arrowrat | abf2dcd61f4a9717e372e32dcfcb02831e51130f4a91fa87bb7954785db435fd | Triage

Sharing

General

Target

222.txt
Size

457KB
Sample

230517-w5a1ysfb3z
MD5

5ff1aded34d5d6f0635f6f9861436886
SHA1

d798ff38d279754353ee88ff35bf46a87dc75484
SHA256

abf2dcd61f4a9717e372e32dcfcb02831e51130f4a91fa87bb7954785db435fd
SHA512

b3d6b951c3130e8a834744cbebc78208b9e1393517ca40e4e3a5bdf391cb1c05c4a23ee88aaac61b1be5a163811069d97ecfdf372457607cc3716ea11a6d8402
SSDEEP

6144:6VDFV/A8nNKmbcRTUufYbE6N4tDeaBfLo1sHsl9yS/M0HixBNqrpB92bMDsA4nx2:snND98MDL

Score

10^/10

arrowrat client persistence rat

Malware Config

Extracted

Family

arrowrat

Botnet

Client

C2

185.252.178.121:1337

Mutex

qCDAaGyIF

Targets

- Target
  
  222.txt
- Size
  
  457KB
- MD5
  
  5ff1aded34d5d6f0635f6f9861436886
- SHA1
  
  d798ff38d279754353ee88ff35bf46a87dc75484
- SHA256
  
  abf2dcd61f4a9717e372e32dcfcb02831e51130f4a91fa87bb7954785db435fd
- SHA512
  
  b3d6b951c3130e8a834744cbebc78208b9e1393517ca40e4e3a5bdf391cb1c05c4a23ee88aaac61b1be5a163811069d97ecfdf372457607cc3716ea11a6d8402
- SSDEEP
  
  6144:6VDFV/A8nNKmbcRTUufYbE6N4tDeaBfLo1sHsl9yS/M0HixBNqrpB92bMDsA4nx2:snND98MDL
Score

10^/10

arrowrat client persistence rat
- ArrowRat
  Remote access tool with various capabilities first seen in late 2021.
  rat arrowrat
- Modifies Installed Components in the registry
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

arrowratclientpersistencerat