arrowrat | b20df532e15674feb9da8728664caa14c6447f4473f2d64f6052de6af0737b3f

Analysis

max time kernel
142s
max time network
45s
platform
windows7_x64
resource
win7-20220718-en
submitted
09-08-2022 16:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4952a2b2bd5b557db6798946e03b8264.exe
Size

158KB
MD5

4952a2b2bd5b557db6798946e03b8264
SHA1

80689d4742b237456dbaf2f5129a9452d18a02b4
SHA256

b20df532e15674feb9da8728664caa14c6447f4473f2d64f6052de6af0737b3f
SHA512

363178c39a43c7048a264a9d6aa0f64bc25a3b4ab752dd411dac40eef4acdec309d11ade25c6ae3e3ef50398d35ac36cecc302582ace0fd2b34b471e1f0b0bcd
SSDEEP

3072:VbRJ+0OoCthfbEFtbcfjF45gjryKKqH6JY2doszEmQotEPPcfPl8a8Y:VbR80ODhTEPgnjuIJzo+PPcfPt8

Score

10^/10

arrowrat client persistence rat

Malware Config

Extracted

Family

arrowrat

Botnet

Client

213.59.119.25:1337

Mutex

SBAyMWVxF

Signatures

ArrowRat
Remote access tool with various capabilities first seen in late 2021.
rat arrowrat

Modifies Installed Components in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

pid	Process
1604	4952a2b2bd5b557db6798946e03b8264.exe
1604	4952a2b2bd5b557db6798946e03b8264.exe
1604	4952a2b2bd5b557db6798946e03b8264.exe
1604	4952a2b2bd5b557db6798946e03b8264.exe
1604	4952a2b2bd5b557db6798946e03b8264.exe
1604	4952a2b2bd5b557db6798946e03b8264.exe
1604	4952a2b2bd5b557db6798946e03b8264.exe
1604	4952a2b2bd5b557db6798946e03b8264.exe
1604	4952a2b2bd5b557db6798946e03b8264.exe
1604	4952a2b2bd5b557db6798946e03b8264.exe
1604	4952a2b2bd5b557db6798946e03b8264.exe
1604	4952a2b2bd5b557db6798946e03b8264.exe
1604	4952a2b2bd5b557db6798946e03b8264.exe
1604	4952a2b2bd5b557db6798946e03b8264.exe
1604	4952a2b2bd5b557db6798946e03b8264.exe
1604	4952a2b2bd5b557db6798946e03b8264.exe
1604	4952a2b2bd5b557db6798946e03b8264.exe
1604	4952a2b2bd5b557db6798946e03b8264.exe
1604	4952a2b2bd5b557db6798946e03b8264.exe
1604	4952a2b2bd5b557db6798946e03b8264.exe
1604	4952a2b2bd5b557db6798946e03b8264.exe
1604	4952a2b2bd5b557db6798946e03b8264.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeDebugPrivilege	1604	4952a2b2bd5b557db6798946e03b8264.exe
Token: SeShutdownPrivilege	1336	explorer.exe
Token: SeShutdownPrivilege	1336	explorer.exe
Token: SeShutdownPrivilege	1336	explorer.exe
Token: SeShutdownPrivilege	1336	explorer.exe
Token: SeShutdownPrivilege	1336	explorer.exe
Token: SeShutdownPrivilege	1336	explorer.exe
Token: SeShutdownPrivilege	1336	explorer.exe
Token: SeShutdownPrivilege	1336	explorer.exe
Token: 33	1200	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1200	AUDIODG.EXE
Token: 33	1200	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1200	AUDIODG.EXE
Token: SeShutdownPrivilege	1336	explorer.exe
Token: SeShutdownPrivilege	1336	explorer.exe
Token: SeShutdownPrivilege	1336	explorer.exe

