641abaf73e09a23c614cb3b8b84aa1f8ff1818e92c1f2b51bf6841d3e51564aecb5efd01a3d98db88f0938e7dd4ee9c74ca5477785c33c969ffd9
SSDEEP

786432:RvcKHU1yll1EcgYwm/7hPo9b9DMs2PTUpRYj:lPU4bZwm/NwEIYj

Score

10^/10

asyncrat discovery rat

Malware Config

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

.NET Reactor proctector 1 IoCs

Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

resource	yara_rule
behavioral1/memory/2292-1-0x0000000000490000-0x0000000003B2E000-memory.dmp	net_reactor

Loads dropped DLL 1 IoCs

pid	Process
2292	Anarchy Panel.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\rescache\_merged\1601268389\715946058.pri	taskmgr.exe
File created	C:\Windows\rescache\_merged\4183903823\2290032291.pri	taskmgr.exe
File created	C:\Windows\rescache\_merged\1601268389\715946058.pri	taskmgr.exe
File created	C:\Windows\rescache\_merged\4183903823\2290032291.pri	taskmgr.exe

System Time Discovery 1 TTPs 2 IoCs

Adversary may gather the system time and/or time zone settings from a local or remote system.

discovery

System Time Discovery

T1124

pid	Process
1192	cmd.exe
4916	cmd.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	taskmgr.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
216	timeout.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings	taskmgr.exe

Suspicious behavior: EnumeratesProcesses 60 IoCs

pid	Process
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
4948	taskmgr.exe
4948	taskmgr.exe
4948	taskmgr.exe
4948	taskmgr.exe
4948	taskmgr.exe
4948	taskmgr.exe
4948	taskmgr.exe
4948	taskmgr.exe
4948	taskmgr.exe
4948	taskmgr.exe
4948	taskmgr.exe
4948	taskmgr.exe
4948	taskmgr.exe
4948	taskmgr.exe
4948	taskmgr.exe
4948	taskmgr.exe
4948	taskmgr.exe
4948	taskmgr.exe
4948	taskmgr.exe
4948	taskmgr.exe
4948	taskmgr.exe
4948	taskmgr.exe
4948	taskmgr.exe
4948	taskmgr.exe
4948	taskmgr.exe
4948	taskmgr.exe
4948	taskmgr.exe
4948	taskmgr.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeDebugPrivilege	2292	Anarchy Panel.exe
Token: SeDebugPrivilege	1232	taskmgr.exe
Token: SeSystemProfilePrivilege	1232	taskmgr.exe
Token: SeCreateGlobalPrivilege	1232	taskmgr.exe
Token: 33	1232	taskmgr.exe
Token: SeIncBasePriorityPrivilege	1232	taskmgr.exe
Token: SeDebugPrivilege	4948	taskmgr.exe
Token: SeSystemProfilePrivilege	4948	taskmgr.exe
Token: SeCreateGlobalPrivilege	4948	taskmgr.exe
Token: 33	4948	taskmgr.exe
Token: SeIncBasePriorityPrivilege	4948	taskmgr.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
4948	taskmgr.exe
4948	taskmgr.exe
4948	taskmgr.exe
4948	taskmgr.exe
4948	taskmgr.exe
4948	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
1232	taskmgr.exe
4948	taskmgr.exe
4948	taskmgr.exe
4948	taskmgr.exe
4948	taskmgr.exe
4948	taskmgr.exe
4948	taskmgr.exe
4948	taskmgr.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2292 wrote to memory of 1192	2292	Anarchy Panel.exe	72
PID 2292 wrote to memory of 1192	2292	Anarchy Panel.exe	72
PID 1192 wrote to memory of 4916	1192	cmd.exe	75
PID 1192 wrote to memory of 4916	1192	cmd.exe	75
PID 4916 wrote to memory of 216	4916	cmd.exe	78
PID 4916 wrote to memory of 216	4916	cmd.exe	78

