asyncrat | 64fc3fee444a94656049101a7fd8dcb04853dc849fdc79a531794d50147aa8f2

Reason

Machine shutdown

General

Target

Anarchy Panel Leaked/Anarchy Loader.exe
Size

54.7MB
MD5

5016491d1b400d431bf64bdfaa2402f2
SHA1

87c7f677cdbebefdedc3d7d975c2bb4f7725412a
SHA256

98b14faa7577d52999942de580275ecd78ef3f1e236ab52f646ceb562fce07ad
SHA512

cad0fd505e07b81540408a71e311e2e23f305a7508859d411a7b1d8d1a90547c264da4cf25c39fb0a1f33070f51bfafb42265be64affe9c4f07e61c4411d98d6
SSDEEP

1572864:r7s7RAkmum9Dio4y92UGp1DUMSoZ4XisCTK+OhiO0iQOCL:rI79hm9D54yAUs1DUBh3CTjOqiQO

Score

10^/10

asyncrat xworm persistence rat trojan

Malware Config

Extracted

Family

xworm

C2

209.25.141.181:31533

Attributes

Install_directory
%Temp%
install_file
INCCHECK.exe

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral2/files/0x0009000000023376-6.dat	family_xworm
behavioral2/memory/1508-13-0x0000000000A70000-0x0000000000A8E000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

.NET Reactor proctector 1 IoCs

Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

resource	yara_rule
behavioral2/memory/2968-25-0x0000000000C20000-0x00000000042BE000-memory.dmp	net_reactor

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	Anarchy Loader.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\INCCHECK.lnk	AnarchyInstall.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\INCCHECK.lnk	AnarchyInstall.exe

Executes dropped EXE 2 IoCs

pid	Process
1508	AnarchyInstall.exe
2968	Anarchy Panel.exe

Loads dropped DLL 1 IoCs

pid	Process
2968	Anarchy Panel.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\INCCHECK = "C:\\Users\\Admin\\AppData\\Local\\Temp\\INCCHECK.exe"	AnarchyInstall.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1508	AnarchyInstall.exe
Token: SeDebugPrivilege	2968	Anarchy Panel.exe
Token: SeDebugPrivilege	1508	AnarchyInstall.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4764 wrote to memory of 1508	4764	Anarchy Loader.exe	84
PID 4764 wrote to memory of 1508	4764	Anarchy Loader.exe	84
PID 4764 wrote to memory of 2968	4764	Anarchy Loader.exe	85
PID 4764 wrote to memory of 2968	4764	Anarchy Loader.exe	85

C:\Users\Admin\AppData\Local\Temp\Anarchy Panel Leaked\Anarchy Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Anarchy Panel Leaked\Anarchy Loader.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4764
- C:\Users\Admin\AppData\Local\Temp\Anarchy Panel Leaked\AnarchyInstall.exe
  "C:\Users\Admin\AppData\Local\Temp\Anarchy Panel Leaked\AnarchyInstall.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  PID:1508
- C:\Users\Admin\AppData\Local\Temp\Anarchy Panel Leaked\Anarchy Panel.exe
  "C:\Users\Admin\AppData\Local\Temp\Anarchy Panel Leaked\Anarchy Panel.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  PID:2968

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Anarchy Panel Leaked\AnarchyInstall.exe

Filesize
95KB

MD5
57fdae25873ed915da75aa33c9eb6d66

SHA1
5f835c20c97fc83b976fbea8345b01d96e5f1546

SHA256
c9074dc3e9e6e06260f4e40980ef2fbfd8b50cf449e20f250d277cadbd7909c0

SHA512
1191005e24a64b215ea866c8472411e13b22908ae98d42c758bb317bd6182cd671321d7c501db4d779e2234106d7cf8a118eea9f9dd698f578dc25b0098088f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Costura\C5730A4C0FDD612A5678E51A536CE09E\64\sqlite.interop.dll

Filesize
1.7MB

MD5
56a504a34d2cfbfc7eaa2b68e34af8ad

SHA1
426b48b0f3b691e3bb29f465aed9b936f29fc8cc

SHA256
9309fb2a3f326d0f2cc3f2ab837cfd02e4f8cb6b923b3b2be265591fd38f4961

SHA512
170c3645083d869e2368ee16325d7edaeba2d8f1d3d4a6a1054cfdd8616e03073772eeae30c8f79a93173825f83891e7b0e4fd89ef416808359f715a641747d7

Download Submit
memory/1508-38-0x00007FFABBA20000-0x00007FFABC4E1000-memory.dmp

Filesize
10.8MB

Download
memory/1508-13-0x0000000000A70000-0x0000000000A8E000-memory.dmp

Filesize
120KB

Download
memory/1508-14-0x00007FFABBA20000-0x00007FFABC4E1000-memory.dmp

Filesize
10.8MB

Download
memory/1508-37-0x00007FFABBA20000-0x00007FFABC4E1000-memory.dmp

Filesize
10.8MB

Download
memory/2968-25-0x0000000000C20000-0x00000000042BE000-memory.dmp

Filesize
54.6MB

Download
memory/2968-30-0x0000000004BC0000-0x0000000004BD2000-memory.dmp

Filesize
72KB

Download
memory/2968-31-0x000000001F400000-0x000000001F9E8000-memory.dmp

Filesize
5.9MB

Download
memory/2968-32-0x000000001F9F0000-0x000000001FDB0000-memory.dmp

Filesize
3.8MB

Download
memory/2968-24-0x00007FFABBA20000-0x00007FFABC4E1000-memory.dmp

Filesize
10.8MB

Download
memory/2968-39-0x00007FFABBA20000-0x00007FFABC4E1000-memory.dmp

Filesize
10.8MB

Download
memory/4764-0-0x00007FFABBA23000-0x00007FFABBA25000-memory.dmp

Filesize
8KB

Download
memory/4764-1-0x0000000000F10000-0x00000000045D4000-memory.dmp

Filesize
54.8MB

Download

Analysis

Sharing

Errors

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads