arrowrat | 87e904893a81c4ca7daa3fa4ddcb69527db3ad5d7c147dfd1dec6c5a333587f9 | Triage

Sharing

General

Target

288a04f04d9fc3e84ff5b2402.bin
Size

394KB
Sample

230630-nt53yshb55
MD5

b29abd43e837415e411d0b0fd7c483dc
SHA1

13bcc99d540eb775f5b96c335fee8752a54384ea
SHA256

87e904893a81c4ca7daa3fa4ddcb69527db3ad5d7c147dfd1dec6c5a333587f9
SHA512

72ae93c144c30b14925fb50b15c3de7a9bed9d4306fb4939721a58b9b81e5d052ae88d7c863b6ba7e24c8388a3522a35d1264ede181371cad83cca7e87853adf
SSDEEP

12288:hH+TD/ZQde1neJ1OQQHTe57e39R0A015KtN:hwBQsu1OQTA015KtN

Score

10^/10

arrowrat client rat

Malware Config

Extracted

Family

arrowrat

Botnet

Client

C2

212.224.86.109:1337

Mutex

mTiBFWwWe

Targets

- Target
  
  cd15fbc9e839dbc2888b3e72c47827e09a8bc50038a509f138c266ebcf2f3ed6.exe
- Size
  
  457KB
- MD5
  
  288a04f04d9fc3e84ff5b2402c8050b1
- SHA1
  
  8e0b920bb33920e298ac9f73ab4b7ea0bbdfdbf2
- SHA256
  
  cd15fbc9e839dbc2888b3e72c47827e09a8bc50038a509f138c266ebcf2f3ed6
- SHA512
  
  928b111cfb151ad8967e1bde8e1e17ab592f0312f3883b1faf6578401b49cc741dde7ae426ee1ef7d8c985b3e4d4b287ccabaf01ea3841f8438d4dc993d9b5fb
- SSDEEP
  
  12288:QkoPbgRuF1R5u7w1eTe5XxLvZNOujzAKv546Q4dPHm:QkEb4E5u7w8Te5XxLhN9l54r4dHm
Score

10^/10

arrowrat client rat
- ArrowRat
  Remote access tool with various capabilities first seen in late 2021.
  rat arrowrat
- Uses the VBS compiler for execution
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scripting

Persistence

Privilege Escalation

Defense Evasion

Scripting

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

arrowratclientrat

behavioral2