arrowrat | bd26b88c1d59a173c2d183fa24b40d5452685a4686d52acab8f6d1f6b8a1f2d7

Analysis

max time kernel
45s
max time network
48s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
02-10-2022 22:19

Target

bd26b88c1d59a173c2d183fa24b40d5452685a4686d52acab8f6d1f6b8a1f2d7.exe
Size

495KB
MD5

f617dc0ef20d4e72ffd6bc77dd369015
SHA1

0d42af92a721dfb973da334263db1171924cb7b6
SHA256

bd26b88c1d59a173c2d183fa24b40d5452685a4686d52acab8f6d1f6b8a1f2d7
SHA512

0b39e90dadf556df5a74e8eb1cc1ebd5b2263a3f3e42d9430bb61446aac2df8beced2df3f00840d92ed05954c90043cce80d3a0c58a9d804136c057bbffee08c
SSDEEP

12288:2iT5fZPOxHPJHAVwGoh7tfw1h8BvgcNW9eoRmotAG8TJ1k:2iT5fZwxHigBfw1h8KcPemotm

Score

10^/10

arrowrat rat

ArrowRat
Remote access tool with various capabilities first seen in late 2021.
rat arrowrat

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 988 set thread context of 940	988	bd26b88c1d59a173c2d183fa24b40d5452685a4686d52acab8f6d1f6b8a1f2d7.exe	27

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 988 wrote to memory of 940	988	bd26b88c1d59a173c2d183fa24b40d5452685a4686d52acab8f6d1f6b8a1f2d7.exe	27
PID 988 wrote to memory of 940	988	bd26b88c1d59a173c2d183fa24b40d5452685a4686d52acab8f6d1f6b8a1f2d7.exe	27
PID 988 wrote to memory of 940	988	bd26b88c1d59a173c2d183fa24b40d5452685a4686d52acab8f6d1f6b8a1f2d7.exe	27
PID 988 wrote to memory of 940	988	bd26b88c1d59a173c2d183fa24b40d5452685a4686d52acab8f6d1f6b8a1f2d7.exe	27
PID 988 wrote to memory of 940	988	bd26b88c1d59a173c2d183fa24b40d5452685a4686d52acab8f6d1f6b8a1f2d7.exe	27
PID 988 wrote to memory of 940	988	bd26b88c1d59a173c2d183fa24b40d5452685a4686d52acab8f6d1f6b8a1f2d7.exe	27
PID 988 wrote to memory of 940	988	bd26b88c1d59a173c2d183fa24b40d5452685a4686d52acab8f6d1f6b8a1f2d7.exe	27
PID 988 wrote to memory of 940	988	bd26b88c1d59a173c2d183fa24b40d5452685a4686d52acab8f6d1f6b8a1f2d7.exe	27
PID 988 wrote to memory of 940	988	bd26b88c1d59a173c2d183fa24b40d5452685a4686d52acab8f6d1f6b8a1f2d7.exe	27

C:\Users\Admin\AppData\Local\Temp\bd26b88c1d59a173c2d183fa24b40d5452685a4686d52acab8f6d1f6b8a1f2d7.exe
"C:\Users\Admin\AppData\Local\Temp\bd26b88c1d59a173c2d183fa24b40d5452685a4686d52acab8f6d1f6b8a1f2d7.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:988
- C:\Users\Admin\AppData\Local\Temp\bd26b88c1d59a173c2d183fa24b40d5452685a4686d52acab8f6d1f6b8a1f2d7.exe
  C:\Users\Admin\AppData\Local\Temp\bd26b88c1d59a173c2d183fa24b40d5452685a4686d52acab8f6d1f6b8a1f2d7.exe
  2⤵
  PID:940

memory/940-58-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/940-59-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/940-61-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/988-54-0x00000000000E0000-0x0000000000162000-memory.dmp

Filesize
520KB

Download
memory/988-55-0x0000000006C90000-0x0000000006DBE000-memory.dmp

Filesize
1.2MB

Download
memory/988-56-0x0000000000810000-0x0000000000816000-memory.dmp

Filesize
24KB

Download
memory/988-57-0x0000000075021000-0x0000000075023000-memory.dmp

Filesize
8KB

Download