arrowrat | 6136b0b9b28b52962f090cdf34ac650c4b184f3a65e863e2051cdc1219aff051 | Triage

Submit
Reports

Overview

overview

Static

static

ClientH.exe

windows7-x64

ClientH.exe

windows10-2004-x64

Sharing

General

Target

ClientH.exe
Size

90KB
Sample

230718-mylz7sad7v
MD5

5ac5cf4a09a5c6dfd82669a0e24f675d
SHA1

4f0993bfd2245da594000bb7c2d2bd7d02b60d53
SHA256

6136b0b9b28b52962f090cdf34ac650c4b184f3a65e863e2051cdc1219aff051
SHA512

e0317cf9a5a495f5e90a88f4a96517626a30c016b7374db41bc79a8bcb0920fcf7691ca3cf48c712b8bc2db075d734ca7cacc771e8f604297600187afe314d3f
SSDEEP

1536:dbRiQMB57SK3bUzZdQ1iIMvnZlbLxjV3AGq5gWlocT1wzySsd9NJ33a:dbRO57SKsstcnZTJQDgWPaySsdH5K

Score

10^/10

arrowrat venomhvnc persistence rat

Static task

static1

venomhvnc arrowrat

2 signatures

Behavioral task

behavioral1

Sample

ClientH.exe

Resource

win7-20230712-en

arrowrat venomhvnc persistence rat

windows7-x64

15 signatures

1800 seconds

Behavioral task

behavioral2

Sample

ClientH.exe

Resource

win10v2004-20230703-en

arrowrat venomhvnc persistence rat

windows10-2004-x64

15 signatures

1800 seconds

Malware Config

Extracted

Family

arrowrat

Botnet

VenomHVNC

C2

wasted9sss1-57562.portmap.host:57562

Mutex

uSzDNutNI.exe

Targets

- Target
  
  ClientH.exe
- Size
  
  90KB
- MD5
  
  5ac5cf4a09a5c6dfd82669a0e24f675d
- SHA1
  
  4f0993bfd2245da594000bb7c2d2bd7d02b60d53
- SHA256
  
  6136b0b9b28b52962f090cdf34ac650c4b184f3a65e863e2051cdc1219aff051
- SHA512
  
  e0317cf9a5a495f5e90a88f4a96517626a30c016b7374db41bc79a8bcb0920fcf7691ca3cf48c712b8bc2db075d734ca7cacc771e8f604297600187afe314d3f
- SSDEEP
  
  1536:dbRiQMB57SK3bUzZdQ1iIMvnZlbLxjV3AGq5gWlocT1wzySsd9NJ33a:dbRO57SKsstcnZTJQDgWPaySsdH5K
Score

10^/10

arrowrat venomhvnc persistence rat
- ArrowRat
  Remote access tool with various capabilities first seen in late 2021.
  rat arrowrat
- Modifies WinLogon for persistence
  persistence
- Modifies Installed Components in the registry
  persistence
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

venomhvncarrowrat

behavioral1

arrowratvenomhvncpersistencerat

behavioral2

arrowratvenomhvncpersistencerat

© 2018-2024

Terms | Privacy