arrowrat

Sharing

Copy URL

Twitter E-mail

General

Target

New WinRAR ZIP archive.zip
Size

23.3MB
Sample

230210-zqqdwacf47
MD5

061875ef25c5aae8f11daa282b89e2a5
SHA1

3e281c48ae8f10761ff2ec0d8735e615b315e796
SHA256

ef06baf5e993b383ff6606608bf3ead3fb66748017fd4e1ca97acb25f08c70eb
SHA512

237197e7f99636ee0e4c4b7312c8f92a93d4bbf5c0f4ebfa91ae2f39d2611d6ad81b7e4a0c742d91b0141a37befadd11cc382b0b7ab0aa21d8d6bb90ecf6f49a
SSDEEP

393216:fiKIT1+eg8gucGB7m2m9UujapA0zhIzKGaItvd0TPY1lHcYxc/U4Pl51Zb2iM/Ia:fiKIh+egO1mXFO3tIzK6eDImYxc/U4fu

Score

10^/10

Malware Config

Extracted

Family

arrowrat

Botnet

identifier

IP:PORT

Mutex

mutex

Targets

- Target
  
  Anarchy.exe
- Size
  
  21.7MB
- MD5
  
  e1529d37d996a81e4ff2dd1405773142
- SHA1
  
  a45b00ed2f8e7454b1a43e95395352092dce0aa8
- SHA256
  
  667fe2c8be172e7b07d9a14e34a1d4e9e072846a6be3406f9c6dbe71acf14c6a
- SHA512
  
  b397e6eebe065e9c17954f4de1ca15efd0ff6ac1ec43f1970863ed8f3380f402c71e9a265f222de0008c670b8595c48cb8c85ec759d7434c57f1e220cc2b01e6
- SSDEEP
  
  393216:wliZ1LmZ+I1cby9YN/XQDK153xVu7vHhqBa4Cs:wIZ1vKHsfQDK1pHCpqBa4C
Score

10^/10

agilenet evasion themida trojan
- Contains code to disable Windows Defender
  A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Loads dropped DLL
- Obfuscated with Agile.Net obfuscator
  Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
  agilenet
- Themida packer
  Detects Themida, an advanced Windows software protection system.
  themida
- Checks whether UAC is enabled
  evasion trojan
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2
- Target
  
  Anarchy.exe.config
- Size
  
  530B
- MD5
  
  c7a4606f8f222fc96e1e6b08c093794b
- SHA1
  
  2700b3727ab01d93e75e1e12f308dcaeb1d37dba
- SHA256
  
  32d656a69b19be98ae050512a4d0f49ebe21b6f7bb9c50130b7e952ea4f5239b
- SHA512
  
  7516375b47536a51ede8079d25760e0142ac93077326b6cc033fd6cb1676b65aec7edb3f702922506f2b6b18992cd219be01e7adbf70c6d13404adceb410472b
Score

1^/10
behavioral3 behavioral4
- Target
  
  Plugins/0guo3zbo66fqoG.dll
- Size
  
  78KB
- MD5
  
  e4ebcf76ff80ef398d3ab77d577f4c08
- SHA1
  
  cb9e6b30a63d50ae87610f6855b64abfb25691d2
- SHA256
  
  9661b1abc9a3e95e591c49c3838a64a066a2ff3c6de08d8aa7b541c4a75cd8e5
- SHA512
  
  8f37cedd987dd14181fdfa861b8a95271868dac21aa9df80bd6daa831ae20f4b4965c8be3e36f32aa220bd37ded11a7568ae237c9c9641bb4fc087f6fe104b01
- SSDEEP
  
  1536:+gqK9OLThWUkwSOykrJROOwj5vCSnVcnwwxu8NMsuS73O4VKid/:1OBX/xFwj5vCSnSwwjNH3O4xd
Score

