arrowrat

General

Target

vnm.rar
Size

23.4MB
Sample

230730-xmef4aba36
MD5

79cde4eb0611e953c787ab71bbf81321
SHA1

1aee8bd8458b72dcebbea42d0b49957646e04d31
SHA256

f464d1eca16652727a68d9ba70a7760e992063907b2d9b3889d9accf0d0dc9ae
SHA512

2adad93a9a67e8c4410f1bf2ee492c760977ea755dd6db1df8cbfd1a3d52bf84a4bf7820c3f44400c5983596b27254f13732305084aeaf1659fb186ad3719528
SSDEEP

393216:fnZXJZg93FXKyK8mU3lFUpAezyz2144atwOWgE8kbENJ9IFrUCRcVDRcicD0r:f1gRF6yK89Fng9atwO9Eg39WR6RBRr

Score

10^/10

arrowrat asyncrat %group%ctovnm agilenet persistence rat

Malware Config

Extracted

Family

arrowrat

Botnet

%Group%

C2

%Hosts%:%Ports%

Mutex

%MTX%

Extracted

Family

asyncrat

Version

VenomRAT_HVNC 5.0.4

Botnet

ctovnm

C2

85.31.45.6:4444

Mutex

OWAsgnAMn

Attributes

delay
0
install
true
install_file
VenomStartup.exe
install_folder
%AppData%

aes.plain

Targets

- Target
  
  vnm/7z.exe
- Size
  
  436KB
- MD5
  
  3e797119e0fd64297cb82794b8d68edd
- SHA1
  
  a67d3b35743f6ca383673a3848b8c97ec164cc0d
- SHA256
  
  c7245e21a7553d9e52d434002a401c77a7ca7d0f245f2311b0ddf16f8f946c6f
- SHA512
  
  1378c54a3a1c5bd73c04e787d218f245024625003d689379013f1343c7f9e6282d670c3d68edce6006629ca90cddd27ac3f53f640f96c4936bbff319658caef8
- SSDEEP
  
  12288:4DRHJamC1E+3ZZ4jjEKDywIYCsdtpu7Cdw:ghF+3ZZ4lRk7h
Score

1^/10
behavioral1
- Target
  
  vnm/Plugins/Keylogger.exe
- Size
  
  10KB
- MD5
  
  4f846f2117c4eab285289b0090521b1e
- SHA1
  
  e25287c39bad32159417c5f0bf798625b6beff45
- SHA256
  
  a17a5bf35d8b784c3111632ba7e0c30a2c1a9c2c95b549235affc16d6d055477
- SHA512
  
  fd946b5f7c3c7d32f226897283de7ba3b4a4ecc2919c363877f1258cd24ed1a52bce53af2fe4ef34c4ac30d00fc456fd4e1593b79c37f7c22211f2c4f6092e5e
- SSDEEP
  
  192:irtmcuq65SoDxi4maEYbRzmEsLkjgv5JHT1eJYHcwY7fazB+LEi:irtlF60GE9rUhVsLF5p1rYydmE
Score

1^/10
behavioral2
- Target
  
  vnm/Stub/Client.exe
- Size
  
  63KB
- MD5
  
  6158c0682f86511060619bba0fe864be
- SHA1
  
  63a1738c87ba9449b1d572ee470da2b242742643
- SHA256
  
  5bf4fc2c4d3115229d60511cad1af48019a4c291ad6144e73393e88e319f80a5
- SHA512
  
  baef40b589d8717f419185ad0885173f790394827d72d78520890ae737c7ee1cebe3af062340847cfe705c223669562e7116f48ab11d59654653a0b269026bd1
- SSDEEP
  
  1536:8WP+BbY58krxvI0TTCNsOoIK7q6LgRAIM8pqKmY7:8WP+BbY5xrxvI0Z7P8R8Xz
Score

10^/10

asyncrat rat
- AsyncRat
  AsyncRAT is designed to remotely monitor and control other computers written in C#.
  rat asyncrat
- Async RAT payload
  rat
behavioral3
- Target
  
  vnm/Stub/client
- Size
  
  144KB
- MD5
  
  f4fdcb900e7af47100ac9e46945fbd55
- SHA1
  
  c1d235a9a2cae8d5a8d4f6ceb4eab9417e1b1fb2
- SHA256
  
  9160b90fa4a6a9cf22f943dba92cec64e2dc03c2317b5d9ab50a753fc410ce43
- SHA512
  
  236eef98d4695a5e1224a87a1dc598639e5c49f6dd192a96cc1b9f8305faa57078deb62d73906a33ba1c1fac4fa5ccc5f344a0f196dbba718b76a36667984ac2
- SSDEEP
  
  3072:Bsp9iv+DYM5ob0HGNSKsstcnZTJQDgWPaySsdH5boWz:Op9iTMSb0mgKFcQjhdH
Score

10^/10

arrowrat asyncrat %group%persistence rat
- ArrowRat
  Remote access tool with various capabilities first seen in late 2021.
  rat arrowrat
- AsyncRat
  AsyncRAT is designed to remotely monitor and control other computers written in C#.
  rat asyncrat
- Async RAT payload
  rat
- Modifies Installed Components in the registry
  persistence
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Suspicious use of SetThreadContext
behavioral4
- Target
  
  vnm/VenomRAT_HVNC.exe
- Size
  
  16.8MB
- MD5
  
  d8291744ad4573fbc0c2f82b1ada7bec
- SHA1
  
  94960ccdc763248cb03e29d3f7b5ac5e20c7c501
- SHA256
  
  69821fd27dd83d225fc21c799b8223d416985ad4a3bb5e78586b6d319e77f351
- SHA512
  
  30f2110a990a541bc64b065b9615581356bdd682765e813d9b0bf32d68cd7dd559498a4e719085b514b7258380681eb7d1789ce2879973f45e18c2050b1266ce
- SSDEEP
  
  393216:0nu7cCgkszHR7G6lrbkDlyoB+Lj19TRA282+yKGoAZGPcFl:0rDhG61qyoBY7q282+JPA4E
Score

10^/10

asyncrat ctovnm rat
- AsyncRat
  AsyncRAT is designed to remotely monitor and control other computers written in C#.
  rat asyncrat
- Async RAT payload
  rat
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
behavioral5
- Target
  
  vnm/client.bin
- Size
  
  144KB
- MD5
  
  f4fdcb900e7af47100ac9e46945fbd55
- SHA1
  
  c1d235a9a2cae8d5a8d4f6ceb4eab9417e1b1fb2
- SHA256
  
  9160b90fa4a6a9cf22f943dba92cec64e2dc03c2317b5d9ab50a753fc410ce43
- SHA512
  
  236eef98d4695a5e1224a87a1dc598639e5c49f6dd192a96cc1b9f8305faa57078deb62d73906a33ba1c1fac4fa5ccc5f344a0f196dbba718b76a36667984ac2
- SSDEEP
  
  3072:Bsp9iv+DYM5ob0HGNSKsstcnZTJQDgWPaySsdH5boWz:Op9iTMSb0mgKFcQjhdH
Score

10^/10

arrowrat asyncrat %group%persistence rat
- ArrowRat
  Remote access tool with various capabilities first seen in late 2021.
  rat arrowrat
- AsyncRat
  AsyncRAT is designed to remotely monitor and control other computers written in C#.
  rat asyncrat
- Async RAT payload
  rat
- Modifies Installed Components in the registry
  persistence
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Suspicious use of SetThreadContext
behavioral6