arrowrat | f902c427484c65c3bcd1543072e4c53da376a7ba6151fb6d1ccd990bb7a94be2 | Triage

Submit
Reports

Overview

overview

Static

static

Client.exe

windows10-2004-x64

Sharing

General

Target

Client.exe
Size

157KB
Sample

230228-b3fs7sgg41
MD5

c4d6588bee90ee0c7dd9b674199b0302
SHA1

a3b5f94a66b3198046fec3dd72c0399b6767e5d3
SHA256

f902c427484c65c3bcd1543072e4c53da376a7ba6151fb6d1ccd990bb7a94be2
SHA512

24b7ccf87ec5cc5e3af783a6500b1de4f8a381f31e0baf96f7755cca2a92afee310bcfb3c3bf8b7c033f4161f9b53bbcbd605ee281861e3cd59727870e795a8f
SSDEEP

3072:+bR3+0O5VbFHexuiCrK0ovzNC0Fie+5cVjvn+sZCh8/QbHb68Y:+bRu0OLoxuiCNovpke+cvnOaQ68

Score

10^/10

arrowrat client persistence rat

Static task

static1

client arrowrat

1 signatures

Behavioral task

behavioral1

Sample

Client.exe

Resource

win10v2004-20230220-en

arrowrat client persistence rat

windows10-2004-x64

18 signatures

150 seconds

Malware Config

Extracted

Family

arrowrat

Botnet

Client

C2

194.ip.ply.gg:54552

Mutex

oWzurbWMF

Targets

- Target
  
  Client.exe
- Size
  
  157KB
- MD5
  
  c4d6588bee90ee0c7dd9b674199b0302
- SHA1
  
  a3b5f94a66b3198046fec3dd72c0399b6767e5d3
- SHA256
  
  f902c427484c65c3bcd1543072e4c53da376a7ba6151fb6d1ccd990bb7a94be2
- SHA512
  
  24b7ccf87ec5cc5e3af783a6500b1de4f8a381f31e0baf96f7755cca2a92afee310bcfb3c3bf8b7c033f4161f9b53bbcbd605ee281861e3cd59727870e795a8f
- SSDEEP
  
  3072:+bR3+0O5VbFHexuiCrK0ovzNC0Fie+5cVjvn+sZCh8/QbHb68Y:+bRu0OLoxuiCNovpke+cvnOaQ68
Score

10^/10

arrowrat client persistence rat
- ArrowRat
  Remote access tool with various capabilities first seen in late 2021.
  rat arrowrat
- Modifies WinLogon for persistence
  persistence
- Modifies Installed Components in the registry
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Suspicious use of SetThreadContext
behavioral1

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

arrowratclientpersistencerat

© 2018-2025

Terms | Privacy