arrowrat | 5d573461fbe87a4441a12b5b61a3b74019aa21a784f9cf4410e1da100a55c792 | Triage

Sharing

General

Target

7b2ec8aedfd42a95a5994dff19115471
Size

138KB
Sample

220803-qhsdtsbdg2
MD5

7b2ec8aedfd42a95a5994dff19115471
SHA1

f51aa65fc904272a1e344a57c436ba8632065b6c
SHA256

5d573461fbe87a4441a12b5b61a3b74019aa21a784f9cf4410e1da100a55c792
SHA512

1f5a313bf59129967db3e6f515edb364bde5c3d66c8cd67f27f79ff65cfdd8f982a68c3934e7574709ab71608c5d877d30f8ac8dc3986dd03523d8f6ad2caada
SSDEEP

3072:2bvik5mz7Bqh1v59Y08mAjs0Ltel+qOeJHlpV8b+Y/Y+:2bv5S7BqjjYHdrqkL/

Score

10^/10

arrowrat wq0csg persistence rat

Malware Config

Extracted

Family

arrowrat

Botnet

WQ0CSG

C2

Pandorace.ddnsgeek.com:1338

Mutex

XPL7P6

Targets

- Target
  
  7b2ec8aedfd42a95a5994dff19115471
- Size
  
  138KB
- MD5
  
  7b2ec8aedfd42a95a5994dff19115471
- SHA1
  
  f51aa65fc904272a1e344a57c436ba8632065b6c
- SHA256
  
  5d573461fbe87a4441a12b5b61a3b74019aa21a784f9cf4410e1da100a55c792
- SHA512
  
  1f5a313bf59129967db3e6f515edb364bde5c3d66c8cd67f27f79ff65cfdd8f982a68c3934e7574709ab71608c5d877d30f8ac8dc3986dd03523d8f6ad2caada
- SSDEEP
  
  3072:2bvik5mz7Bqh1v59Y08mAjs0Ltel+qOeJHlpV8b+Y/Y+:2bv5S7BqjjYHdrqkL/
Score

10^/10

arrowrat wq0csg persistence rat
- ArrowRat
  Remote access tool with various capabilities first seen in late 2021.
  rat arrowrat
- Modifies Installed Components in the registry
  persistence
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

arrowratwq0csgpersistencerat

behavioral2

arrowratwq0csgpersistencerat