arrowrat | 76a23c2c0f53fd0360b8eb6b6204a46f011a59a4b9e66adc1507da50f8a45c38

General

Target

8573d9e75f2c0ef4e69023fc07bee9cb.exe
Size

91KB
MD5

8573d9e75f2c0ef4e69023fc07bee9cb
SHA1

4f3afbab31505056fd71f462bd52f98f3dd9f8ff
SHA256

e5d590f782337416fe7f93aa7f488419f86802500d05ef2fced4ccca7f4e14ae
SHA512

11bbaa8c41989d583ca1af59d8c51b80825634807dfcd8fc50f5e8d3190d224ca48139f70e10a2993b9ae1bca599ee0dd1422af5c716f5441c533c1dedef72e7
SSDEEP

1536:dbRiQM/57SK3bUzZdQ1iIMvnZlbLxjV3AGq5gWlocT1wzySsd9NJ33B:dbRE57SKsstcnZTJQDgWPaySsdH5x

Score

10^/10

arrowrat ty persistence rat

Malware Config

Extracted

Family

arrowrat

Botnet

TY

C2

91.134.207.23:5337

Mutex

DFDFrcvff45thfgh4t44gjahdfhhhhca

Signatures

ArrowRat
Remote access tool with various capabilities first seen in late 2021.
rat arrowrat

Modifies Installed Components in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 784 set thread context of 1272	784	8573d9e75f2c0ef4e69023fc07bee9cb.exe	27

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
784	8573d9e75f2c0ef4e69023fc07bee9cb.exe

Suspicious use of AdjustPrivilegeToken 17 IoCs

description	pid	Process
Token: SeDebugPrivilege	784	8573d9e75f2c0ef4e69023fc07bee9cb.exe
Token: SeShutdownPrivilege	2012	explorer.exe
Token: SeShutdownPrivilege	2012	explorer.exe
Token: SeShutdownPrivilege	2012	explorer.exe
Token: SeShutdownPrivilege	2012	explorer.exe
Token: SeShutdownPrivilege	2012	explorer.exe
Token: SeShutdownPrivilege	2012	explorer.exe
Token: SeShutdownPrivilege	2012	explorer.exe
Token: SeShutdownPrivilege	2012	explorer.exe
Token: 33	1676	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1676	AUDIODG.EXE
Token: 33	1676	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1676	AUDIODG.EXE
Token: SeShutdownPrivilege	2012	explorer.exe
Token: SeShutdownPrivilege	2012	explorer.exe
Token: SeShutdownPrivilege	2012	explorer.exe
Token: SeShutdownPrivilege	2012	explorer.exe

Suspicious use of FindShellTrayWindow 24 IoCs

pid	Process
2012	explorer.exe
2012	explorer.exe
2012	explorer.exe
2012	explorer.exe
2012	explorer.exe
2012	explorer.exe
2012	explorer.exe
2012	explorer.exe
2012	explorer.exe
2012	explorer.exe
2012	explorer.exe
2012	explorer.exe
2012	explorer.exe
2012	explorer.exe
2012	explorer.exe
2012	explorer.exe
2012	explorer.exe
2012	explorer.exe
2012	explorer.exe
2012	explorer.exe
2012	explorer.exe
2012	explorer.exe
2012	explorer.exe
2012	explorer.exe

Suspicious use of SendNotifyMessage 16 IoCs

pid	Process
2012	explorer.exe
2012	explorer.exe
2012	explorer.exe
2012	explorer.exe
2012	explorer.exe
2012	explorer.exe
2012	explorer.exe
2012	explorer.exe
2012	explorer.exe
2012	explorer.exe
2012	explorer.exe
2012	explorer.exe
2012	explorer.exe
2012	explorer.exe
2012	explorer.exe
2012	explorer.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 784 wrote to memory of 2012	784	8573d9e75f2c0ef4e69023fc07bee9cb.exe	26
PID 784 wrote to memory of 2012	784	8573d9e75f2c0ef4e69023fc07bee9cb.exe	26
PID 784 wrote to memory of 2012	784	8573d9e75f2c0ef4e69023fc07bee9cb.exe	26
PID 784 wrote to memory of 2012	784	8573d9e75f2c0ef4e69023fc07bee9cb.exe	26
PID 2012 wrote to memory of 936	2012	explorer.exe	28
PID 2012 wrote to memory of 936	2012	explorer.exe	28
PID 2012 wrote to memory of 936	2012	explorer.exe	28
PID 784 wrote to memory of 1272	784	8573d9e75f2c0ef4e69023fc07bee9cb.exe	27
PID 784 wrote to memory of 1272	784	8573d9e75f2c0ef4e69023fc07bee9cb.exe	27
PID 784 wrote to memory of 1272	784	8573d9e75f2c0ef4e69023fc07bee9cb.exe	27
PID 784 wrote to memory of 1272	784	8573d9e75f2c0ef4e69023fc07bee9cb.exe	27
PID 784 wrote to memory of 1272	784	8573d9e75f2c0ef4e69023fc07bee9cb.exe	27
PID 784 wrote to memory of 1272	784	8573d9e75f2c0ef4e69023fc07bee9cb.exe	27
PID 784 wrote to memory of 1272	784	8573d9e75f2c0ef4e69023fc07bee9cb.exe	27
PID 784 wrote to memory of 1272	784	8573d9e75f2c0ef4e69023fc07bee9cb.exe	27
PID 784 wrote to memory of 1272	784	8573d9e75f2c0ef4e69023fc07bee9cb.exe	27

C:\Users\Admin\AppData\Local\Temp\8573d9e75f2c0ef4e69023fc07bee9cb.exe
"C:\Users\Admin\AppData\Local\Temp\8573d9e75f2c0ef4e69023fc07bee9cb.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:784
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  2⤵
  - Modifies Installed Components in the registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:2012
- - C:\Windows\system32\ctfmon.exe
    ctfmon.exe
    3⤵
    PID:936
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" TY 91.134.207.23 5337 DFDFrcvff45thfgh4t44gjahdfhhhhca
  2⤵
  PID:1272

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x150
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1676

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:1120

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/784-55-0x0000000075FC1000-0x0000000075FC3000-memory.dmp

Filesize
8KB

Download
memory/784-54-0x0000000000CD0000-0x0000000000CEE000-memory.dmp

Filesize
120KB

Download
memory/1272-64-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1272-59-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1272-60-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1272-62-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1272-63-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1272-67-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1272-69-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2012-57-0x000007FEFB871000-0x000007FEFB873000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing