arrowrat | 5a45e4a32a4f2081b33dee2ab94eb3ebb4afafe0bd8f5b76e93dfe975c4a607c | Triage

Sharing

General

Target

bJ99.exe
Size

138KB
Sample

230305-3kzxxahc8z
MD5

2f73fdfb8140276968f2c1b358e5edf0
SHA1

160ec42cd31c98fdd91c8a837be32757b2b9af92
SHA256

5a45e4a32a4f2081b33dee2ab94eb3ebb4afafe0bd8f5b76e93dfe975c4a607c
SHA512

65c2ac40557d94cf715d720a3774547f10253fe00071cd6e1824f6304f02187e26184b7c064e8c5d0526bd8650e5854bae283cb080ea17ef3d007f28b0d477f3
SSDEEP

3072:+bvY5mz7Bqh1v59Y08mAjs0Ltel+qOeJHlpV8b+Y/Yh:+bvwS7BqjjYHdrqkL/

Score

10^/10

arrowrat ojg36c persistence rat

Malware Config

Extracted

Family

arrowrat

Botnet

OJG36C

C2

mayo21.duckdns.org:2158

Mutex

NT7WTE

Targets

- Target
  
  bJ99.exe
- Size
  
  138KB
- MD5
  
  2f73fdfb8140276968f2c1b358e5edf0
- SHA1
  
  160ec42cd31c98fdd91c8a837be32757b2b9af92
- SHA256
  
  5a45e4a32a4f2081b33dee2ab94eb3ebb4afafe0bd8f5b76e93dfe975c4a607c
- SHA512
  
  65c2ac40557d94cf715d720a3774547f10253fe00071cd6e1824f6304f02187e26184b7c064e8c5d0526bd8650e5854bae283cb080ea17ef3d007f28b0d477f3
- SSDEEP
  
  3072:+bvY5mz7Bqh1v59Y08mAjs0Ltel+qOeJHlpV8b+Y/Yh:+bvwS7BqjjYHdrqkL/
Score

10^/10

arrowrat ojg36c persistence rat
- ArrowRat
  Remote access tool with various capabilities first seen in late 2021.
  rat arrowrat
- Modifies Installed Components in the registry
  persistence
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

arrowratojg36cpersistencerat

behavioral2

arrowratojg36cpersistencerat