General
-
Target
x2xFapxhdTcU.exe
-
Size
138KB
-
Sample
230305-3gjfrahc7z
-
MD5
f24c263ecf54962af2a2ae5e7f5b139e
-
SHA1
ae62b6a2729f55c70e682247b1eafe09c4e03890
-
SHA256
e37964ebdb10d9e06d3aa47b5ca1500571e13f582d50add487110c7abb26a76c
-
SHA512
efb571f03a200b2038f19dae2866e0e68e510b84b040b3a438cf6be2850ce7305cd1635fd9bac6321a7203a35492483dffa07b0d72308c659e3e724023ae691b
-
SSDEEP
3072:+bvB5mz7Bqh1v59Y08mAjs0Ltel+qOeJHlpV8b+Y/YI:+bvPS7BqjjYHdrqkL/
Malware Config
Extracted
arrowrat
JB0QWL
antgobec.duckdns.org:1338
3PDHTO
Targets
-
-
Target
x2xFapxhdTcU.exe
-
Size
138KB
-
MD5
f24c263ecf54962af2a2ae5e7f5b139e
-
SHA1
ae62b6a2729f55c70e682247b1eafe09c4e03890
-
SHA256
e37964ebdb10d9e06d3aa47b5ca1500571e13f582d50add487110c7abb26a76c
-
SHA512
efb571f03a200b2038f19dae2866e0e68e510b84b040b3a438cf6be2850ce7305cd1635fd9bac6321a7203a35492483dffa07b0d72308c659e3e724023ae691b
-
SSDEEP
3072:+bvB5mz7Bqh1v59Y08mAjs0Ltel+qOeJHlpV8b+Y/YI:+bvPS7BqjjYHdrqkL/
Score10/10-
ArrowRat
Remote access tool with various capabilities first seen in late 2021.
-
Modifies WinLogon for persistence
-
Modifies Installed Components in the registry
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Suspicious use of SetThreadContext
-