General

  • Target

    PandoraClient.exe

  • Size

    158KB

  • Sample

    230325-nm7cfaef4w

  • MD5

    3eee7fa59a133b6c2fef8f0ad620fbaa

  • SHA1

    4375f6e3df9e013dd69ba94917ae17de490bb279

  • SHA256

    57863c2370ced5e6f6979f44244d76c97e09574a8178ace79755287fc835ab91

  • SHA512

    ee30da5303191a0d4c0e08553e27df3e0c47e2310b898d4521065d11dd81bfd2507d731c1a58bab113092a35ccfa79ccd14831bac680983efbad63d40beb64fe

  • SSDEEP

    3072:hbzVL+0OoCthfbEFtbcfjF45gjryKKqH6JY2doszEmQotEPPcfP7fO8Y:hbzVC0ODhTEPgnjuIJzo+PPcfP7W8

Malware Config

Extracted

Family

arrowrat

Botnet

Client

C2

soon-lp.at.ply.gg:17209

Mutex

JwqqOowIr

Targets

    • Target

      PandoraClient.exe

    • Size

      158KB

    • MD5

      3eee7fa59a133b6c2fef8f0ad620fbaa

    • SHA1

      4375f6e3df9e013dd69ba94917ae17de490bb279

    • SHA256

      57863c2370ced5e6f6979f44244d76c97e09574a8178ace79755287fc835ab91

    • SHA512

      ee30da5303191a0d4c0e08553e27df3e0c47e2310b898d4521065d11dd81bfd2507d731c1a58bab113092a35ccfa79ccd14831bac680983efbad63d40beb64fe

    • SSDEEP

      3072:hbzVL+0OoCthfbEFtbcfjF45gjryKKqH6JY2doszEmQotEPPcfP7fO8Y:hbzVC0ODhTEPgnjuIJzo+PPcfP7W8

    • ArrowRat

      Remote access tool with various capabilities first seen in late 2021.

    • Modifies WinLogon for persistence

    • Modifies Installed Components in the registry

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Persistence

Winlogon Helper DLL

1
T1004

Registry Run Keys / Startup Folder

1
T1060

Defense Evasion

Modify Registry

2
T1112

Discovery

Query Registry

3
T1012

System Information Discovery

4
T1082

Peripheral Device Discovery

2
T1120

Tasks