General

  • Target

    b766c8001cc928c65188a80a149d8eb11c59178b68cee4437659e67d2f02c402.exe

  • Size

    138KB

  • Sample

    240925-cvt7assekb

  • MD5

    6787bc47fb117dd9ee565060bf696218

  • SHA1

    e11600ca6afb97abbb9c42f1ded0d6afc6daef12

  • SHA256

    b766c8001cc928c65188a80a149d8eb11c59178b68cee4437659e67d2f02c402

  • SHA512

    506c26e3803d30983b8b4e925d5e78e3e27c953d708d5f1fbdbf79a0d2a23d2c299e7021e33c2feccba1de57e1de9ac1b3c6ad5e89bd0e67fdf617ad509105f4

  • SSDEEP

    3072:qbvc5mz7Bqh1v59Y08mAjs0Ltel+qOeJHlpV8b+Y/YS:qbvUS7BqjjYHdrqkL/

Malware Config

Extracted

Family

arrowrat

Botnet

VenomHVNC

C2

84.17.59.86:10018

Mutex

IDgbBCwxP

Targets

    • Target

      b766c8001cc928c65188a80a149d8eb11c59178b68cee4437659e67d2f02c402.exe

    • Size

      138KB

    • MD5

      6787bc47fb117dd9ee565060bf696218

    • SHA1

      e11600ca6afb97abbb9c42f1ded0d6afc6daef12

    • SHA256

      b766c8001cc928c65188a80a149d8eb11c59178b68cee4437659e67d2f02c402

    • SHA512

      506c26e3803d30983b8b4e925d5e78e3e27c953d708d5f1fbdbf79a0d2a23d2c299e7021e33c2feccba1de57e1de9ac1b3c6ad5e89bd0e67fdf617ad509105f4

    • SSDEEP

      3072:qbvc5mz7Bqh1v59Y08mAjs0Ltel+qOeJHlpV8b+Y/YS:qbvUS7BqjjYHdrqkL/

    • ArrowRat

      Remote access tool with various capabilities first seen in late 2021.

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks