arrowrat | 17a76858f5bba3812b8f429e261ba0e84baf8197fe1f4478aa6c7adc5d8dd6ff | Triage

Sharing

General

Target

bDiL.exe
Size

138KB
Sample

230305-3kzxxahh53
MD5

fcc0c059b3a4b6f9f865fcde362b9acb
SHA1

23edfe65a519d095ca11f3987bfe6de661953f49
SHA256

17a76858f5bba3812b8f429e261ba0e84baf8197fe1f4478aa6c7adc5d8dd6ff
SHA512

0ebd9972df18c0de58077dceaf0e9618e4e6c004d53775272c8db9613a8db90834e10a255213f55ff492ae489498cc9bdbecf386986cdb1d5a0d2cfe45785b43
SSDEEP

3072:2bvt5mz7Bqh1v59Y08mAjs0Ltel+qOeJHlpV8b+Y/YO:2bv7S7BqjjYHdrqkL/

Score

10^/10

arrowrat il61hb persistence rat

Malware Config

Extracted

Family

arrowrat

Botnet

IL61HB

C2

windowsii.duckdns.org:1338

Mutex

3W69EU

Targets

- Target
  
  bDiL.exe
- Size
  
  138KB
- MD5
  
  fcc0c059b3a4b6f9f865fcde362b9acb
- SHA1
  
  23edfe65a519d095ca11f3987bfe6de661953f49
- SHA256
  
  17a76858f5bba3812b8f429e261ba0e84baf8197fe1f4478aa6c7adc5d8dd6ff
- SHA512
  
  0ebd9972df18c0de58077dceaf0e9618e4e6c004d53775272c8db9613a8db90834e10a255213f55ff492ae489498cc9bdbecf386986cdb1d5a0d2cfe45785b43
- SSDEEP
  
  3072:2bvt5mz7Bqh1v59Y08mAjs0Ltel+qOeJHlpV8b+Y/YO:2bv7S7BqjjYHdrqkL/
Score

10^/10

arrowrat il61hb persistence rat
- ArrowRat
  Remote access tool with various capabilities first seen in late 2021.
  rat arrowrat
- Modifies Installed Components in the registry
  persistence
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

arrowratil61hbpersistencerat

behavioral2

arrowratil61hbpersistencerat