arrowrat | 929b11e9d778f3fb3753f2bfec104862dd325bd91546afc7dfe15803d1726a13

General

Target

VenomRAT.rar
Size

6.8MB
Sample

230308-c13evsdf39
MD5

f3ee8c380e07eb30c5f5780bdc23d60e
SHA1

8f55e9f20f4be614cfaf21f001b49c18ee55d173
SHA256

929b11e9d778f3fb3753f2bfec104862dd325bd91546afc7dfe15803d1726a13
SHA512

b10411c97b709d49b71b884e4ded9ff8ac08c8cf4c39d86b859cd9d074d2e1da4cf1f41a35d939700f032f4d11f965e92f423a3ba740af140fbc81e35511b48b
SSDEEP

196608:Qkz5znlJS+E4H5ED0r3uHTtKU3H9kXTkjvANy:t7j1ghKU3d+kjV

Score

10^/10

arrowrat asyncrat %group%agilenet microsoft phishing rat

Malware Config

Extracted

Family

arrowrat

Botnet

%Group%

C2

%Hosts%:%Ports%

Mutex

%MTX%

Targets

- Target
  
  VenomRAT/Plugins/Keylogger.exe
- Size
  
  10KB
- MD5
  
  4f846f2117c4eab285289b0090521b1e
- SHA1
  
  e25287c39bad32159417c5f0bf798625b6beff45
- SHA256
  
  a17a5bf35d8b784c3111632ba7e0c30a2c1a9c2c95b549235affc16d6d055477
- SHA512
  
  fd946b5f7c3c7d32f226897283de7ba3b4a4ecc2919c363877f1258cd24ed1a52bce53af2fe4ef34c4ac30d00fc456fd4e1593b79c37f7c22211f2c4f6092e5e
- SSDEEP
  
  192:irtmcuq65SoDxi4maEYbRzmEsLkjgv5JHT1eJYHcwY7fazB+LEi:irtlF60GE9rUhVsLF5p1rYydmE
Score

1^/10
behavioral1 behavioral2
- Target
  
  VenomRAT/VenomRAT_HVNC.exe
- Size
  
  16.5MB
- MD5
  
  c90bb028354000acc74485f2db4ab492
- SHA1
  
  28e6ce32a075669b3e382eaeb4871f7c3fc3bbef
- SHA256
  
  54df65f59a153e58faafc63addf325b7c492f000b8cda7e3cf527f5c0080325d
- SHA512
  
  9400521f9dd1fd76a914006133cd9b9dc5c8783407ff6b99fbb5a74c1a81e45818772ef4e1cabc9c67232bf60d977b48c2fadcb9401ae05e7c8e23fcf9ba7406
- SSDEEP
  
  393216:sl9Yl7Elel7ElAlQleTl/l/l/l/l/lzlml/lqlZlHl/l/l/l/l/l/lIlAl+lUl2x:WTXT
Score

10^/10

microsoft phishing asyncrat agilenet rat
- AsyncRat
  AsyncRAT is designed to remotely monitor and control other computers written in C#.
  rat asyncrat
- Async RAT payload
  rat
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Obfuscated with Agile.Net obfuscator
  Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
  agilenet
- Detected potential entity reuse from brand microsoft.
  phishing microsoft
behavioral3 behavioral4

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

AsyncRat

Async RAT payload

Checks computer location settings

Loads dropped DLL

Obfuscated with Agile.Net obfuscator

Detected potential entity reuse from brand microsoft.

MITRE ATT&CK Enterprise v6

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4