arrowrat | 65403a8b9ecca912ea5cfa91aecdbe77c23e652e4c7465efded126c74711f65e | Triage

Sharing

General

Target

bEle.exe
Size

138KB
Sample

230305-3kelzahh47
MD5

11b99c53b1e6030355af231a3a7fa65b
SHA1

50b4a627dd808c1e332c2803286234f37e46bc2d
SHA256

65403a8b9ecca912ea5cfa91aecdbe77c23e652e4c7465efded126c74711f65e
SHA512

33a134c15708651e725daf0c834a01d970718f90109db275c38dbfd0501486c126d0566ab61cc55f4f47c3e7988483b7b445101b11388cff6399f4815ec63764
SSDEEP

3072:KbvC5mz7Bqh1v59Y08mAjs0Ltel+qOeJHlpV8b+Y/YP:KbvuS7BqjjYHdrqkL/

Score

10^/10

arrowrat 41iuhu persistence rat

Malware Config

Extracted

Family

arrowrat

Botnet

41IUHU

C2

6.tcp.eu.ngrok.io:15821

Mutex

S2TDUW

Targets

- Target
  
  bEle.exe
- Size
  
  138KB
- MD5
  
  11b99c53b1e6030355af231a3a7fa65b
- SHA1
  
  50b4a627dd808c1e332c2803286234f37e46bc2d
- SHA256
  
  65403a8b9ecca912ea5cfa91aecdbe77c23e652e4c7465efded126c74711f65e
- SHA512
  
  33a134c15708651e725daf0c834a01d970718f90109db275c38dbfd0501486c126d0566ab61cc55f4f47c3e7988483b7b445101b11388cff6399f4815ec63764
- SSDEEP
  
  3072:KbvC5mz7Bqh1v59Y08mAjs0Ltel+qOeJHlpV8b+Y/YP:KbvuS7BqjjYHdrqkL/
Score

10^/10

arrowrat 41iuhu persistence rat
- ArrowRat
  Remote access tool with various capabilities first seen in late 2021.
  rat arrowrat
- Modifies Installed Components in the registry
  persistence
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Web Service

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

arrowrat41iuhupersistencerat

behavioral2

arrowrat41iuhupersistencerat