arrowrat | e5d590f782337416fe7f93aa7f488419f86802500d05ef2fced4ccca7f4e14ae

General

Target

8573d9e75f2c0ef4e69023fc07bee9cb.exe
Size

91KB
MD5

8573d9e75f2c0ef4e69023fc07bee9cb
SHA1

4f3afbab31505056fd71f462bd52f98f3dd9f8ff
SHA256

e5d590f782337416fe7f93aa7f488419f86802500d05ef2fced4ccca7f4e14ae
SHA512

11bbaa8c41989d583ca1af59d8c51b80825634807dfcd8fc50f5e8d3190d224ca48139f70e10a2993b9ae1bca599ee0dd1422af5c716f5441c533c1dedef72e7
SSDEEP

1536:dbRiQM/57SK3bUzZdQ1iIMvnZlbLxjV3AGq5gWlocT1wzySsd9NJ33B:dbRE57SKsstcnZTJQDgWPaySsdH5x

Score

10^/10

arrowrat ty persistence rat

Malware Config

Extracted

Family

arrowrat

Botnet

TY

C2

91.134.207.23:5337

Mutex

DFDFrcvff45thfgh4t44gjahdfhhhhca

Signatures

ArrowRat
Remote access tool with various capabilities first seen in late 2021.
rat arrowrat

Modifies Installed Components in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 988 set thread context of 1184	988	8573d9e75f2c0ef4e69023fc07bee9cb.exe	28

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
988	8573d9e75f2c0ef4e69023fc07bee9cb.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeDebugPrivilege	988	8573d9e75f2c0ef4e69023fc07bee9cb.exe
Token: SeShutdownPrivilege	1868	explorer.exe
Token: SeShutdownPrivilege	1868	explorer.exe
Token: SeShutdownPrivilege	1868	explorer.exe
Token: SeShutdownPrivilege	1868	explorer.exe
Token: SeShutdownPrivilege	1868	explorer.exe
Token: SeShutdownPrivilege	1868	explorer.exe
Token: SeShutdownPrivilege	1868	explorer.exe
Token: SeShutdownPrivilege	1868	explorer.exe
Token: 33	1884	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1884	AUDIODG.EXE
Token: 33	1884	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1884	AUDIODG.EXE
Token: SeShutdownPrivilege	1868	explorer.exe
Token: SeShutdownPrivilege	1868	explorer.exe
Token: SeShutdownPrivilege	1868	explorer.exe

Suspicious use of FindShellTrayWindow 24 IoCs

pid	Process
1868	explorer.exe
1868	explorer.exe
1868	explorer.exe
1868	explorer.exe
1868	explorer.exe
1868	explorer.exe
1868	explorer.exe
1868	explorer.exe
1868	explorer.exe
1868	explorer.exe
1868	explorer.exe
1868	explorer.exe
1868	explorer.exe
1868	explorer.exe
1868	explorer.exe
1868	explorer.exe
1868	explorer.exe
1868	explorer.exe
1868	explorer.exe
1868	explorer.exe
1868	explorer.exe
1868	explorer.exe
1868	explorer.exe
1868	explorer.exe

Suspicious use of SendNotifyMessage 15 IoCs

pid	Process
1868	explorer.exe
1868	explorer.exe
1868	explorer.exe
1868	explorer.exe
1868	explorer.exe
1868	explorer.exe
1868	explorer.exe
1868	explorer.exe
1868	explorer.exe
1868	explorer.exe
1868	explorer.exe
1868	explorer.exe
1868	explorer.exe
1868	explorer.exe
1868	explorer.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 988 wrote to memory of 1868	988	8573d9e75f2c0ef4e69023fc07bee9cb.exe	27
PID 988 wrote to memory of 1868	988	8573d9e75f2c0ef4e69023fc07bee9cb.exe	27
PID 988 wrote to memory of 1868	988	8573d9e75f2c0ef4e69023fc07bee9cb.exe	27
PID 988 wrote to memory of 1868	988	8573d9e75f2c0ef4e69023fc07bee9cb.exe	27
PID 1868 wrote to memory of 1980	1868	explorer.exe	29
PID 1868 wrote to memory of 1980	1868	explorer.exe	29
PID 1868 wrote to memory of 1980	1868	explorer.exe	29
PID 988 wrote to memory of 1184	988	8573d9e75f2c0ef4e69023fc07bee9cb.exe	28
PID 988 wrote to memory of 1184	988	8573d9e75f2c0ef4e69023fc07bee9cb.exe	28
PID 988 wrote to memory of 1184	988	8573d9e75f2c0ef4e69023fc07bee9cb.exe	28
PID 988 wrote to memory of 1184	988	8573d9e75f2c0ef4e69023fc07bee9cb.exe	28
PID 988 wrote to memory of 1184	988	8573d9e75f2c0ef4e69023fc07bee9cb.exe	28
PID 988 wrote to memory of 1184	988	8573d9e75f2c0ef4e69023fc07bee9cb.exe	28
PID 988 wrote to memory of 1184	988	8573d9e75f2c0ef4e69023fc07bee9cb.exe	28
PID 988 wrote to memory of 1184	988	8573d9e75f2c0ef4e69023fc07bee9cb.exe	28
PID 988 wrote to memory of 1184	988	8573d9e75f2c0ef4e69023fc07bee9cb.exe	28

C:\Users\Admin\AppData\Local\Temp\8573d9e75f2c0ef4e69023fc07bee9cb.exe
"C:\Users\Admin\AppData\Local\Temp\8573d9e75f2c0ef4e69023fc07bee9cb.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:988
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  2⤵
  - Modifies Installed Components in the registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:1868
- - C:\Windows\system32\ctfmon.exe
    ctfmon.exe
    3⤵
    PID:1980
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" TY 91.134.207.23 5337 DFDFrcvff45thfgh4t44gjahdfhhhhca
  2⤵
  PID:1184

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x5a8
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1884

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/988-54-0x0000000000140000-0x000000000015E000-memory.dmp

Filesize
120KB

Download
memory/988-55-0x0000000075021000-0x0000000075023000-memory.dmp

Filesize
8KB

Download
memory/1184-64-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1184-59-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1184-60-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1184-62-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1184-63-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1184-67-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1184-69-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1868-57-0x000007FEFBDE1000-0x000007FEFBDE3000-memory.dmp

Filesize
8KB

Download
memory/1868-71-0x00000000025A0000-0x00000000025B0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing