Analysis Overview
SHA256
393c7e77b02c57fab99cc076e29bd439ca049cacdbd9f7511177aa3ffd8d9b01
Threat Level: Known bad
The file PANDORA HVNC Cracked.zip.zip was found to be: Known bad.
Malicious Activity Summary
ArrowRat
Arrowrat family
Loads dropped DLL
Obfuscated with Agile.Net obfuscator
Unsigned PE
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-06-29 00:44
Signatures
Arrowrat family
Obfuscated with Agile.Net obfuscator
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral7
Detonation Overview
Submitted
2024-06-29 00:44
Reported
2024-06-29 01:14
Platform
win10-20240611-en
Max time kernel
372s
Max time network
1612s
Command Line
Signatures
ArrowRat
Processes
C:\Users\Admin\AppData\Local\Temp\client.exe
"C:\Users\Admin\AppData\Local\Temp\client.exe"
Network
| Country | Destination | Domain | Proto |
| US | 199.232.210.172:80 | tcp | |
| US | 199.232.214.172:80 | tcp | |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.173.189.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 131.83.221.88.in-addr.arpa | udp |
Files
memory/2848-0-0x00007FFF8BF33000-0x00007FFF8BF34000-memory.dmp
memory/2848-1-0x000001FA85230000-0x000001FA8525A000-memory.dmp
Analysis: behavioral8
Detonation Overview
Submitted
2024-06-29 00:44
Reported
2024-06-29 01:14
Platform
win10v2004-20240508-en
Max time kernel
1690s
Max time network
1700s
Command Line
Signatures
ArrowRat
Processes
C:\Users\Admin\AppData\Local\Temp\client.exe
"C:\Users\Admin\AppData\Local\Temp\client.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
Files
memory/2340-0-0x0000020499800000-0x000002049982A000-memory.dmp
memory/2340-1-0x00007FFECB833000-0x00007FFECB835000-memory.dmp
Analysis: behavioral9
Detonation Overview
Submitted
2024-06-29 00:44
Reported
2024-06-29 01:14
Platform
win11-20240508-en
Max time kernel
1737s
Max time network
1747s
Command Line
Signatures
ArrowRat
Processes
C:\Users\Admin\AppData\Local\Temp\client.exe
"C:\Users\Admin\AppData\Local\Temp\client.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
Files
memory/648-0-0x00007FFAD9D13000-0x00007FFAD9D15000-memory.dmp
memory/648-1-0x000001811F6C0000-0x000001811F6EA000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-29 00:44
Reported
2024-06-29 01:14
Platform
win10-20240404-en
Max time kernel
315s
Max time network
1596s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Guna.UI2.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.16.208.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 131.83.221.88.in-addr.arpa | udp |
Files
Analysis: behavioral3
Detonation Overview
Submitted
2024-06-29 00:44
Reported
2024-06-29 01:14
Platform
win11-20240611-en
Max time kernel
1483s
Max time network
1497s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Guna.UI2.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 131.83.221.88.in-addr.arpa | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
Files
Analysis: behavioral4
Detonation Overview
Submitted
2024-06-29 00:44
Reported
2024-06-29 00:45
Platform
win10-20240404-en
Max time kernel
46s
Max time network
17s
Command Line
Signatures
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PandorahVNC.exe | N/A |
Obfuscated with Agile.Net obfuscator
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PandorahVNC.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PandorahVNC.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PandorahVNC.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\PandorahVNC.exe
"C:\Users\Admin\AppData\Local\Temp\PandorahVNC.exe"
Network
Files
memory/4904-0-0x0000000073A8E000-0x0000000073A8F000-memory.dmp
memory/4904-1-0x0000000000770000-0x0000000000B62000-memory.dmp