1^/10
behavioral5 behavioral6
- Target
  
  Plugins/59Zp7paEHDF7luJ.dll
- Size
  
  4.0MB
- MD5
  
  15e3d44d37439f3ac8574ac1c9789ec2
- SHA1
  
  bb3ef30e9f4496198f412738579966210ade36e0
- SHA256
  
  5db4c26057a05bb75ff7892fb60fd76620fc2228811d913d152a0aa4ec9db7a5
- SHA512
  
  ff358c9896792017ff7e91f1dedffd9d75a099c5b852da19599799aeca20b6b269267ff7c12c918a2530fe1a79a12bc8796c4eb3914c97faba3eba27388abde1
- SSDEEP
  
  24576:L2RBtpr5ljLyeVKbed1BeaPc9oFf/V5V4IeDHRbtg58jVh6zBRkM8eJkhjpSLZFb:L2jXr5ZtVKYzX/LV4k58M8eJkhj
Score

1^/10
behavioral7 behavioral8
- Target
  
  Plugins/9Ood5SWkbwPn.AnarHs
- Size
  
  138KB
- MD5
  
  2cf2efcc0e1d910d2d9c933ca73055d0
- SHA1
  
  3bb08f4532f80bf0cd5a36f26393ba00beadb8eb
- SHA256
  
  2475c46eba856424c41cf41db71fd5d6089e8be9031b35279f051da760aa216f
- SHA512
  
  e16ca929bf2c7654251b02946fa7954f89971a27750e05c502acede063a55d88df16fb297c40c7bf54e04ea173cb6c3527e65ca98ad2280543e00e9ef6fa9390
- SSDEEP
  
  3072:ubvh/X2z7Bqh1v59Y08mAjs0Ltel+qOeJHlpV8b+Y/Yi:ubvhPi7BqjjYHdrqkL/
Score

10^/10

arrowrat identifier rat
- ArrowRat
  Remote access tool with various capabilities first seen in late 2021.
  rat arrowrat
behavioral10 behavioral9
- Target
  
  Plugins/EVa7gBMKoaHmLC.dll
- Size
  
  170KB
- MD5
  
  64a3d908b8a5feff2bccfc67f3a67dbd
- SHA1
  
  a17d7e5fa57c99a067cac459cb507b625dac254e
- SHA256
  
  6ea1ae7ab496666c0117fc20e704bfb6104b13cfb0408073a09689f863fa64b1
- SHA512
  
  66374d720230799bea6ac6cfe3faadc37fd775a49d40c04facae1caf1ec658956bbda54ba75287d7128b19b97971bd933a64469da8e0884225c5a8d8b9423ccc
- SSDEEP
  
  3072:/bFHKx2Vpgdk6BCNs19kPVoPsb7oR4ZkvEfxMxf4t8BkVb0Uc:/TVpgdkpNs19I6Pe7oR4ZAEfx+LiVb
Score

1^/10
behavioral11 behavioral12
- Target
  
  Plugins/FBSyChwp.dll
- Size
  
  170KB
- MD5
  
  0d41ccfaa8e7ef96248b8270d1a44d08
- SHA1
  
  6ee22bdb91d3a18e0b45b6590eb69bc9a0b02326
- SHA256
  
  0ea38d0d964815e2b84748a78bd5a829ae01586478e5f17b976f1ae763c8dec3
- SHA512
  
  a0f236f6dbeb1763fb1c198616de65b907a3a5edf7ed9435c2ad0b5826d84e9d2f25e96aba4e8b681ef495612cf0e04e929427a92d332164ace89e797bcb0e0e
- SSDEEP
  
  3072:OXwOuoHBhyYr+x5IA+1gUtaEKJ8px4e1hkamm9RyxLeN/dIfMU+:awOuYr05T+KUtaEKJ8px4e1RmqRydeNd
Score

1^/10
behavioral13 behavioral14
- Target
  
  Plugins/G3nl0mDcABnDuZ.dll
- Size
  
  177KB
- MD5
  
  97b8bec4c47286e333cc2bedacf7338e
- SHA1
  
  764bbd0307924b71ca89538b42996208d10c9b91
- SHA256
  
  060d467cbeb0a58696287c052f3dd9b3597331b1c812e3e2882d6c232f8511de
- SHA512
  
  a40970622a594533349e75fc2022314ba21f05fc82709d6eaba82f4a2bc343c960029ad2825cfc034ce82622722127d149993bff88982f02d6dd6b5b1fb60fbf
- SSDEEP
  
