arrowrat | 3da90ba538cd2589d4018e15b760db3c508d6ffbb7032e3a66789a4c9d09c7b2 | Triage

Submit
Reports

Overview

overview

Static

static

d.vbs

windows7-x64

3

d.vbs

windows10-2004-x64

Resubmissions

31-08-2022 12:55

220831-p6am9agbe2 10

19-08-2022 17:19

220819-vwbqfsgcdj 10

Sharing

General

Target

d.vbs
Size

816KB
Sample

220819-vwbqfsgcdj
MD5

2af5abb6db76b3f1872d568880aced94
SHA1

1e47fb1ba30452f72db8f71fe8dde5a7ad5c1f2c
SHA256

3da90ba538cd2589d4018e15b760db3c508d6ffbb7032e3a66789a4c9d09c7b2
SHA512

ba2e899b365b637547301e2402f16f686badb3f182456dc9c552d1e25eb5a6ca6fa9d75cfe9e260f6ba0edba608daf7dee516cc58c659b8b4844388b330889d2
SSDEEP

6144:nfBfcfYfBfcfhfKfzfffBfcfYfBfcfhfKfqfBfcfYfBfcfhfKfdfBfcfYfBfcfht:r

Score

10^/10

arrowrat fsocity persistence rat

Static task

static1

Behavioral task

behavioral1

Sample

d.vbs

Resource

win7-20220812-en

windows7-x64

4 signatures

150 seconds

Behavioral task

behavioral2

Sample

d.vbs

Resource

win10v2004-20220812-en

arrowrat fsocity persistence rat

windows10-2004-x64

17 signatures

150 seconds

Malware Config

Extracted

Credentials

Protocol: ftp
Host:
185.27.133.14
Port:
21
Username:
[email protected]
Password:
Rfg250583

Extracted

Family

arrowrat

Botnet

Fsocity

C2

104.41.172.235:9091

Mutex

YzpcKpvwT.exe

Targets

- Target
  
  d.vbs
- Size
  
  816KB
- MD5
  
  2af5abb6db76b3f1872d568880aced94
- SHA1
  
  1e47fb1ba30452f72db8f71fe8dde5a7ad5c1f2c
- SHA256
  
  3da90ba538cd2589d4018e15b760db3c508d6ffbb7032e3a66789a4c9d09c7b2
- SHA512
  
  ba2e899b365b637547301e2402f16f686badb3f182456dc9c552d1e25eb5a6ca6fa9d75cfe9e260f6ba0edba608daf7dee516cc58c659b8b4844388b330889d2
- SSDEEP
  
  6144:nfBfcfYfBfcfhfKfzfffBfcfYfBfcfhfKfqfBfcfYfBfcfhfKfdfBfcfYfBfcfht:r
Score

10^/10

arrowrat fsocity persistence rat
- ArrowRat
  Remote access tool with various capabilities first seen in late 2021.
  rat arrowrat
- Blocklisted process makes network request
- Modifies Installed Components in the registry
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

arrowratfsocitypersistencerat

© 2018-2025

Terms | Privacy