Malware Analysis Report

2024-10-10 10:38

Sample ID 240629-a3p67szdjm
Target PANDORA HVNC Cracked.zip.zip
SHA256 393c7e77b02c57fab99cc076e29bd439ca049cacdbd9f7511177aa3ffd8d9b01
Tags
arrowrat identifier rat agilenet
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral7

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral8

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral9

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral12

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral5

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral6

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral10

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral11

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

393c7e77b02c57fab99cc076e29bd439ca049cacdbd9f7511177aa3ffd8d9b01

Threat Level: Known bad

The file PANDORA HVNC Cracked.zip.zip was found to be: Known bad.

Malicious Activity Summary

arrowrat identifier rat agilenet

ArrowRat

Arrowrat family

Loads dropped DLL

Obfuscated with Agile.Net obfuscator

Unsigned PE

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-29 00:44

Signatures

Arrowrat family

arrowrat

Obfuscated with Agile.Net obfuscator

agilenet
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral7

Detonation Overview

Submitted

2024-06-29 00:44

Reported

2024-06-29 01:14

Platform

win10-20240611-en

Max time kernel

372s

Max time network

1612s

Command Line

"C:\Users\Admin\AppData\Local\Temp\client.exe"

Signatures

ArrowRat

rat arrowrat

Processes

C:\Users\Admin\AppData\Local\Temp\client.exe

"C:\Users\Admin\AppData\Local\Temp\client.exe"

Network

Country Destination Domain Proto
US 199.232.210.172:80 tcp
US 199.232.214.172:80 tcp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 17.173.189.20.in-addr.arpa udp
US 8.8.8.8:53 131.83.221.88.in-addr.arpa udp

Files

memory/2848-0-0x00007FFF8BF33000-0x00007FFF8BF34000-memory.dmp

memory/2848-1-0x000001FA85230000-0x000001FA8525A000-memory.dmp

Analysis: behavioral8

Detonation Overview

Submitted

2024-06-29 00:44

Reported

2024-06-29 01:14

Platform

win10v2004-20240508-en

Max time kernel

1690s

Max time network

1700s

Command Line

"C:\Users\Admin\AppData\Local\Temp\client.exe"

Signatures

ArrowRat

rat arrowrat

Processes

C:\Users\Admin\AppData\Local\Temp\client.exe

"C:\Users\Admin\AppData\Local\Temp\client.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

memory/2340-0-0x0000020499800000-0x000002049982A000-memory.dmp

memory/2340-1-0x00007FFECB833000-0x00007FFECB835000-memory.dmp

Analysis: behavioral9

Detonation Overview

Submitted

2024-06-29 00:44

Reported

2024-06-29 01:14

Platform

win11-20240508-en

Max time kernel

1737s

Max time network

1747s

Command Line

"C:\Users\Admin\AppData\Local\Temp\client.exe"

Signatures

ArrowRat

rat arrowrat

Processes

C:\Users\Admin\AppData\Local\Temp\client.exe

"C:\Users\Admin\AppData\Local\Temp\client.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

memory/648-0-0x00007FFAD9D13000-0x00007FFAD9D15000-memory.dmp

memory/648-1-0x000001811F6C0000-0x000001811F6EA000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-29 00:44

Reported

2024-06-29 01:14

Platform

win10-20240404-en

Max time kernel

315s

Max time network

1596s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Guna.UI2.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Guna.UI2.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 88.16.208.104.in-addr.arpa udp
US 8.8.8.8:53 131.83.221.88.in-addr.arpa udp

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-06-29 00:44

Reported

2024-06-29 01:14

Platform

win11-20240611-en

Max time kernel

1483s

Max time network

1497s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Guna.UI2.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Guna.UI2.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 131.83.221.88.in-addr.arpa udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-06-29 00:44

Reported

2024-06-29 00:45

Platform

win10-20240404-en

Max time kernel

46s

Max time network

17s

Command Line

"C:\Users\Admin\AppData\Local\Temp\PandorahVNC.exe"

Signatures

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\PandorahVNC.exe N/A

Obfuscated with Agile.Net obfuscator

agilenet
Description Indicator Process Target
N/A N/A N/A N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\PandorahVNC.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\PandorahVNC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\PandorahVNC.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\PandorahVNC.exe