  3072:EaEk8xLhWuo2alMFVxzPUBvRNHosrO0/1gRR0foQPssGeWSz89:EaEk8PRo2al0DzPUxvHtrN1gROffPfGl
Score

1^/10
behavioral15 behavioral16
- Target
  
  Plugins/K8oCBS3ThnW0WP.dll
- Size
  
  373KB
- MD5
  
  1681e0f3311751361030ff30a957a1ed
- SHA1
  
  8f3b55e130af507549817fda37474a1391e6b8f2
- SHA256
  
  234724f14dbb999853aeb872d7e6c3ed0b3de5b105009b5c66131a2af8d0dbb4
- SHA512
  
  60690b2c1e2816a640f5763f9c20de9a39cb9735ea4a3f0bf4f477d3e184f8791e556313a7523c70ed2fb9182d520842bce70057cedd5cb89b923fd6f9067dd1
- SSDEEP
  
  6144:qPcVUKQh7PTlFOEPDDeXmCIW89SQsgy/mVHeiOA7+Yi4kZd:qEVoVn2Xa9Say+b+Yi4kr
Score

1^/10
behavioral17 behavioral18
- Target
  
  Plugins/KNTmoSnG.AnarHs.dll
- Size
  
  373KB
- MD5
  
  1681e0f3311751361030ff30a957a1ed
- SHA1
  
  8f3b55e130af507549817fda37474a1391e6b8f2
- SHA256
  
  234724f14dbb999853aeb872d7e6c3ed0b3de5b105009b5c66131a2af8d0dbb4
- SHA512
  
  60690b2c1e2816a640f5763f9c20de9a39cb9735ea4a3f0bf4f477d3e184f8791e556313a7523c70ed2fb9182d520842bce70057cedd5cb89b923fd6f9067dd1
- SSDEEP
  
  6144:qPcVUKQh7PTlFOEPDDeXmCIW89SQsgy/mVHeiOA7+Yi4kZd:qEVoVn2Xa9Say+b+Yi4kr
Score

1^/10
behavioral19 behavioral20
- Target
  
  Plugins/PK0TcnqTGFagQTS.dll
- Size
  
  174KB
- MD5
  
  fa90a2aee0d172000257c4faca31237c
- SHA1
  
  b317281b4acaaf1d7b7255c5e92887322abae892
- SHA256
  
  991fc53fa1aa7b5cd0b6e19dab536873d68e4413fd55b533601a3a2582d38a49
- SHA512
  
  b05c0b52e011089258ad31dd23a1f8a0cc8145b202e42e2a9d4fdf892c12d4a7b5843cc7721041295ab796e8bc98747b9e321c4e54bfd1a7c9a02dd2796fc405
- SSDEEP
  
  3072:Z60dHpQssTFrcpvZFlOJA3YCVbbME5f8YpIVbltkksqBRbRw:xPsZcpvZFlOJA3VVbbME5f7pIVbTkkZJ
Score

1^/10
behavioral21 behavioral22
- Target
  
  Plugins/Recovery.dll
- Size
  
  309KB
- MD5
  
  08131d6801c109f0764a4fe690aba8ef
- SHA1
  
  e732af02326483700eda52ff40dc70cff6b7afcb
- SHA256
  
  bc3a9390c043f8002e356ad34b2b11d3486682d0c275ab6729bb4a312e324f51
- SHA512
  
  228ab0aa0ddfdb0c099f1db5112304d776cb97ab2dab376d38023e446cb2aec30d9585eba444818f3241ffbc28565a1aef11f97b5b42bf57037de8e4a8536e2a
- SSDEEP
  