Suspicious use of FindShellTrayWindow 24 IoCs

pid	Process
1336	explorer.exe
1336	explorer.exe
1336	explorer.exe
1336	explorer.exe
1336	explorer.exe
1336	explorer.exe
1336	explorer.exe
1336	explorer.exe
1336	explorer.exe
1336	explorer.exe
1336	explorer.exe
1336	explorer.exe
1336	explorer.exe
1336	explorer.exe
1336	explorer.exe
1336	explorer.exe
1336	explorer.exe
1336	explorer.exe
1336	explorer.exe
1336	explorer.exe
1336	explorer.exe
1336	explorer.exe
1336	explorer.exe
1336	explorer.exe

Suspicious use of SendNotifyMessage 16 IoCs

pid	Process
1336	explorer.exe
1336	explorer.exe
1336	explorer.exe
1336	explorer.exe
1336	explorer.exe
1336	explorer.exe
1336	explorer.exe
1336	explorer.exe
1336	explorer.exe
1336	explorer.exe
1336	explorer.exe
1336	explorer.exe
1336	explorer.exe
1336	explorer.exe
1336	explorer.exe
1336	explorer.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1604	4952a2b2bd5b557db6798946e03b8264.exe

Suspicious use of WriteProcessMemory 46 IoCs

description	pid	Process	procid_target
PID 1604 wrote to memory of 1336	1604	4952a2b2bd5b557db6798946e03b8264.exe	28
PID 1604 wrote to memory of 1336	1604	4952a2b2bd5b557db6798946e03b8264.exe	28
PID 1604 wrote to memory of 1336	1604	4952a2b2bd5b557db6798946e03b8264.exe	28
PID 1336 wrote to memory of 1224	1336	explorer.exe	29
PID 1336 wrote to memory of 1224	1336	explorer.exe	29
PID 1336 wrote to memory of 1224	1336	explorer.exe	29
PID 1604 wrote to memory of 1332	1604	4952a2b2bd5b557db6798946e03b8264.exe	30
PID 1604 wrote to memory of 1332	1604	4952a2b2bd5b557db6798946e03b8264.exe	30
PID 1604 wrote to memory of 1332	1604	4952a2b2bd5b557db6798946e03b8264.exe	30
PID 1604 wrote to memory of 1332	1604	4952a2b2bd5b557db6798946e03b8264.exe	30
PID 1604 wrote to memory of 272	1604	4952a2b2bd5b557db6798946e03b8264.exe	31
PID 1604 wrote to memory of 272	1604	4952a2b2bd5b557db6798946e03b8264.exe	31
PID 1604 wrote to memory of 272	1604	4952a2b2bd5b557db6798946e03b8264.exe	31
PID 1604 wrote to memory of 272	1604	4952a2b2bd5b557db6798946e03b8264.exe	31
PID 1604 wrote to memory of 1912	1604	4952a2b2bd5b557db6798946e03b8264.exe	32
PID 1604 wrote to memory of 1912	1604	4952a2b2bd5b557db6798946e03b8264.exe	32
PID 1604 wrote to memory of 1912	1604	4952a2b2bd5b557db6798946e03b8264.exe	32
PID 1604 wrote to memory of 1912	1604	4952a2b2bd5b557db6798946e03b8264.exe	32
PID 1604 wrote to memory of 1924	1604	4952a2b2bd5b557db6798946e03b8264.exe	33
PID 1604 wrote to memory of 1924	1604	4952a2b2bd5b557db6798946e03b8264.exe	33
PID 1604 wrote to memory of 1924	1604	4952a2b2bd5b557db6798946e03b8264.exe	33
PID 1604 wrote to memory of 1924	1604	4952a2b2bd5b557db6798946e03b8264.exe	33
PID 1604 wrote to memory of 756	1604	4952a2b2bd5b557db6798946e03b8264.exe	34
PID 1604 wrote to memory of 756	1604	4952a2b2bd5b557db6798946e03b8264.exe	34
PID 1604 wrote to memory of 756	1604	4952a2b2bd5b557db6798946e03b8264.exe	34
PID 1604 wrote to memory of 756	1604	4952a2b2bd5b557db6798946e03b8264.exe	34
PID 1604 wrote to memory of 468	1604	4952a2b2bd5b557db6798946e03b8264.exe	35
PID 1604 wrote to memory of 468	1604	4952a2b2bd5b557db6798946e03b8264.exe	35
PID 1604 wrote to memory of 468	1604	4952a2b2bd5b557db6798946e03b8264.exe	35
PID 1604 wrote to memory of 468	1604	4952a2b2bd5b557db6798946e03b8264.exe	35
PID 1604 wrote to memory of 648	1604	4952a2b2bd5b557db6798946e03b8264.exe	36
PID 1604 wrote to memory of 648	1604	4952a2b2bd5b557db6798946e03b8264.exe	36
PID 1604 wrote to memory of 648	1604	4952a2b2bd5b557db6798946e03b8264.exe	36
PID 1604 wrote to memory of 648	1604	4952a2b2bd5b557db6798946e03b8264.exe	36
PID 1604 wrote to memory of 1168	1604	4952a2b2bd5b557db6798946e03b8264.exe	37
PID 1604 wrote to memory of 1168	1604	4952a2b2bd5b557db6798946e03b8264.exe	37
PID 1604 wrote to memory of 1168	1604	4952a2b2bd5b557db6798946e03b8264.exe	37
PID 1604 wrote to memory of 1168	1604	4952a2b2bd5b557db6798946e03b8264.exe	37
PID 1604 wrote to memory of 1164	1604	4952a2b2bd5b557db6798946e03b8264.exe	38
PID 1604 wrote to memory of 1164	1604	4952a2b2bd5b557db6798946e03b8264.exe	38
PID 1604 wrote to memory of 1164	1604	4952a2b2bd5b557db6798946e03b8264.exe	38
PID 1604 wrote to memory of 1164	1604	4952a2b2bd5b557db6798946e03b8264.exe	38
PID 1604 wrote to memory of 1796	1604	4952a2b2bd5b557db6798946e03b8264.exe	39
PID 1604 wrote to memory of 1796	1604	4952a2b2bd5b557db6798946e03b8264.exe	39
PID 1604 wrote to memory of 1796	1604	4952a2b2bd5b557db6798946e03b8264.exe	39
PID 1604 wrote to memory of 1796	1604	4952a2b2bd5b557db6798946e03b8264.exe	39

