arrowrat | 0caa17db0c1d695ce4e5bc3f3fc7c9c2e7f96e489108e0303b81fa45efcf92bd | Triage

Sharing

General

Target

hvnc.exe
Size

138KB
Sample

220426-wdz6rshdem
MD5

bb434c347ca1709e54bee1a5d9a5757e
SHA1

844b1f01f53eb6e8f8934880fa7f8994c4245dd4
SHA256

0caa17db0c1d695ce4e5bc3f3fc7c9c2e7f96e489108e0303b81fa45efcf92bd
SHA512

46b87c83ce85d44b152a5921b76f65af19fc93896bc8557b979c72ffdbaef3b21245f1c8aea75a5bd2125bc8df7485f2bcaf98d8b7ee0785c8c1496d08a571be
SSDEEP

3072:PbvG5mz7Bqh1v59Y08mAjs0Ltel+qOeJHlpV8b+Y/Yt:PbviS7BqjjYHdrqkL/

Score

10^/10

arrowrat krck1r persistence rat

Malware Config

Extracted

Family

arrowrat

Botnet

KRCK1R

C2

185.183.35.38:1338

Mutex

4IA671

Targets

- Target
  
  hvnc.exe
- Size
  
  138KB
- MD5
  
  bb434c347ca1709e54bee1a5d9a5757e
- SHA1
  
  844b1f01f53eb6e8f8934880fa7f8994c4245dd4
- SHA256
  
  0caa17db0c1d695ce4e5bc3f3fc7c9c2e7f96e489108e0303b81fa45efcf92bd
- SHA512
  
  46b87c83ce85d44b152a5921b76f65af19fc93896bc8557b979c72ffdbaef3b21245f1c8aea75a5bd2125bc8df7485f2bcaf98d8b7ee0785c8c1496d08a571be
- SSDEEP
  
  3072:PbvG5mz7Bqh1v59Y08mAjs0Ltel+qOeJHlpV8b+Y/Yt:PbviS7BqjjYHdrqkL/
Score

10^/10

arrowrat krck1r persistence rat
- ArrowRat
  Remote access tool with various capabilities first seen in late 2021.
  rat arrowrat
- Modifies WinLogon for persistence
  persistence
- Modifies Installed Components in the registry
  persistence
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

Peripheral Device Discovery

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

arrowratkrck1rpersistencerat

behavioral2

arrowratkrck1rpersistencerat