C:\Users\Admin\AppData\Local\Temp\Anarchy Panel.exe
"C:\Users\Admin\AppData\Local\Temp\Anarchy Panel.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2292
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /c start cmd /C "color b && title Error && echo SSL assertion fail, make sure you're not debugging Network. Disable internet firewall on router if possible. & echo: & echo If not, ask the developer of the program to use custom domains to fix this. && timeout /t 5"
  2⤵
  - System Time Discovery
  - Suspicious use of WriteProcessMemory
  PID:1192
- - C:\Windows\system32\cmd.exe
    cmd /C "color b && title Error && echo SSL assertion fail, make sure you're not debugging Network. Disable internet firewall on router if possible. & echo: & echo If not, ask the developer of the program to use custom domains to fix this. && timeout /t 5"
    3⤵
    - System Time Discovery
    - Suspicious use of WriteProcessMemory
    PID:4916
  - - C:\Windows\system32\timeout.exe
      timeout /t 5
      4⤵
      Delays execution with timeout.exe
      PID:216

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1232

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4948

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3868

C:\Windows\System32\q5ilm7.exe
"C:\Windows\System32\q5ilm7.exe"
1⤵
PID:4680

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Time Discovery

T1124

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\PRICache\1601268389\715946058.pri

Filesize
171KB

MD5
30ec43ce86e297c1ee42df6209f5b18f

SHA1
fe0a5ea6566502081cb23b2f0e91a3ab166aeed6

SHA256
8ccddf0c77743a42067782bc7782321330406a752f58fb15fb1cd446e1ef0ee4

SHA512
19e5a7197a92eeef0482142cfe0fb46f16ddfb5bf6d64e372e7258fa6d01cf9a1fac9f7258fd2fd73c0f8a064b8d79b51a1ec6d29bbb9b04cdbd926352388bae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PRICache\4183903823\2290032291.pri

Filesize
2KB

MD5
b8da5aac926bbaec818b15f56bb5d7f6

SHA1
2b5bf97cd59e82c7ea96c31cf9998fbbf4884dc5

SHA256
5be5216ae1d0aed64986299528f4d4fe629067d5f4097b8e4b9d1c6bcf4f3086

SHA512
c39a28d58fb03f4f491bf9122a86a5cbe7677ec2856cf588f6263fa1f84f9ffc1e21b9bcaa60d290356f9018fb84375db532c8b678cf95cc0a2cc6ed8da89436

Download Submit
\Users\Admin\AppData\Local\Temp\Costura\C5730A4C0FDD612A5678E51A536CE09E\64\sqlite.interop.dll

Filesize
1.7MB

MD5
56a504a34d2cfbfc7eaa2b68e34af8ad

SHA1
426b48b0f3b691e3bb29f465aed9b936f29fc8cc

SHA256
9309fb2a3f326d0f2cc3f2ab837cfd02e4f8cb6b923b3b2be265591fd38f4961

SHA512
170c3645083d869e2368ee16325d7edaeba2d8f1d3d4a6a1054cfdd8616e03073772eeae30c8f79a93173825f83891e7b0e4fd89ef416808359f715a641747d7

Download Submit
memory/2292-14-0x000000001ED30000-0x000000001F318000-memory.dmp

Filesize
5.9MB

Download
memory/2292-3-0x00007FFC771D0000-0x00007FFC773AB000-memory.dmp

Filesize
1.9MB

Download
memory/2292-8-0x0000000004320000-0x0000000004332000-memory.dmp

Filesize
72KB

Download
memory/2292-0-0x00007FFC771D0000-0x00007FFC773AB000-memory.dmp

Filesize
1.9MB

Download
memory/2292-15-0x000000001F320000-0x000000001F6E0000-memory.dmp

Filesize
3.8MB

Download
memory/2292-16-0x00000000205A0000-0x00000000206EE000-memory.dmp

Filesize
1.3MB

Download
memory/2292-17-0x00000000208F0000-0x0000000020904000-memory.dmp

Filesize
80KB

Download
memory/2292-19-0x00007FFC771D0000-0x00007FFC773AB000-memory.dmp

Filesize
1.9MB

Download
memory/2292-20-0x00007FFC771D0000-0x00007FFC773AB000-memory.dmp

Filesize
1.9MB

Download
memory/2292-2-0x00007FFC771D0000-0x00007FFC773AB000-memory.dmp

Filesize
1.9MB

Download
memory/2292-1-0x0000000000490000-0x0000000003B2E000-memory.dmp

Filesize
54.6MB

Download