"C:\Users\Admin\AppData\Local\Temp\PandorahVNC.exe"

Network

N/A

Files

memory/4904-0-0x0000000073A8E000-0x0000000073A8F000-memory.dmp

memory/4904-1-0x0000000000770000-0x0000000000B62000-memory.dmp

memory/4904-2-0x00000000058A0000-0x0000000005D9E000-memory.dmp

memory/4904-3-0x0000000005440000-0x00000000054D2000-memory.dmp

memory/4904-4-0x00000000053E0000-0x00000000053EA000-memory.dmp

memory/4904-5-0x0000000073A80000-0x000000007416E000-memory.dmp

memory/4904-6-0x0000000005DA0000-0x0000000005FC4000-memory.dmp

\Users\Admin\AppData\Local\Temp\1a5fdae6-8f46-4b8b-a738-d6572f690d43\AgileDotNetRT.dll

MD5 14ff402962ad21b78ae0b4c43cd1f194
SHA1 f8a510eb26666e875a5bdd1cadad40602763ad72
SHA256 fb9646cb956945bdc503e69645f6b5316d3826b780d3c36738d6b944e884d15b
SHA512 daa7a08bf3709119a944bce28f6ebdd24e54a22b18cd9f86a87873e958df121a3881dcdd5e162f6b4e543238c7aef20f657c9830df01d4c79290f7c9a4fcc54b

memory/4904-14-0x00000000724F0000-0x0000000072570000-memory.dmp

memory/4904-15-0x0000000073A80000-0x000000007416E000-memory.dmp

memory/4904-16-0x0000000073A80000-0x000000007416E000-memory.dmp

memory/4904-17-0x0000000073A80000-0x000000007416E000-memory.dmp

memory/4904-18-0x0000000073A8E000-0x0000000073A8F000-memory.dmp

memory/4904-19-0x0000000073A80000-0x000000007416E000-memory.dmp

memory/4904-20-0x0000000073A80000-0x000000007416E000-memory.dmp

memory/4904-21-0x0000000073A80000-0x000000007416E000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-29 00:44

Reported

2024-06-29 01:14

Platform

win10v2004-20240508-en

Max time kernel

452s

Max time network

1172s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Guna.UI2.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Guna.UI2.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 131.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 95.12.20.2.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 240.143.123.92.in-addr.arpa udp
US 8.8.8.8:53 213.143.182.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral12

Detonation Overview

Submitted

2024-06-29 00:44

Reported

2024-06-29 01:14

Platform

win11-20240508-en

Max time kernel

452s

Max time network

1173s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\dnlib.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\dnlib.dll,#1

Network

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-06-29 00:44

Reported

2024-06-29 01:14

Platform

win10v2004-20240508-en

Max time kernel

453s

Max time network

1173s

Command Line

"C:\Users\Admin\AppData\Local\Temp\PandorahVNC.exe"

Signatures

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\PandorahVNC.exe N/A

Obfuscated with Agile.Net obfuscator

agilenet
Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\PandorahVNC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\PandorahVNC.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\PandorahVNC.exe

"C:\Users\Admin\AppData\Local\Temp\PandorahVNC.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 107.12.20.2.in-addr.arpa udp
US 8.8.8.8:53 131.83.221.88.in-addr.arpa udp
IE 52.111.236.23:443 tcp
US 8.8.8.8:53 145.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 17.173.189.20.in-addr.arpa udp

Files

memory/1124-0-0x00000000746CE000-0x00000000746CF000-memory.dmp

memory/1124-1-0x0000000000F10000-0x0000000001302000-memory.dmp

memory/1124-2-0x00000000062D0000-0x0000000006874000-memory.dmp

memory/1124-3-0x0000000005D20000-0x0000000005DB2000-memory.dmp

memory/1124-4-0x00000000746C0000-0x0000000074E70000-memory.dmp

memory/1124-5-0x0000000005EB0000-0x0000000005EBA000-memory.dmp

memory/1124-6-0x0000000006AB0000-0x0000000006CD4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1a5fdae6-8f46-4b8b-a738-d6572f690d43\AgileDotNetRT.dll

