arrowrat | d65bbb5f627ce7367a8f7e391a03b819f800f6606908e9423c791844ff129563 | Triage

Submit
Reports

Overview

overview

Static

static

1

111.exe

windows10-2004-x64

Sharing

General

Target

111.exe
Size

1.2MB
Sample

230228-cdme5aha42
MD5

e27749108c213382a99148b1e8db141d
SHA1

342fff490afc93461090c3d096092de7799cedb7
SHA256

d65bbb5f627ce7367a8f7e391a03b819f800f6606908e9423c791844ff129563
SHA512

e8f1cf8e69435c3bd0265044d3fa03ae2b3f8ffac5ef1b4ffadc2db7b0cb38c804eaed12b9af90936db785fecb2039b77f869e7fa96f02f9aebacca2aecc7bb4
SSDEEP

24576:yJTlBHCmG+3FLG2ffq44sR7auN9pEYXwhyYM/D/WSLkoAhP9FPZ1aKdw:6lVCgLJfqp47awp0h1yLDLJIlFWgw

Score

10^/10

arrowrat client persistence rat

Static task

static1

Behavioral task

behavioral1

Sample

111.exe

Resource

win10v2004-20230220-en

arrowrat client persistence rat

windows10-2004-x64

20 signatures

150 seconds

Malware Config

Extracted

Family

arrowrat

Botnet

Client

C2

194.ip.ply.gg:54552

Mutex

oWzurbWMF

Targets

- Target
  
  111.exe
- Size
  
  1.2MB
- MD5
  
  e27749108c213382a99148b1e8db141d
- SHA1
  
  342fff490afc93461090c3d096092de7799cedb7
- SHA256
  
  d65bbb5f627ce7367a8f7e391a03b819f800f6606908e9423c791844ff129563
- SHA512
  
  e8f1cf8e69435c3bd0265044d3fa03ae2b3f8ffac5ef1b4ffadc2db7b0cb38c804eaed12b9af90936db785fecb2039b77f869e7fa96f02f9aebacca2aecc7bb4
- SSDEEP
  
  24576:yJTlBHCmG+3FLG2ffq44sR7auN9pEYXwhyYM/D/WSLkoAhP9FPZ1aKdw:6lVCgLJfqp47awp0h1yLDLJIlFWgw
Score

10^/10

arrowrat client persistence rat
- ArrowRat
  Remote access tool with various capabilities first seen in late 2021.
  rat arrowrat
- Modifies WinLogon for persistence
  persistence
- Modifies Installed Components in the registry
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Suspicious use of SetThreadContext
behavioral1

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

arrowratclientpersistencerat

© 2018-2025

Terms | Privacy