memory/4904-2-0x00000000058A0000-0x0000000005D9E000-memory.dmp
memory/4904-3-0x0000000005440000-0x00000000054D2000-memory.dmp
memory/4904-4-0x00000000053E0000-0x00000000053EA000-memory.dmp
memory/4904-5-0x0000000073A80000-0x000000007416E000-memory.dmp
memory/4904-6-0x0000000005DA0000-0x0000000005FC4000-memory.dmp
\Users\Admin\AppData\Local\Temp\1a5fdae6-8f46-4b8b-a738-d6572f690d43\AgileDotNetRT.dll
| MD5 | 14ff402962ad21b78ae0b4c43cd1f194 |
| SHA1 | f8a510eb26666e875a5bdd1cadad40602763ad72 |
| SHA256 | fb9646cb956945bdc503e69645f6b5316d3826b780d3c36738d6b944e884d15b |
| SHA512 | daa7a08bf3709119a944bce28f6ebdd24e54a22b18cd9f86a87873e958df121a3881dcdd5e162f6b4e543238c7aef20f657c9830df01d4c79290f7c9a4fcc54b |
memory/4904-14-0x00000000724F0000-0x0000000072570000-memory.dmp
memory/4904-15-0x0000000073A80000-0x000000007416E000-memory.dmp
memory/4904-16-0x0000000073A80000-0x000000007416E000-memory.dmp
memory/4904-17-0x0000000073A80000-0x000000007416E000-memory.dmp
memory/4904-18-0x0000000073A8E000-0x0000000073A8F000-memory.dmp
memory/4904-19-0x0000000073A80000-0x000000007416E000-memory.dmp
memory/4904-20-0x0000000073A80000-0x000000007416E000-memory.dmp
memory/4904-21-0x0000000073A80000-0x000000007416E000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-29 00:44
Reported
2024-06-29 01:14
Platform
win10v2004-20240508-en
Max time kernel
452s
Max time network
1172s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Guna.UI2.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 131.83.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.12.20.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.143.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 213.143.182.52.in-addr.arpa | udp |
Files
Analysis: behavioral12
Detonation Overview
Submitted
2024-06-29 00:44
Reported
2024-06-29 01:14
Platform
win11-20240508-en
Max time kernel
452s
Max time network
1173s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\dnlib.dll,#1
Network
Files
Analysis: behavioral5
Detonation Overview
Submitted
2024-06-29 00:44
Reported
2024-06-29 01:14
Platform
win10v2004-20240508-en
Max time kernel
453s
Max time network
1173s
Command Line
Signatures
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PandorahVNC.exe | N/A |
Obfuscated with Agile.Net obfuscator
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PandorahVNC.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PandorahVNC.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\PandorahVNC.exe
"C:\Users\Admin\AppData\Local\Temp\PandorahVNC.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 107.12.20.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 131.83.221.88.in-addr.arpa | udp |
| IE | 52.111.236.23:443 | tcp | |
| US | 8.8.8.8:53 | 145.83.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.173.189.20.in-addr.arpa | udp |
Files
memory/1124-0-0x00000000746CE000-0x00000000746CF000-memory.dmp
memory/1124-1-0x0000000000F10000-0x0000000001302000-memory.dmp
memory/1124-2-0x00000000062D0000-0x0000000006874000-memory.dmp
memory/1124-3-0x0000000005D20000-0x0000000005DB2000-memory.dmp
memory/1124-4-0x00000000746C0000-0x0000000074E70000-memory.dmp
memory/1124-5-0x0000000005EB0000-0x0000000005EBA000-memory.dmp
memory/1124-6-0x0000000006AB0000-0x0000000006CD4000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1a5fdae6-8f46-4b8b-a738-d6572f690d43\AgileDotNetRT.dll
| MD5 | 14ff402962ad21b78ae0b4c43cd1f194 |
| SHA1 | f8a510eb26666e875a5bdd1cadad40602763ad72 |
| SHA256 | fb9646cb956945bdc503e69645f6b5316d3826b780d3c36738d6b944e884d15b |