MD5 14ff402962ad21b78ae0b4c43cd1f194
SHA1 f8a510eb26666e875a5bdd1cadad40602763ad72
SHA256 fb9646cb956945bdc503e69645f6b5316d3826b780d3c36738d6b944e884d15b
SHA512 daa7a08bf3709119a944bce28f6ebdd24e54a22b18cd9f86a87873e958df121a3881dcdd5e162f6b4e543238c7aef20f657c9830df01d4c79290f7c9a4fcc54b

memory/1124-14-0x00000000730D0000-0x0000000073159000-memory.dmp

memory/1124-15-0x00000000746C0000-0x0000000074E70000-memory.dmp

memory/1124-16-0x00000000746C0000-0x0000000074E70000-memory.dmp

memory/1124-17-0x00000000746C0000-0x0000000074E70000-memory.dmp

memory/1124-18-0x00000000746C0000-0x0000000074E70000-memory.dmp

Analysis: behavioral6

Detonation Overview

Submitted

2024-06-29 00:44

Reported

2024-06-29 01:14

Platform

win11-20240419-en

Max time kernel

600s

Max time network

1169s

Command Line

"C:\Users\Admin\AppData\Local\Temp\PandorahVNC.exe"

Signatures

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\PandorahVNC.exe N/A

Obfuscated with Agile.Net obfuscator

agilenet
Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\PandorahVNC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\PandorahVNC.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\PandorahVNC.exe

"C:\Users\Admin\AppData\Local\Temp\PandorahVNC.exe"

Network

Files

memory/3968-0-0x00000000745DE000-0x00000000745DF000-memory.dmp

memory/3968-1-0x0000000000C50000-0x0000000001042000-memory.dmp

memory/3968-2-0x0000000005EC0000-0x0000000006466000-memory.dmp

memory/3968-3-0x00000000059C0000-0x0000000005A52000-memory.dmp

memory/3968-4-0x00000000745D0000-0x0000000074D81000-memory.dmp

memory/3968-5-0x0000000005B60000-0x0000000005B6A000-memory.dmp

memory/3968-6-0x00000000066A0000-0x00000000068C4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1a5fdae6-8f46-4b8b-a738-d6572f690d43\AgileDotNetRT.dll

MD5 14ff402962ad21b78ae0b4c43cd1f194
SHA1 f8a510eb26666e875a5bdd1cadad40602763ad72
SHA256 fb9646cb956945bdc503e69645f6b5316d3826b780d3c36738d6b944e884d15b
SHA512 daa7a08bf3709119a944bce28f6ebdd24e54a22b18cd9f86a87873e958df121a3881dcdd5e162f6b4e543238c7aef20f657c9830df01d4c79290f7c9a4fcc54b

memory/3968-14-0x0000000072FD0000-0x000000007305A000-memory.dmp

memory/3968-15-0x00000000745D0000-0x0000000074D81000-memory.dmp

memory/3968-16-0x00000000745D0000-0x0000000074D81000-memory.dmp

memory/3968-17-0x00000000745D0000-0x0000000074D81000-memory.dmp

memory/3968-18-0x00000000745DE000-0x00000000745DF000-memory.dmp

memory/3968-19-0x00000000745D0000-0x0000000074D81000-memory.dmp

Analysis: behavioral10

Detonation Overview

Submitted

2024-06-29 00:44

Reported

2024-06-29 01:14

Platform

win10-20240404-en

Max time kernel

315s

Max time network

1596s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\dnlib.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\dnlib.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 50.192.11.51.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp

Files

N/A

Analysis: behavioral11

Detonation Overview

Submitted

2024-06-29 00:44

Reported

2024-06-29 01:14

Platform

win10v2004-20240226-en

Max time kernel

1793s

Max time network

1802s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\dnlib.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\dnlib.dll,#1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1416 --field-trial-handle=3240,i,13319578961094268484,16557498665191861597,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3356 --field-trial-handle=3240,i,13319578961094268484,16557498665191861597,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
GB 96.16.110.114:80 tcp
US 8.8.8.8:53 145.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 164.189.21.2.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
GB 142.250.187.234:443 tcp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 13.107.246.64:443 tcp
US 8.8.8.8:53 95.12.20.2.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 88.16.208.104.in-addr.arpa udp

Files

N/A