arrowrat

General

Target

PandoraHVNC.rar
Size

3.8MB
Sample

220927-w1p93sebd2
MD5

70642b74435f394d8c7001c4248fbd92
SHA1

685c77def902375c54b4122d0f289e1921346943
SHA256

e6fde59ccd2ab23714b2e7f32551226651e8367d459447dae2d9b80a20afbd22
SHA512

1432200d8cf3c9aab2cbbf03525964b8604268bd60328a8b0346738d8a6d7fc5dc4ee06a19dd0cd619dab1643de842893369683c560e8f3fb92bf37a4cffe428
SSDEEP

98304:0oPStM8K1DMidjhf27SjvqBYw5CEU1Lyohkc+u5UiXGxTQ:iZ+ZRBjvQZkEU1LyohUo/XGxTQ

Score

10^/10

Malware Config

Extracted

Family

arrowrat

Botnet

Client Name

C2

127.0.0.1:1337

Mutex

Targets

- Target
  
  PandoraHVNC/Guna.UI2.dll
- Size
  
  2.1MB
- MD5
  
  aca7f1ca2525160b85404e638732bd87
- SHA1
  
  612b5fa896871ee2f8f5710ac4bc63701cb96e4f
- SHA256
  
  bf7fd5efcd54d00bfda76187cb3f04dd36bb38d9b36b505e1493cffb7a7f3d9e
- SHA512
  
  dbf6624da29167ac67ef8e2fbfa1a350f00f850a1c029fe427d54ddbc3299331633ee8e1c076cd54ff02fa219fbe9ab0397e89c1a32d502ccdd150df55e25ae3
- SSDEEP
  
  49152:tvU6fD73waJnBA5lV8jldVmIgA5iKOvhn:tvU6vznglEldVmIJi/vt
Score

1^/10
behavioral1
- Target
  
  PandoraHVNC/PandorahVNC - Cracked By BoBhitBine.exe
- Size
  
  5.1MB
- MD5
  
  4c3338c73014a5fd124c4b5b1538e80f
- SHA1
  
  d6058fca565ef43355999ba3a42f7e26dcf9e495
- SHA256
  
  4ac535cf37a71be57dacd5677b09efd8bb216eb77e467313426e2edbf1600ab1
- SHA512
  
  00c61a16e2f5ecb00c9037410d316a53bd97cd654cca4272faf71c29a060f525d53f279c273daa8d79f44ff1e6c778e4870c342a5eb40fe48054481796abdfde
- SSDEEP
  
  98304:6HB41DSe6NtONC25oD83lB41N+CIw6Se6Nt9C25o:6ADSe6PONC2K83KN+CIw6Se6P9C2
Score

7^/10

agilenet
- Loads dropped DLL
- Obfuscated with Agile.Net obfuscator
  Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
  agilenet
behavioral2
- Target
  
  PandoraHVNC/builder/Pandora Client Builder.exe
- Size
  
  5.0MB
- MD5
  
  3716185e55790072076a961fa9629ab8
- SHA1
  
  df8e3cc0ba2dc454e254d96534483ef23b805d53
- SHA256
  
  0737fc32aafdc1b6cc12efd32581e0a208c84d5760ab2d77c3c525d34fe333a6
- SHA512
  
  05d94fc3d6a097293c396e276032a77cd07a73358c9cd1b17839b946a8f554ef0c91a198ffb758d220de475ead01d10cf0109379e62c7e6be4112b62a19dcf75
- SSDEEP
  
  49152:tOUthyZ67WMAxUrgK7c80IirMPr2/3xv3m:vt2j1+dcxIiWr2g
Score

1^/10
behavioral3
- Target
  
  PandoraHVNC/builder/Stub/client.bin
- Size
  
  158KB
- MD5
  
  84c7dfc6c975fb3391adf8fd27e0dfae
- SHA1
  
  cb793feddca0194a5c011a2a5e581ab2510c0035
- SHA256
  
  b4f1b5a47175722b1a9230b934c227dc6b6a06bb5d8e6d0713bbaec35c34a44e
- SHA512
  
  c250948d2f5cce26de34083d8d5051a10f90b070aab7ddb187934c9caaab7067725e822108444a4acc3bb64dc730efca5877446ff7a34ea5443042f68215f279
- SSDEEP
  
  3072:Wbh0gAyRWW+0OMmlxvTltwLpBTkgIDeGIl3WNSmNJR1GddKqeCgqVbbp/YouwJbB:Wbh0LL0OrdltyB7dWY0J6ddKwpgouYn8
Score

10^/10

arrowrat client name rat
- ArrowRat
  Remote access tool with various capabilities first seen in late 2021.
  rat arrowrat
behavioral4

MITRE ATT&CK Matrix

Tasks

Resubmissions

Sharing

General

Malware Config

Extracted

Targets

Loads dropped DLL

Obfuscated with Agile.Net obfuscator

MITRE ATT&CK Matrix

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4