arrowrat | 6da2463344288a1cf81824cd298a9b0174d4047338e3aee709f571778a36975e | Triage

Sharing

General

Target

script1.ps1
Size

146KB
Sample

230607-j9nrdshb98
MD5

ba2c6700dcee98c3846b17e75055ae42
SHA1

eb015596df00824c43b85697f42edc6e06e3434a
SHA256

6da2463344288a1cf81824cd298a9b0174d4047338e3aee709f571778a36975e
SHA512

da0e610460b81ec7b4dc97bc4b1cf713b20bf65da5da7f29725f0824efcdeb6845381a30f99780620fd9af9236023b588b04248d674d1f656dcf084a66a46aa2
SSDEEP

3072:i4XCO9qkexRjX+NFMl9nm8lR7y/uIa+Uz6jeWsxf/koyr:ieCaez+Nel9nfp+ozf8nr

Score

10^/10

arrowrat client rat

Malware Config

Extracted

Family

arrowrat

Botnet

Client

C2

185.252.178.121:1337

Mutex

qCDAaGyIF

Targets

- Target
  
  Device/HarddiskVolume1/Users/strial_tenant/Downloads/script1.ps1
- Size
  
  457KB
- MD5
  
  6cf32568a97a0cb8fe75acbe6cac8db2
- SHA1
  
  80e1d3113e12220910c5419abfa35aeaa7f3a0b1
- SHA256
  
  e34d98ea875e0ba6842ad296ebf6ea8fc908c6988fe50d7bf5cbb86787d73171
- SHA512
  
  5571adfcb274c58acae6b2dd629efe470fed23c3732507f15a46d5b00a99f186f922a0797ef1ccd0de8d5b7681f305521d1edebf990726bbf5fa5a8b464b0ddb
- SSDEEP
  
  6144:UVDFV/A8nNKmbcRTUufYbE6N4tDeaBfLo1sHsl9yS/M0HixBNqrpB92bMDsA4nxX:mnND98MDe
Score

10^/10

arrowrat client rat
- ArrowRat
  Remote access tool with various capabilities first seen in late 2021.
  rat arrowrat
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

arrowratclientrat