C:\Users\Admin\AppData\Local\Temp\4952a2b2bd5b557db6798946e03b8264.exe
"C:\Users\Admin\AppData\Local\Temp\4952a2b2bd5b557db6798946e03b8264.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1604
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  2⤵
  - Modifies Installed Components in the registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:1336
- - C:\Windows\system32\ctfmon.exe
    ctfmon.exe
    3⤵
    PID:1224
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" Client 213.59.119.25 1337 SBAyMWVxF
  2⤵
  PID:1332
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" Client 213.59.119.25 1337 SBAyMWVxF
  2⤵
  PID:272
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" Client 213.59.119.25 1337 SBAyMWVxF
  2⤵
  PID:1912
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" Client 213.59.119.25 1337 SBAyMWVxF
  2⤵
  PID:1924
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" Client 213.59.119.25 1337 SBAyMWVxF
  2⤵
  PID:756
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" Client 213.59.119.25 1337 SBAyMWVxF
  2⤵
  PID:468
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" Client 213.59.119.25 1337 SBAyMWVxF
  2⤵
  PID:648
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" Client 213.59.119.25 1337 SBAyMWVxF
  2⤵
  PID:1168
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" Client 213.59.119.25 1337 SBAyMWVxF
  2⤵
  PID:1164
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" Client 213.59.119.25 1337 SBAyMWVxF
  2⤵
  PID:1796

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x1d0
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1200

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1336-56-0x000007FEFBCF1000-0x000007FEFBCF3000-memory.dmp

Filesize
8KB

Download
memory/1336-58-0x0000000002770000-0x0000000002780000-memory.dmp

Filesize
64KB

Download
memory/1604-54-0x00000000001B0000-0x00000000001DE000-memory.dmp

Filesize
184KB

Download