arrowrat | ecff5e9fc6e4fc922ae7c0a4d111350b4625edb6755209101aa7152732b28f0b | Triage

Sharing

General

Target

file
Size

281KB
Sample

220822-skleeaheck
MD5

e005c377c3afa1c769c875439bbf1aec
SHA1

e3b472abcae46c5da33e04d94ede7f6ffb082863
SHA256

ecff5e9fc6e4fc922ae7c0a4d111350b4625edb6755209101aa7152732b28f0b
SHA512

010a4db5181598bc0a0a1f7d721948c16f4a815037c2710bd59b59013b67b81a0f1532b5e97ffd5edc52c2e49fdf1cda2a85b20a625bcce51f8c91b9598ccbd2
SSDEEP

3072:dpe4U1Moa3KqxO8fjzF37I3w7kEMnkxrkGf7Nn0gDYZXgZtc181VZtYABwDTw8qg:dpe4U8xO8V7eTiDMkZ9SN2fL62

Score

10^/10

arrowrat client persistence rat

Malware Config

Extracted

Family

arrowrat

Botnet

Client

C2

20.100.171.81:1337

Mutex

XWIEUOzKz

Targets

- Target
  
  file
- Size
  
  281KB
- MD5
  
  e005c377c3afa1c769c875439bbf1aec
- SHA1
  
  e3b472abcae46c5da33e04d94ede7f6ffb082863
- SHA256
  
  ecff5e9fc6e4fc922ae7c0a4d111350b4625edb6755209101aa7152732b28f0b
- SHA512
  
  010a4db5181598bc0a0a1f7d721948c16f4a815037c2710bd59b59013b67b81a0f1532b5e97ffd5edc52c2e49fdf1cda2a85b20a625bcce51f8c91b9598ccbd2
- SSDEEP
  
  3072:dpe4U1Moa3KqxO8fjzF37I3w7kEMnkxrkGf7Nn0gDYZXgZtc181VZtYABwDTw8qg:dpe4U8xO8V7eTiDMkZ9SN2fL62
Score

10^/10

arrowrat client persistence rat
- ArrowRat
  Remote access tool with various capabilities first seen in late 2021.
  rat arrowrat
- Downloads MZ/PE file
- Modifies Installed Components in the registry
  persistence
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

arrowratclientpersistencerat