arrowrat | 04a15dcd45994e3181c002ecb3a5b6cb203b5dc05d634fe4cb015f76a4a006fd | Triage

Submit
Reports

Overview

overview

Static

static

PandorahVN...ed.rar

windows11-21h2-x64

Resubmissions

04/03/2025, 22:10

250304-13blxssvex 10

04/03/2025, 22:03

250304-1yc9yssshx 10

Sharing

General

Target

PandorahVNC 1.8.6 Fixed.rar
Size

26.2MB
Sample

250304-13blxssvex
MD5

93e38c285d4703b75890c99dd30f72cb
SHA1

77e353c82b805d1d55fdb16a4c559e876ff9d3e6
SHA256

04a15dcd45994e3181c002ecb3a5b6cb203b5dc05d634fe4cb015f76a4a006fd
SHA512

8253b0147cad4a3f7722d51294c99b1cc5391abb6a183e406d53eccc17099a5a5dadd4efe9bc6df452d5d463001416090f96950d578d64614de93ec871899ff2
SSDEEP

786432:5I8Am1JqFB9q+8wxzMZLRZ3MojlU7azLlCNRu0qvYyCifjoPq7:zd0ZUZc6U7azLAKbYyC0MPq7

Score

10^/10

arrowrat #groupname#client discovery execution persistence rat

Static task

static1

client #groupname#arrowrat

2 signatures

Behavioral task

behavioral1

Sample

PandorahVNC 1.8.6 Fixed.rar

Resource

win11-20250217-en

arrowrat #groupname#client discovery execution persistence rat

windows11-21h2-x64

27 signatures

900 seconds

Malware Config

Extracted

Family

arrowrat

Botnet

Client

C2

80.76.49.15:1112

127.0.0.1:1337

Mutex

System

Extracted

Family

arrowrat

Botnet

#GroupName#

C2

#IP#:#PORT#

Mutex

#Mutex#

Targets

- Target
  
  PandorahVNC 1.8.6 Fixed.rar
- Size
  
  26.2MB
- MD5
  
  93e38c285d4703b75890c99dd30f72cb
- SHA1
  
  77e353c82b805d1d55fdb16a4c559e876ff9d3e6
- SHA256
  
  04a15dcd45994e3181c002ecb3a5b6cb203b5dc05d634fe4cb015f76a4a006fd
- SHA512
  
  8253b0147cad4a3f7722d51294c99b1cc5391abb6a183e406d53eccc17099a5a5dadd4efe9bc6df452d5d463001416090f96950d578d64614de93ec871899ff2
- SSDEEP
  
  786432:5I8Am1JqFB9q+8wxzMZLRZ3MojlU7azLlCNRu0qvYyCifjoPq7:zd0ZUZc6U7azLAKbYyC0MPq7
Score

10^/10

arrowrat #groupname#client discovery execution persistence rat
- ArrowRat
  Remote access tool with various capabilities first seen in late 2021.
  rat arrowrat
- Arrowrat family
  arrowrat
- Modifies WinLogon for persistence
  persistence
- Boot or Logon Autostart Execution: Active Setup
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
  persistence
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Boot or Logon Autostart Execution

Active Setup

Winlogon Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Active Setup

Winlogon Helper DLL

Defense Evasion

Modify Registry

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

client#groupname#arrowrat

behavioral1

arrowrat#groupname#clientdiscoveryexecutionpersistencerat

© 2018-2025

Terms | Privacy