arrowrat | 04a15dcd45994e3181c002ecb3a5b6cb203b5dc05d634fe4cb015f76a4a006fd | Triage

Resubmissions

04/03/2025, 22:10

250304-13blxssvex 10

04/03/2025, 22:03

250304-1yc9yssshx 10

Sharing

General

Target

PandorahVNC 1.8.6 Fixed.rar
Size

26.2MB
Sample

250304-1yc9yssshx
MD5

93e38c285d4703b75890c99dd30f72cb
SHA1

77e353c82b805d1d55fdb16a4c559e876ff9d3e6
SHA256

04a15dcd45994e3181c002ecb3a5b6cb203b5dc05d634fe4cb015f76a4a006fd
SHA512

8253b0147cad4a3f7722d51294c99b1cc5391abb6a183e406d53eccc17099a5a5dadd4efe9bc6df452d5d463001416090f96950d578d64614de93ec871899ff2
SSDEEP

786432:5I8Am1JqFB9q+8wxzMZLRZ3MojlU7azLlCNRu0qvYyCifjoPq7:zd0ZUZc6U7azLAKbYyC0MPq7

Score

10^/10

arrowrat #groupname#client discovery execution persistence rat

Malware Config

Extracted

Family

arrowrat

Botnet

Client

C2

80.76.49.15:1112

127.0.0.1:1337

Mutex

System

Extracted

Family

arrowrat

Botnet

#GroupName#

C2

#IP#:#PORT#

Mutex

#Mutex#

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://raw.githubusercontent.com/PandorahVNC/PhotoCollection/main/rescale.ps1

Targets

- Target
  
  PandorahVNC 1.8.6 Fixed.rar
- Size
  
  26.2MB
- MD5
  
  93e38c285d4703b75890c99dd30f72cb
- SHA1
  
  77e353c82b805d1d55fdb16a4c559e876ff9d3e6
- SHA256
  
  04a15dcd45994e3181c002ecb3a5b6cb203b5dc05d634fe4cb015f76a4a006fd
- SHA512
  
  8253b0147cad4a3f7722d51294c99b1cc5391abb6a183e406d53eccc17099a5a5dadd4efe9bc6df452d5d463001416090f96950d578d64614de93ec871899ff2
- SSDEEP
  
  786432:5I8Am1JqFB9q+8wxzMZLRZ3MojlU7azLlCNRu0qvYyCifjoPq7:zd0ZUZc6U7azLAKbYyC0MPq7
Score

10^/10

arrowrat #groupname#client discovery execution persistence rat
- ArrowRat
  Remote access tool with various capabilities first seen in late 2021.
  rat arrowrat
- Arrowrat family
  arrowrat
- Boot or Logon Autostart Execution: Active Setup
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
  persistence
- Executes dropped EXE
- Loads dropped DLL
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of SetThreadContext
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Boot or Logon Autostart Execution

Active Setup

Privilege Escalation

Boot or Logon Autostart Execution

Active Setup

Defense Evasion

Modify Registry

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

client#groupname#arrowrat

behavioral1

arrowrat#groupname#clientdiscoveryexecutionpersistencerat