arrowrat | 33c374a5686da5dede55e0d7a867e185c193dd281dbb84594769395b6f49db01 | Triage

Submit
Reports

Overview

overview

Static

static

Client2.exe

windows10-2004-x64

Resubmissions

27-03-2023 14:22

230327-rp15zsdg92 10

27-03-2023 13:43

230327-q1lc8sdf86 10

Sharing

General

Target

Client2.exe
Size

63KB
Sample

230327-rp15zsdg92
MD5

40a63f050f41848d979fc88712d1fbf1
SHA1

0d155350fd579788f71dbf7e3f39c889bd37f50e
SHA256

33c374a5686da5dede55e0d7a867e185c193dd281dbb84594769395b6f49db01
SHA512

c11e32b23ca672c863de8d1ddb4a44d1b09f15262660914ef9c1ba3b99e210939df089b8c0d27f5616d820e9fe217e8a91c4875aa7108d25fe26802c1bb96a64
SSDEEP

1536:YhW5hc1kw0kVit8Q0v9Gbb3w+HRpGmDpqKmY7:YhW5hc1kWVHGbb3hHR9gz

Score

10^/10

arrowrat asyncrat venom clients venomhvnc persistence rat spyware stealer

Static task

static1

rat venom clients asyncrat

2 signatures

Behavioral task

behavioral1

Sample

Client2.exe

Resource

win10v2004-20230220-en

arrowrat asyncrat venom clients venomhvnc persistence rat spyware stealer

windows10-2004-x64

24 signatures

600 seconds

Malware Config

Extracted

Family

asyncrat

Version

5.0.5

Botnet

Venom Clients

C2

soon-lp.at.ply.gg:17209

Mutex

Venom_RAT_HVNC_Mutex_Venom RAT_HVNC

Attributes

delay
1
install
true
install_file
svchost.exe
install_folder
%AppData%

aes.plain

Extracted

Family

arrowrat

Botnet

VenomHVNC

C2

soon-lp.at.ply.gg:17209

Mutex

vkrfeXWoz.exe

Targets

- Target
  
  Client2.exe
- Size
  
  63KB
- MD5
  
  40a63f050f41848d979fc88712d1fbf1
- SHA1
  
  0d155350fd579788f71dbf7e3f39c889bd37f50e
- SHA256
  
  33c374a5686da5dede55e0d7a867e185c193dd281dbb84594769395b6f49db01
- SHA512
  
  c11e32b23ca672c863de8d1ddb4a44d1b09f15262660914ef9c1ba3b99e210939df089b8c0d27f5616d820e9fe217e8a91c4875aa7108d25fe26802c1bb96a64
- SSDEEP
  
  1536:YhW5hc1kw0kVit8Q0v9Gbb3w+HRpGmDpqKmY7:YhW5hc1kWVHGbb3hHR9gz
Score

10^/10

arrowrat asyncrat venom clients venomhvnc persistence rat spyware stealer
- ArrowRat
  Remote access tool with various capabilities first seen in late 2021.
  rat arrowrat
- AsyncRat
  AsyncRAT is designed to remotely monitor and control other computers written in C#.
  rat asyncrat
- Modifies WinLogon for persistence
  persistence
- Async RAT payload
  rat
- Modifies Installed Components in the registry
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Suspicious use of SetThreadContext
behavioral1

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

Persistence

Winlogon Helper DLL

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Modify Registry

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Peripheral Device Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Impact

Tasks

static1

ratvenom clientsasyncrat

behavioral1

arrowratasyncratvenom clientsvenomhvncpersistenceratspywarestealer

© 2018-2024

Terms | Privacy