| SHA512 | daa7a08bf3709119a944bce28f6ebdd24e54a22b18cd9f86a87873e958df121a3881dcdd5e162f6b4e543238c7aef20f657c9830df01d4c79290f7c9a4fcc54b |
memory/1124-14-0x00000000730D0000-0x0000000073159000-memory.dmp
memory/1124-15-0x00000000746C0000-0x0000000074E70000-memory.dmp
memory/1124-16-0x00000000746C0000-0x0000000074E70000-memory.dmp
memory/1124-17-0x00000000746C0000-0x0000000074E70000-memory.dmp
memory/1124-18-0x00000000746C0000-0x0000000074E70000-memory.dmp
Analysis: behavioral6
Detonation Overview
Submitted
2024-06-29 00:44
Reported
2024-06-29 01:14
Platform
win11-20240419-en
Max time kernel
600s
Max time network
1169s
Command Line
Signatures
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PandorahVNC.exe | N/A |
Obfuscated with Agile.Net obfuscator
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PandorahVNC.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PandorahVNC.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\PandorahVNC.exe
"C:\Users\Admin\AppData\Local\Temp\PandorahVNC.exe"
Network
Files
memory/3968-0-0x00000000745DE000-0x00000000745DF000-memory.dmp
memory/3968-1-0x0000000000C50000-0x0000000001042000-memory.dmp
memory/3968-2-0x0000000005EC0000-0x0000000006466000-memory.dmp
memory/3968-3-0x00000000059C0000-0x0000000005A52000-memory.dmp
memory/3968-4-0x00000000745D0000-0x0000000074D81000-memory.dmp
memory/3968-5-0x0000000005B60000-0x0000000005B6A000-memory.dmp
memory/3968-6-0x00000000066A0000-0x00000000068C4000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1a5fdae6-8f46-4b8b-a738-d6572f690d43\AgileDotNetRT.dll
| MD5 | 14ff402962ad21b78ae0b4c43cd1f194 |
| SHA1 | f8a510eb26666e875a5bdd1cadad40602763ad72 |
| SHA256 | fb9646cb956945bdc503e69645f6b5316d3826b780d3c36738d6b944e884d15b |
| SHA512 | daa7a08bf3709119a944bce28f6ebdd24e54a22b18cd9f86a87873e958df121a3881dcdd5e162f6b4e543238c7aef20f657c9830df01d4c79290f7c9a4fcc54b |
memory/3968-14-0x0000000072FD0000-0x000000007305A000-memory.dmp
memory/3968-15-0x00000000745D0000-0x0000000074D81000-memory.dmp
memory/3968-16-0x00000000745D0000-0x0000000074D81000-memory.dmp
memory/3968-17-0x00000000745D0000-0x0000000074D81000-memory.dmp
memory/3968-18-0x00000000745DE000-0x00000000745DF000-memory.dmp
memory/3968-19-0x00000000745D0000-0x0000000074D81000-memory.dmp
Analysis: behavioral10
Detonation Overview
Submitted
2024-06-29 00:44
Reported
2024-06-29 01:14
Platform
win10-20240404-en
Max time kernel
315s
Max time network
1596s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\dnlib.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.192.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
Files
Analysis: behavioral11
Detonation Overview
Submitted
2024-06-29 00:44
Reported
2024-06-29 01:14
Platform
win10v2004-20240226-en
Max time kernel
1793s
Max time network
1802s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\dnlib.dll,#1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1416 --field-trial-handle=3240,i,13319578961094268484,16557498665191861597,262144 --variations-seed-version /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3356 --field-trial-handle=3240,i,13319578961094268484,16557498665191861597,262144 --variations-seed-version /prefetch:8
Network
| Country | Destination | Domain | Proto |
| GB | 96.16.110.114:80 | tcp | |
| US | 8.8.8.8:53 | 145.83.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 164.189.21.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| GB | 142.250.187.234:443 | tcp | |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 13.107.246.64:443 | tcp | |
| US | 8.8.8.8:53 | 95.12.20.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.16.208.104.in-addr.arpa | udp |