  6144:sb8xPy7+NKMDMAlcn38OxKl9x7qs9Pxcm0AUNy9rsxLaxHUX:sbBMDMVqfBdcmDBuX
Score

1^/10
behavioral23 behavioral24
- Target
  
  Plugins/RssCnLKcGRxj.dll
- Size
  
  181KB
- MD5
  
  f6808c4fbbe0275db03b2cc5b4c2bc0d
- SHA1
  
  e40b61c64c68f72fc5144f5057d54229babdecf8
- SHA256
  
  e204d15f0e7269d364157aaab265a5dfbe7e76c9f6202bf90998f0edd77ca248
- SHA512
  
  f077c49f6943d0e40799b3b42d1e11f50dabca48305c36ef2acd3258c990e0e0f982fbb0c27b1243aa15d2ed7b398b70f07dddc9ba76ff032ba74a24c8e08fb4
- SSDEEP
  
  3072:P1F3B6k7/u/cVnvqtXEIGyv5LBPcwk4V9KIgBH/cNw5/UzUYNv:P1F0kDu/+WX8yhLBPcwk4SIgBH/Yw58P
Score

1^/10
behavioral25 behavioral26
- Target
  
  Plugins/WkUP83aP9CABpi.dll
- Size
  
  175KB
- MD5
  
  3100ead33f5672e8ecae7b0b32d5fa28
- SHA1
  
  048b5e3956c19290e0d3212138fe8f8be04a05d9
- SHA256
  
  0f6c930b39e5a4c7fcba75876c443307d4927015d2a48511818ccbfaa95ca2f4
- SHA512
  
  fe1167a211cb745a0a98f58da2a517f8b1769e887b9869680fe78cdf22bec20bfee22b8c9453a9a4eef7c9b474ed88300be854b39a78ff9d3828e76d98021ae8
- SSDEEP
  
  3072:AD+L0wKJm4DFpA8WNyhOiYJi09NuUXJvyn/s9NtyGhho+/FuYfxH4YmAORn:UQIJ1DFpA8WNycifMJvyn/s9NtyGhho7
Score

1^/10
behavioral27 behavioral28
- Target
  
  Plugins/fzAgyDYa.AnarHs
- Size
  
  181KB
- MD5
  
  21aaf842f7518fdc7038c09a78292c7e
- SHA1
  
  ff68658d3c1d6aecf1bb0e41c0e62c7dec24885f
- SHA256
  
  f0a82d67f8b53de0915c2c8853e47b191aa24be180c398f61c5332e558094e4a
- SHA512
  
  1cfe3bcc66ad0aeb9fca5d74253dba2efcf777ee15266828edb0d4a196f9a6e41871c51fc4eb0d7022b8183e768a62b38dfe974f7a65a2e259141eeb93a88458
- SSDEEP
  
  3072:A3NNnhy2Yt+HCQKrPCrCihOZNPd14hlaWWfiooIbuTyXb3tk:Ge2Yt+XKrOCsed14hlh5tIbueXb
Score

1^/10
behavioral29 behavioral30
- Target
  
  Plugins/mML6WKMqdxjDGA.dll
- Size
  
  173KB
- MD5
  
  e03b206eec8a7efbd1a47909071226e5
- SHA1
  
  21163989ea524920e874bc7932adfcd5e94f854e
- SHA256
  
  778877431354a9584325dadb663be077f757227eaae8bcad33e4bf26efd6b965
- SHA512
  
  831ed74419f1b4c3250fbff20be16ed7058a851d7168a17e8a4dcf284a19412feee42a8c198af34b37571de33a80c48ac855f5d018ea9e2cfdcd846b832155ff
- SSDEEP
  
  3072:5nkYlKsdY6RwiYNF7Bs2GEEg+9D8RZW7iKcnQy/dh1CWMEPrhBSepT/9HxW2Je:5nkrsdYUwiYNF722GEb+uRZWhcQy/71H
Score

1^/10
behavioral31 behavioral32

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Contains code to disable Windows Defender

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Checks BIOS information in registry

Loads dropped DLL

Obfuscated with Agile.Net obfuscator

Themida packer

Checks whether UAC is enabled

Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v6

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10

behavioral11

behavioral12

behavioral13

behavioral14

behavioral15

behavioral16

behavioral17

behavioral18

behavioral19

behavioral20

behavioral21

behavioral22

behavioral23

behavioral24

behavioral25

behavioral26

behavioral27

behavioral28

behavioral29

behavioral30

behavioral31

behavioral32