General

  • Target

    Client.exe

  • Size

    158KB

  • Sample

    230522-knzgfahh5z

  • MD5

    ae1a31fccddf3c728479e181ee16c74b

  • SHA1

    767c87adcd18546e3ae40d781579071f7f8035a2

  • SHA256

    279e15cb4ddbb440f1dbffe4f8af8430201971d59c1f40a58a12f81e4f59b342

  • SHA512

    9343ad9da7db4a6f8eb2bd78505bcce18d026de7cdc520864090b130d8d395b0edfc26c456bb4ec554cbd7473ea8cb14302b5a4e91a2072f81f219c97cc81905

  • SSDEEP

    3072:TbzmH+0OoCthfbEFtbcfjF45gjryKKqH6JY2doszEmQotEPPcfPP1O8Y:Tbzme0ODhTEPgnjuIJzo+PPcfPPY8

Malware Config

Extracted

Family

arrowrat

Botnet

Client

C2

6.tcp.eu.ngrok.io:19154

Mutex

Runtime Broker

Targets

    • Target

      Client.exe

    • Size

      158KB

    • MD5

      ae1a31fccddf3c728479e181ee16c74b

    • SHA1

      767c87adcd18546e3ae40d781579071f7f8035a2

    • SHA256

      279e15cb4ddbb440f1dbffe4f8af8430201971d59c1f40a58a12f81e4f59b342

    • SHA512

      9343ad9da7db4a6f8eb2bd78505bcce18d026de7cdc520864090b130d8d395b0edfc26c456bb4ec554cbd7473ea8cb14302b5a4e91a2072f81f219c97cc81905

    • SSDEEP

      3072:TbzmH+0OoCthfbEFtbcfjF45gjryKKqH6JY2doszEmQotEPPcfPP1O8Y:Tbzme0ODhTEPgnjuIJzo+PPcfPPY8

    • ArrowRat

      Remote access tool with various capabilities first seen in late 2021.

    • Modifies WinLogon for persistence

    • Modifies Installed Components in the registry

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Registers COM server for autorun

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks